2

What's the easiest security mode for implementation in WCF when:

  1. Both client and service are .NET applications.
  2. Client and service are negotiating over internet.
  3. SSL is not available.
  4. Port 80 (web) is preferred for communication.
  5. And using an X.509 certificate should be the last option (same credentials in the configuration file at both sides is preferred, if possible)
Xaqron

3 Answers

1

If you are looking for a way to do username/password authentication, you can use wsHttpBinding and create a custom class that inherits from UsernamePasswordValidator and overrides the Validate method.

Here is an example: http://codebetter.com/petervanooijen/2010/03/22/a-simple-wcf-service-with-username-password-authentication-the-things-they-don-t-tell-you/

markt
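
As an added example (not part of the answer above or of the linked article): a custom validator of the kind the answer describes, deriving from WCF's `UserNamePasswordValidator` in `System.IdentityModel.Selectors` and checking the caller against a username and salted PBKDF2 hash kept in configuration. The namespace, class name, appSettings keys and iteration count are assumptions; the validator only authenticates the caller and does nothing to protect the password in transit.

```csharp
// Added example. "svc.user", "svc.salt" and "svc.hash" are hypothetical
// appSettings keys; salt and hash are stored Base64-encoded (salt >= 8 bytes).
using System;
using System.Configuration;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

namespace Demo.Security
{
    public class ConfigUserNameValidator : UserNamePasswordValidator
    {
        private const int Iterations = 100000; // assumed PBKDF2 work factor

        // WCF calls this for every request that carries a UserName credential.
        public override void Validate(string userName, string password)
        {
            if (userName == null || password == null)
                throw new ArgumentNullException();

            string expectedUser = ConfigurationManager.AppSettings["svc.user"];
            byte[] salt = Convert.FromBase64String(ConfigurationManager.AppSettings["svc.salt"]);
            byte[] expectedHash = Convert.FromBase64String(ConfigurationManager.AppSettings["svc.hash"]);

            // Derive a hash from the presented password; the clear-text
            // password itself is never stored in the configuration file.
            byte[] actualHash;
            using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
                actualHash = kdf.GetBytes(expectedHash.Length);

            bool userOk = string.Equals(userName, expectedUser, StringComparison.Ordinal);
            bool hashOk = FixedTimeEquals(actualHash, expectedHash);
            if (!(userOk & hashOk)) // same error for both failures
                throw new SecurityTokenException("Unknown username or incorrect password");
        }

        // Comparison whose running time does not depend on where the bytes differ.
        private static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            int diff = a.Length ^ b.Length;
            for (int i = 0; i < a.Length && i < b.Length; i++)
                diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }
}
// Wiring in the service behavior (web.config / app.config):
// <serviceCredentials>
//   <userNameAuthentication userNamePasswordValidationMode="Custom"
//     customUserNamePasswordValidatorType="Demo.Security.ConfigUserNameValidator, Demo" />
// </serviceCredentials>
```
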
0

The easiest security to implement is a lack of security, though not recommended at all:

<message clientCredentialType="None" />

<transport clientCredentialType="None" />

The next, which actually provides some security, would probably be Windows (see a tutorial on enabling this here) or Password for transport level security. See here for an MSDN overview of available credential options.

But to be honest there is quite a broad area for you to cover other than just specifying easiest. You can combine Transport and Message security, go with either or, use different credential types and so on - really, the easiest depends on the requirements, which, given point 5 of your question, would seem to reinforce my recommendation of Windows or Password authentication for this scenario.

Grant Thomas
  • So what kind of security WOULD you like? If nothing, SSL, and X509 certs aren't options then update your question with what are options. Then someone could suggest how to implement security from there. – Jeff LaFay Feb 18 '11 at 16:57
  • If `SSL`, and `X509` are the only options, I've got my answer (I will go with `X509`). I wish to find a way to use some plain username/password in configuration files. – Xaqron Feb 18 '11 at 17:00
0

What do you mean by security? It is possible to use "security" over the Internet without certificates if your security actually only means username and password (client authentication) and you are happy with plain text messages. If you require any form of encryption and signing you need a certificate or you have to build your own solution. (Using Windows security mode is not possible because it works only in the same AD domain or trusted domains.)

WCF itself provides by default only UserName/Password (WS-Security UsernameToken Profile with plain text password) over a secured channel (transport or message security). It is possible to use UserName/Password over an unsecured channel but in such a case you will send a plain text password over the Internet. UsernameToken Profile also offers a digested password - it is not considered secure but it is used very often. WCF doesn't support it but there is some implementation available.

I would go with HTTPS. Why is it not possible?

Ladislav Mrnka
  • I cannot use `SSL` and also don't want to send username/password over the wire. I prefer storing username/password at both sides (client & service) and encrypt the message with them (using built-in WCF security) but I don't know what's the nearest solution to my preference. – Xaqron Feb 18 '11 at 18:26
  • @Xaqron: What do you mean by encrypting message with user name and password? – Ladislav Mrnka Feb 18 '11 at 19:13
  • I mean no SSL, no X509. Just encrypting with symmetric algorithms at code level. I can do it myself but looking for a built-in method. Only peers which have the username/password can communicate then. – Xaqron Feb 20 '11 at 13:22
  • @Xaqron: Such a solution will not be secure. You are talking about symmetric encryption where **all clients and server have to share the same key**. Once any client gets compromised (and the key is stolen or shared with anybody else) the security is gone. User name and password have nothing to do with encryption. – Ladislav Mrnka Feb 20 '11 at 14:12
  • In fact the client is another server of mine. – Xaqron Feb 20 '11 at 15:00