2

For a customer, I've to use WCF to communicate between a client and a server application.

My application was using a WSHttpBinding to communicate, but now, the customer doesn't to install any SSL certificate, because:

  • The server is only VPN accessible, so the communication is already encrypted
  • Their computer aren't in a domain, so they can't use a domain CA
  • The name of the server hasn't a public IP so they can't buy a SSL certificate for this ip

So I started to look how to don't use any SSL certificate, but I got some problems:

I saw that I should use a "TransportCredentialOnly" settings for the security mode, but this settings isn't available for "WsHttpBinding". So I decided to use the basicHttpBinding, which has this option, but it seems that the basicHttpBinding doesn't offer the possibility to use CustomUserNamePasswordValidator.

So how can I do this? Every search result I found are either using a SSL certificate or don't have customUserNameValidator.

Thank you very much for any help.

J4N
  • 19,480
  • 39
  • 187
  • 340

1 Answers1

2

This is very rare scenario where sending unsecured username and password make sense. You need custom binding for this because default bindings don't allow this. This answer contains two options you can use. Just be aware that first option will allow you to send plain text user name and password over unsecured transport but it will break WSDL generation (that is a bug in WCF).

Community
  • 1
  • 1
Ladislav Mrnka
  • 360,892
  • 59
  • 660
  • 670
  • Yes, I decided to use the ClearUsernameBinding( http://webservices20.blogspot.com/2008/11/introducing-wcf-clearusernamebinding.html ), but I had to modify a lot of things to make it works(it transferts a lot of files). It's a shame that MS doesn't allow the developer to decide what kind of security it needs, I don't understand why not using a SSL certificate and using Basic auth is possible if using a custom auth without SSL isn't. The developer should be encouraged to use SSL, but he should have an easy way to develop its application without ssl. – J4N Sep 06 '11 at 09:03