#1 (permalink)
Guest
SSL / UserName and password security

Hi There,

Currently we have: a web application with SSL, and an asmx webservice which uses user name and password in the SOAP header for the client authentication.

It seems to me that as we already use SSL, for our new WCF webservice we should use transport security (or both with message security).

Also, as we keep all user credentials in a SQL Server DB and have our custom code for authentication and authorization (role based), for the WCF webservice we should use custom authentication.

Am I right in the above assumptions? Is there any code sample to show Internet authentication on SSL, with user name password custom authentication?

Thanks,
#2 (permalink)
Guest
Re: SSL / UserName and password security

If you are already using ASP.NET, you can hook into the ASP.NET security providers:
http://travisspencer.com/blog/2007/1...viders_to.html

For custom authentication using username/password over SSL - yes, this is possible (I use this pattern); you need to provide a UserNamePasswordValidator implementation for login and an IAuthorizationPolicy implementation for the roles (you need to set the "Principal" item in the evaluationContext.Properties dictionary to a suitable IPrincipal).

You also need to edit web.config, to set the serviceAuthorization's principalPermissionMode to "Custom" (adding your policy under authorizationPolicies), and the userNameAuthentication's userNamePasswordValidationMode to "Custom", specifying the customUserNamePasswordValidatorType.

Let me know if you need more, but just searching on the above keywords should be a good start.

Marc
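
The pattern described in post #2, as an added example that is not part of the thread or anyone's posted code: a `UserNamePasswordValidator`, an `IAuthorizationPolicy` that sets the "Principal" property, and the same two "Custom" modes set in code instead of web.config. The class names and the `verify` and `getRoles` delegates are hypothetical stand-ins for the SQL Server lookups mentioned in post #1.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

public class DbUserNameValidator : UserNamePasswordValidator
{
    private readonly Func<string, string, bool> _verify; // hypothetical: salted-hash check against the user table
    public DbUserNameValidator(Func<string, string, bool> verify) { _verify = verify; }
    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || password == null || !_verify(userName, password))
            throw new SecurityTokenException("Invalid user name or password."); // same fault for unknown user and bad password
    }
}

public class RolePolicy : IAuthorizationPolicy
{
    private readonly Func<string, string[]> _getRoles; // hypothetical: role lookup in the existing tables
    private readonly string _id = Guid.NewGuid().ToString();
    public RolePolicy(Func<string, string[]> getRoles) { _getRoles = getRoles; }
    public string Id { get { return _id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }
    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        object value;
        var ids = evaluationContext.Properties.TryGetValue("Identities", out value) ? value as IList<IIdentity> : null;
        if (ids == null || ids.Count == 0) return false; // no authenticated identity yet
        evaluationContext.Properties["Principal"] = new GenericPrincipal(ids[0], _getRoles(ids[0].Name));
        return true; // WCF exposes "Principal" to the operation as Thread.CurrentPrincipal
    }
}

public static class HostSetup // code form of the web.config settings; call before host.Open()
{
    public static void Configure(ServiceHostBase host, Func<string, string, bool> verify, Func<string, string[]> getRoles)
    {
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new DbUserNameValidator(verify);
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.Custom;
        host.Authorization.ExternalAuthorizationPolicies = new List<IAuthorizationPolicy> { new RolePolicy(getRoles) }.AsReadOnly();
    }
}
```

Inside an operation the caller is then available through `Thread.CurrentPrincipal` (including `IsInRole`) or `ServiceSecurityContext.Current.PrimaryIdentity.Name`.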
#3 (permalink)
Guest
Re: SSL / UserName and password security

Thanks for the information Marc, I am going to test it shortly. We are using ASP.NET but I'd rather use our custom user/role management and DB tables (in the past for the asmx service we used this approach).

1. Now, while I am designing our new WCF webservice, I am seeing a lot of recommendations in WCF books to use message security for Internet, but I do not understand the value of it for our scenario. Our web service clients and our host have point-to-point communication over the internet and SSL encrypts everything. When a message arrives at the webservice we have it unencrypted. So I am not sure why we need message security, and if it is recommended, can we combine it with our existing SSL?

2. Also, is there any real advantage in using SOAP 1.2 for our case? basicHttpBinding does the same thing for us and is more interoperable with various clients.

3. And last thing, one suggested to use MessageContract for operation requests so we easily have access to client credentials. Is it a good approach?

Thanks again,
Masoud

"Marc Gravell" <marc.gravell@xxxxxx> wrote in message news:OeEQjDsKIHA.5920@xxxxxx
#4 (permalink)
Guest
Re: SSL / UserName and password security

1: I agree; I don't need ws-trust etc, so for simple services I use TransportWithMessageCredential over SSL. Job done, and works with most clients.

2: Again, if it does what you need, stick with it. Actually, there are some very good use-cases for using "basic", such as true streaming (most other implementations can't do this quite as neatly, as the entire message is needed first).

3: Not familiar with it.

Actually, given your description, you might also be interested in the REST support in 3.5; this again follows the "keep it simple, stupid" approach, i.e. standard HTTP encryption/auth (SSL, etc), and simple data transfer.
#5 (permalink)
Guest
Re: SSL / UserName and password security

Thank you, the username/password authentication worked as you mentioned.

I created a class as:

    CustomMembershipProvider : MembershipProvider
        public override bool ValidateUser(string username, string password)

and then in Web.config:

    <serviceCredentials>
      <userNameAuthentication membershipProviderName="CustomMembershipProvider"
                              userNamePasswordValidationMode="MembershipProvider" />
    </serviceCredentials>

Now the issue is that in ValidateUser I want to create a custom user object based on username and make it available for my operation contract. So in ValidateUser I tried to access HttpContext to store user info, but it seems the WCF service does not support it unless I change the WCF service mode to Asp.Net compatible mode.

I am not sure what is the best way to pass the username or user object to the operation. Any idea? Also, we are using a webfarm for our web application.

Masoud

"Marc Gravell" <marc.gravell@xxxxxx> wrote in message news:OeEQjDsKIHA.5920@xxxxxx