
I have a problem with a service I am writing.

We currently have a webapp that is hosted on an internal secure network.

There is now a requirement to provide a service which expose our web app business functionality for a client to consume in order to create a native tablet app.

The mobile device will use VPN to get onto the network. To access our webapp, the user would normally need to use a user name and password, i.e. there is no SSL. The username and password are stored in our db in a custom set up (no ASP membership, etc).

Now, I have raised the lack of SSL as an issue, but this has been shot down, and those in charge of such matters feel that the security needed to get into the internal network is enough.

I realise this means the app is open to malicious behaviour from INTERNAL users, i.e. those inside the network but outside of the app user group.

So, this now raises an issue when it comes to creating my service in WCF. Authentication without SSL appears to be quite fiddly. I did manage to find:

Yaron Naveh's ClearUsernameBinding: http://webservices20.blogspot.co.uk/2008/11/introducing-wcf-clearusernamebinding.html

I felt that this was about to solve all my problems until I realised that I would have to alter my plans to offer RESTful service with json, and I would now have to use SOAP.

Still, I was fine with this until I realised that SOAP had bandwidth issues due to the envelope that comes with the packet. This worries me, as it is a service which will be getting consumed by a mobile app over 3g, and there are bandwidth limits.

So, without SSL being an option (please don't say otherwise), do you think that using SOAP instead of REST here is the better option? Should I be concerned about the bandwidth? (rows counts returned will not be exceeding 200, and most will be MUCH smaller). Roughly how much of an overhead are we talking?

Is there an option with wcf REST config where I can authenticate without a certificate (using some form of custom authentication)? This would be preferable to me.

Milambardo

2 Answers

The WSDL envelope is not in megabytes range. It needs a few kilobytes per request for normal configurations. Therefore, the possible bandwidth bottleneck depends heavily on the requests/time ratio.

You could always implement a custom authentication mechanism with tokens. The basic idea would be this...

  • When the user authenticates, he gets a token which expires after 20 minutes or so, if the user does not act in that time
  • The token is stored (encrypted) in a client side cookie
  • The cookie is used in each client's http request
  • The REST service examines the user's cookie, extracts the token and concludes if the user is authenticated or not

I would strongly suggest following the Membership API path. The logic that I describe is the one used by the Membership API. Implementing it on your own would just be time overhead and a bug generator. I don't see why you have to reinvent the wheel...

Hope I helped!

Pantelis Natsiavas
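The token scheme outlined in the answer above, written out as an added example; this is not code from the answer or from the poster's project. It uses an HMAC-signed token rather than an encrypted one (my simplification: the user name is readable but cannot be forged or have its expiry extended), assumes the server holds a secret key of its own, and assumes the client sends the token back on every request in a cookie or header. The key string, the user name "alice" and the 20-minute lifetime are constructed for the example.

```csharp
// Added example, not code from the answer or the poster's project.
// Signed, expiring auth token for a WCF REST service that has no SSL.
// Assumption: the server holds a secret HMAC key; the token is issued at
// login and sent back by the client on every request (cookie or header).
using System;
using System.Security.Cryptography;
using System.Text;

public static class AuthToken
{
    // Constructed placeholder; in production load a random key from
    // protected configuration so it is not hard-coded in the binary.
    private static readonly byte[] Key =
        Encoding.UTF8.GetBytes("replace-with-a-random-32-byte-secret");

    // Idle lifetime, as in the answer's "20 minutes or so".
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(20);

    // Token layout: base64(user) | expiry ticks (UTC) | base64(HMAC-SHA256 over the first two fields)
    public static string Issue(string userName, DateTime nowUtc)
    {
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(userName))
                         + "|" + (nowUtc + Lifetime).Ticks;
        return payload + "|" + Convert.ToBase64String(Sign(payload));
    }

    // Returns the user name the token vouches for, or null if the token is
    // malformed, has been tampered with, or has expired.
    public static string Validate(string token, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(token)) return null;
        string[] parts = token.Split('|');
        if (parts.Length != 3) return null;

        byte[] providedMac;
        byte[] userBytes;
        try
        {
            providedMac = Convert.FromBase64String(parts[2]);
            userBytes = Convert.FromBase64String(parts[0]);
        }
        catch (FormatException) { return null; }

        // Check the signature before trusting any field, in constant time.
        string payload = parts[0] + "|" + parts[1];
        if (!FixedTimeEquals(Sign(payload), providedMac)) return null;

        long expiryTicks;
        if (!long.TryParse(parts[1], out expiryTicks)) return null;
        if (nowUtc.Ticks >= expiryTicks) return null;   // idle too long

        return Encoding.UTF8.GetString(userBytes);
    }

    // Sliding expiry: a valid token presented on a request is re-issued so the
    // clock restarts while the user keeps acting.
    public static string Refresh(string token, DateTime nowUtc)
    {
        string user = Validate(token, nowUtc);
        return user == null ? null : Issue(user, nowUtc);
    }

    private static byte[] Sign(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    // Compare every byte so timing does not reveal how much of the MAC matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        DateTime now = DateTime.UtcNow;
        string token = Issue("alice", now);

        // A fresh token validates; the same token after 25 idle minutes does not.
        Console.WriteLine(Validate(token, now));
        Console.WriteLine(Validate(token, now.AddMinutes(25)) == null);

        // A token whose expiry field was edited by hand fails the signature check.
        string[] parts = token.Split('|');
        parts[1] = (long.Parse(parts[1]) + TimeSpan.FromHours(1).Ticks).ToString();
        Console.WriteLine(Validate(string.Join("|", parts), now) == null);
    }
}
```

Inside a WCF REST operation the token can be read from the incoming request headers (`WebOperationContext.Current.IncomingRequest.Headers`, either the Cookie header or a custom header) and passed to `Validate` at the top of each operation, or centrally from a `ServiceAuthorizationManager`. Note that without SSL the token crosses the network in clear, so anyone able to capture internal traffic can present it until it expires; the short idle lifetime is what bounds that exposure, and it is the same exposure the question already accepts for the password itself.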

The performance comparison between REST and SOAP web services was discussed in detail in Rest vs. Soap. Has REST a better performance?.

You can certainly implement custom authentication in a WCF REST service, without certificates or a secure transport. One option is to use a binding similar to the following:

<bindings>
    <webHttpBinding>
        <binding name="default">
            <security mode="TransportCredentialOnly">
                <transport clientCredentialType="Windows" proxyCredentialType="Windows"/>
            </security>
        </binding>
    </webHttpBinding>
</bindings>

http://msdn.microsoft.com/en-us/library/bb924478(v=vs.110).aspx

Including the Microsoft caveat: “This mode does not provide message integrity and confidentiality. It provides HTTP-based client authentication. This mode should be used with caution. It should be used in environments where the transport security is being provided by other means (such as IPSec) and only client authentication is provided by the WCF infrastructure.”

The following link provides a comprehensive overview of a custom WCF REST authentication solution: http://www.codeproject.com/Articles/304877/WCF-REST-4-0-Authorization-with-Form-Based-Authent

Seymour