I want to port an existing ASP.NET Web Service to WCF so the resulting Web Service (1) is RESTful, (2) uses JSON as its request/response format, (3) has a custom authentication mechanism.
After a lot of googling, random coding, and wanting to hit my head against the wall, I found that...
A webHttpBinding has to be used to make the Web Service RESTful. But...
webHttpBinding does not support HTTPS hosts.
webHttpBinding does not support UserName authentication.
webHttpBinding does not even support message security.
An endpoint behavior with <enableWebScript/> has to be used to support ASP.NET AJAX. But...
What is "ASP.NET" AJAX?
What if I want to consume the Web Service using "regular" AJAX?
And, most importantly...
Can WCF do what I want to do in first place?
If not, what other platforms could I use?
I've written WCF service that does both SOAP and REST with XML and JSON, and custom auth. I've pushed the custom authentication into HTTP module, which does basic auth over https. See Custom HTTP Basic Authentication for ASP.NET Web Services on .NET 3.5/VS 2008 and WCF POX, JSON and SOAP Coexist.
In the setup you describe, the web servier (i.e. IIS) will be responsible for encryption (HTTPS) and authentication (e.g. basic authentiction). IIS can be extended with a custom authentication mechanism (just google for "IIS module handler").
It's a bit strange that it has to be delegated to IIS and is not part of WCF. But it's no problem at all.
Related
I am making a choice between ASP.NET Web API and WCF.
I am not quite sure about the authentication part. Could some one shed some light on the differences?
I suppose there would be no actual difference under the hood. After all, the authenticaton mechanism refers to the HTTP request level on the ASP.NET engine integrated in IIS. It should have nothing to do with whether the module responding the specific HTTP request is implemented as an ASP.NET web page, WCF or Web API endpoint.
Nevertheless, there would be some differences in modelling and perhaps in configuration. WCF models the authentication mechanism as a "WCF authentication service" while Web API uses the normal security model of ASP.NET.
Use this WCF and ASP.NET security guide and this Web API security guides as a reference.
Hope I helped!
I have a web service running outside of .net that I need to invoke from a .NET client.
I was given a .NET client written in Visual Basic to test with.
The .NET client can access the web service with a clear-text SOAP message using basicHttpBinding.
I can configure a policy/binding for the external web service to use the Kerberos token for Message Level Protection and authentication. I can access this web service from the .NET client by modifying the configuration file to use wsHttpBinding.
Now, the requirement is to use the Kerberos token for authentication only and not sign/encrypt the SOAP message. That is, I only need the tags in the SOAP header. I have this configuration working on the external web service, but now I want to modify the configuration file so the .NET client only sends the and does not sign/encrypt any part of the SOAP message.
Is it possible to modify the .net client's .config file to do this?
My understanding is that basicHttpBinding can not be modified to use a Kerberos token (only UserName/Certificate).
I've tried disabling signing/encryption in wsHttpBinding via an attribute such as "defaultProtectionLevel=Sign/SignEncrypt/None", but this isn't available in wsHttpBinding (or I can't find it). I can only disable or enable message level protection and authentication with .
I've also tried building a customBinding, but can not disable signing/encryption and use the Kerberos token for authentication only.
Does anyone have a solution or some tips that could point me in the right direction to go about solving the above issues?
I have a WPF application that uses Client Application Services to allow authentication (username/password logon) against a related web application that uses Forms authentication and the SqlMembershipProvider/SqlProfileProvider/SqlRoleProvider. This all works and I can reliably validate a user/password combination.
The WPF application also calls a number of WCF services that are exposed by the same web application as is used for the CAS authentication. I now want to be able to pass through the authentication details (from Client Application Services) to the WCF services in order that I can identify the user that was authenticated within those services. I also need to be able to prevent the WCF services from being used if no authentication has taken place.
I have found a couple of .NET 3.5 examples where CAS authentication is used against .asmx web services, or authentication is provided against WCF Data Services which does not use ClientBase and has authentication facilities built in, but I cannot find any examples with pure WCF. Can anybody point me toward instruction that will enable this scenario? I am using .NET 4.0 for this project.
I have also found this stackoverflow question but again this is answered for .asmx web services and not for WCF.
The closest I have gotten involves the creation of an OperationContextScope and then copying the cookie header from the ClientFormsIdentity object to an HttpRequestMessageProperty and adding this to the OutgoingMessageProperties of the current OperationContext. I then call one or more methods of the service within the lifespan of the OperationContextScope. Thing is, when I then get to the WCF service, I still cannot see anything that resembles authentication in such a way as I can identify the original user. This methodology has been taken from various examples but I am obviously missing a step at the WCF end.
I think you need to switch to the Web API that Microsoft is now having people use for WCF Services. Check out Using Forms Authentication with Web API and http://aamirposwal.blogspot.com/2012/05/aspnet-web-api-custom-authorize-and.html
Found it.
In my binding, I specified allowCookies="true".
According to Wiktor Zychla, "setting the AllowCookies property on a BasicHttpBinding to true turns on the automatic cookie management" - this means that any attempt to set a cookie in code will be ignored and this is what I was doing.
I'm beginning to have doubts as to if this is possible but I'm hoping that someone out there has a deeper understanding of the mechanics than I do.
We are planning to host a pure javascript form in a SharePoint site that is secured using ADFS. This form needs to make calls to a WCF REST service. We want to be able to use the same FedAuth cookie / SAML token issued to the user from ADFS in the WCF service for authentication but so far I have not really found a way to pass it using javascript.
So to break it down, how do you call a WIF / SAML secured WCF REST service from javascript?
I am very new to using WCF services. Right now I have a WCF service that I call using jQuery. I'm concerned about users making unauthorized calls to the service. What would be the best way to secure my service?
If this is a browser app and you're worried about security, presumably you already have some sort of authentication mechanism (cookies, sessions, something). All these are accessible from WCF services (I'm assuming you're using webHttpBinding or basicHttpBinding?) via the WebOperationContext.Current.IncomingRequest property. You can check/validate a cookie (or whatever else) from your service code, or write a cross-cutting MessageInspector to apply the check to all methods on your service behavior. WCF services also can be integrated with traditional ASP.NET authentication (forms, etc) if you host the service with the compatibility flag. The browser app logs in normally, and your service can consume the credential/token/whatever.
you can use a certificate to sign the WCF messages (it's all in the WCF Settings) on both sides (client and server)
Here is some detailed explanation:
Message Security