0

I have my WCF working. I have the following configuration for it:

```xml
<bindings>
  <basicHttpBinding>
    <binding name="HttpStreaming" maxReceivedMessageSize="65536000" closeTimeout="00:05:00" bypassProxyOnLocal="true" openTimeout="00:05:00" receiveTimeout="00:30:00" sendTimeout="00:30:00" transferMode="Streamed" messageEncoding="Mtom">
      <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="65536000" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
      <security mode="None">
        <transport clientCredentialType="None" proxyCredentialType="None" realm="" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

<behaviors>
  <serviceBehaviors>
    <behavior name="CifsManager.CifsManagerServiceBehavior">
      <serviceMetadata httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
    </behavior>
  </serviceBehaviors>
</behaviors>

<services>
  <service behaviorConfiguration="CifsManager.CifsManagerServiceBehavior" name="CifsManager.CifsManagerService">
    <endpoint address="" binding="basicHttpBinding" bindingConfiguration="HttpStreaming" contract="CifsManager.ICifsManagerService"></endpoint>
  </service>
</services>
```

I generated the proxy class for calling the service ServiceClient and I call it in the following way:

```csharp
var service = new ServiceClient();
service.ClientCredentials.UserName.UserName = "111";
service.ClientCredentials.UserName.Password = "111";
service.bufferSize = int.Parse(ConfigurationManager.AppSettings["BufferSize"]);
var file = service.GetFile();
```

Here I found the articles where it is described how to solve my problem through the wsHttpBinding, but using it I get the server error. Could I create the authentication using the basicHttpBinding, or do I need the wsHttpBinding, and how should I do it?

Andrew Lubochkn
  • What exactly is your question? You'll want to keep in mind that if you use basicHttpBinding and try and pass credentials, they'll be passed in plain text over the wire and therefore be able to be intercepted... – Zann Anderson Nov 15 '11 at 16:53
  • So it is not a good idea to use basicHttpBinding, is it? And what binding should I use in this case? – Andrew Lubochkn Nov 15 '11 at 20:19
  • You'll probably want to use `WsHttpBinding` - then for security you can use `Transport`, `Message` or `TransportWithMessageCredential`. You can read about the differences between these here: http://msdn.microsoft.com/en-us/library/ms731925.aspx – Zann Anderson Nov 15 '11 at 20:42
  • Thank you, it helped a lot. Could you please tell me if I should use a certificate with WsHttpBinding? After your post I'm trying to use this and getting the error **The service certificate is not provided. Specify a service certificate in ServiceCredentials.** Could I somehow avoid this certificate? – Andrew Lubochkn Nov 15 '11 at 21:04
  • To my knowledge there's no way to use any of those security methods without a cert. You can find links to more information on securing WCF services in my answer to this question: http://stackoverflow.com/questions/8054166/authentication-in-wcf-for-every-call/8067400#8067400 – Zann Anderson Nov 15 '11 at 21:59
  • Thanks for the information. You are right, these security methods need a cert. And in the case that I use **basicHttpBinding** and pass my credentials in plain text, can I transport over **HTTP** rather than **HTTPS**? – Andrew Lubochkn Nov 16 '11 at 09:35

1 Answer

0

I'm just going to condense all of this into an answer so it's all in one place and easier to find instead of spread out amidst comments. Using BasicHttpBinding means that your credentials will be passed in plaintext over the wire, meaning they could be intercepted along the way without much trouble. You can avoid this problem by using WsHttpBinding, which allows you to use one of three different security types: Transport, Message, or TransportWithMessageCredential. You can read about these here. Keep in mind, however, that with any of these you'll have to have a certificate of one form or another.

This question has a brief discussion of some other WCF security options. If you're dead set on using BasicHttpBinding and passing your credentials over the wire, you could at least consider masking them somehow before doing so, perhaps an sha1 with a salt or something similar. If you don't want to use any of the built-in and done solutions that are available like ASP.NET Membership, you'll have to figure out on your own what kind of an auth token you want to pass back and forth.

Zann Anderson
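The security modes named in the thread, applied to the question's own binding as an added configuration example (not part of the original question or answer). It assumes the service is hosted on an HTTPS base address with a server certificate bound at the host, which matches the answer's point that a certificate is still needed; the validator type name `CifsManager.CredentialValidator` is hypothetical.

```xml
<!-- Added example: the question's basicHttpBinding with credentials protected by TLS. -->
<bindings>
  <basicHttpBinding>
    <!-- Timeouts and readerQuotas from the question are left out here for brevity. -->
    <binding name="HttpStreaming" maxReceivedMessageSize="65536000"
             transferMode="Streamed" messageEncoding="Mtom">
      <!-- Before (question): <security mode="None">, no transport or message protection. -->
      <!-- After: HTTPS protects the channel and the UserName token travels in the SOAP header. -->
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

<behaviors>
  <serviceBehaviors>
    <behavior name="CifsManager.CifsManagerServiceBehavior">
      <!-- Metadata is published over HTTPS only. -->
      <serviceMetadata httpsGetEnabled="true" />
      <!-- Exception details stay on the server instead of being returned in faults. -->
      <serviceDebug includeExceptionDetailInFaults="false" />
      <serviceCredentials>
        <!-- Hypothetical type: a class deriving from
             System.IdentityModel.Selectors.UserNamePasswordValidator
             that checks the user name and password on every call. -->
        <userNameAuthentication userNamePasswordValidationMode="Custom"
            customUserNamePasswordValidatorType="CifsManager.CredentialValidator, CifsManager" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>

<services>
  <service behaviorConfiguration="CifsManager.CifsManagerServiceBehavior"
           name="CifsManager.CifsManagerService">
    <!-- Assumption: the host exposes this endpoint on an https:// base address. -->
    <endpoint address="" binding="basicHttpBinding" bindingConfiguration="HttpStreaming"
              contract="CifsManager.ICifsManagerService" />
  </service>
</services>
```

The client code from the question keeps setting `ClientCredentials.UserName`; its binding configuration has to use the same security mode and an `https://` endpoint address.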