| | #1 (permalink) |
| Guest | UserNamePasswordValidator and custom authentication |

Hello, All!

I have a service that is based on BasicHttpBinding. It also exposes metadata, so others can see its WSDL.

Now I want to apply custom authentication that will be based on HTTP basic authentication.

The problem is that my custom validator is not being called, to perform validation ( authentication ), and client gets 403 error.

So, I setup my BasicHttpBinding, like so

```csharp
httpBinding.Security.Transport.ClientCredentialType
    = HttpClientCredentialType.Basic;

httpBinding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
```

Then, I've setup ServiceHost to perform authentication. The code is:

```csharp
//setting the credentials behavior
ServiceCredentials sc = new ServiceCredentials();
Validator validator = new Validator();

sc.UserNameAuthentication.UserNamePasswordValidationMode
    = System.ServiceModel.Security.UserNamePasswordValidationMode.Custom;

sc.UserNameAuthentication.CustomUserNamePasswordValidator = validator;
serviceHost.Description.Behaviors.Remove<ServiceCredentials>();
serviceHost.Description.Behaviors.Add(sc);
```

Validator code is pretty simple

```csharp
class Validator : System.IdentityModel.Selectors.UserNamePasswordValidator
{
    public override void Validate(string username, string password)
    {
        //perform validation here
    }
}
```

I suspect that smth is wrong here, but there is no documentation out there that can assist my problem.

--
With best regards, Vadym Stetsyak.
www: http://vadmyst.blogspot.com
| | #2 (permalink) |
| Guest | Re: UserNamePasswordValidator and custom authentication |

Hi, Vadim!

Did you try HttpClientCredentialType.Windows instead of HttpClientCredentialType.Basic?
OTOH try BasicHttpSecurityMode.Message and not TransportCredentialOnly

Arkady

"Vadym Stetsyak" <vadym_s@ukr.net> wrote in message news:up$2sck4GHA.4832@TK2MSFTNGP06.phx.gbl...
> Hello, All!
>
> I have a service that is based on BasicHttpBinding. It also exposes
> metadata,
> so others can see its WSDL.
>
> Now I want to apply custom authentication that will be based on
> HTTP basic authentication.
>
> The problem is that my custom validator is not being called, to perform
> validation ( authentication ), and client gets 403 error.
>
> So, I setup my BasicHttpBinding, like so
>
> httpBinding.Security.Transport.ClientCredentialType
> = HttpClientCredentialType.Basic;
>
> httpBinding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
>
> Then, I've setup ServiceHost to perform authentication. The code is:
>
> //setting the credentials behavior
> ServiceCredentials sc = new ServiceCredentials();
> Validator validator = new Validator();
>
> sc.UserNameAuthentication.UserNamePasswordValidationMode
> = System.ServiceModel.Security.UserNamePasswordValidationMode.Custom;
>
> sc.UserNameAuthentication.CustomUserNamePasswordValidator = validator;
> serviceHost.Description.Behaviors.Remove<ServiceCredentials>();
> serviceHost.Description.Behaviors.Add(sc);
>
> Validator code is pretty simple
> class Validator : System.IdentityModel.Selectors.UserNamePasswordValidator
> {
>     public override void Validate(string username, string password)
>     {
>         //perform validation here
>     }
> }
>
> I suspect that smth is wrong here, but there is no documentation out there
> that
> can assist my problem.
>
> --
> With best regards, Vadym Stetsyak.
> www: http://vadmyst.blogspot.com
| | #3 (permalink) |
| Guest | Re: UserNamePasswordValidator and custom authentication |

Hello, Arkady!

AF> Did you try HttpClientCredentialType.Windows instead of
AF> HttpClientCredentialType.Basic ?
AF> OTOH try BasicHttpSecurityMode.Message and not
AF> TransportCredentialOnly

The problem is that I have to support Basic authentication. AFAIK Basic authentication requires TransportCredentialOnly.

What I've found with Reflector is that Basic authentication is not supported. BasicHttpBinding creates the HttpChannelListener class, which represents the channel (IChannelListener). And HttpChannelListener uses WindowsUserNameSecurityTokenAuthenticator to process authentication. This authenticator internally uses LogonUser(...).

As a workaround one can provide a custom IChannelListener class, but this seems to be overkill.

--
Regards, Vadym Stetsyak
www: http://vadmyst.blogspot.com
| | #4 (permalink) |
| Guest | Re: UserNamePasswordValidator and custom authentication |

this works for me :
HTH

-----------------
server config :

```xml
<service name="MyService.ClassServiceSSL" behaviorConfiguration="ssl">
  <endpoint contract="MyService.IMyServiceSSL" binding="wsHttpBinding"
            address="/paperino/" bindingConfiguration="ssl"/>
  <host>
    <baseAddresses>
      <add baseAddress="https://localhost:8082"/>
    </baseAddresses>
  </host>
</service>
.....
<behaviors>
  <serviceBehaviors>
    <behavior name="ssl">
      <serviceDebug includeExceptionDetailInFaults="true"/>
      <serviceMetadata httpsGetEnabled="true"/>
      <serviceCredentials>
        <serviceCertificate storeName="My" storeLocation="LocalMachine"
                            findValue="CN=localhost"
                            x509FindType="FindBySubjectDistinguishedName"/>
        <userNameAuthentication userNamePasswordValidationMode="Custom"/>
      </serviceCredentials>
    </behavior>
....
<bindings>
  <wsHttpBinding>
    <binding name="mymessage">
      <security mode="None">
      </security>
    </binding>
    <binding name="ssl">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName"/>
      </security>
    </binding>
    <behavior name="ssl">
      <serviceDebug includeExceptionDetailInFaults="true"/>
      <serviceMetadata httpsGetEnabled="true"/>
      <serviceCredentials>
        <serviceCertificate storeName="My" storeLocation="LocalMachine"
                            findValue="CN=localhost"
                            x509FindType="FindBySubjectDistinguishedName"/>
        <userNameAuthentication userNamePasswordValidationMode="Custom"/>
      </serviceCredentials>
    </behavior>
```

--------
server code

```csharp
using (ServiceHost hostssl = new ServiceHost(typeof(MyService.ClassServiceSSL)))
{
    ServiceCredentials l_ServiceCredentials = hostssl.Credentials;
    l_ServiceCredentials.UserNameAuthentication.CustomUserNamePasswordValidator
        = new MyService.MyValidator();
    hostssl.Open();
```

"Vadym Stetsyak" <vadym_s@ukr.net> wrote in message news:up$2sck4GHA.4832@TK2MSFTNGP06.phx.gbl...
> Hello, All!
>
> I have a service that is based on BasicHttpBinding. It also exposes
> metadata,
> so others can see its WSDL.
>
> Now I want to apply custom authentication that will be based on
> HTTP basic authentication.
>
> The problem is that my custom validator is not being called, to perform
> validation ( authentication ), and client gets 403 error.
>
> So, I setup my BasicHttpBinding, like so
>
> httpBinding.Security.Transport.ClientCredentialType
> = HttpClientCredentialType.Basic;
>
> httpBinding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
>
> Then, I've setup ServiceHost to perform authentication. The code is:
>
> //setting the credentials behavior
> ServiceCredentials sc = new ServiceCredentials();
> Validator validator = new Validator();
>
> sc.UserNameAuthentication.UserNamePasswordValidationMode
> = System.ServiceModel.Security.UserNamePasswordValidationMode.Custom;
>
> sc.UserNameAuthentication.CustomUserNamePasswordValidator = validator;
> serviceHost.Description.Behaviors.Remove<ServiceCredentials>();
> serviceHost.Description.Behaviors.Add(sc);
>
> Validator code is pretty simple
> class Validator : System.IdentityModel.Selectors.UserNamePasswordValidator
> {
>     public override void Validate(string username, string password)
>     {
>         //perform validation here
>     }
> }
>
> I suspect that smth is wrong here, but there is no documentation out there
> that
> can assist my problem.
>
> --
> With best regards, Vadym Stetsyak.
> www: http://vadmyst.blogspot.com
| | #5 (permalink) |
| Guest | Re: UserNamePasswordValidator and custom authentication |

Hello, x!

Thanks for the example, I saw it in the WCF technical samples. But it doesn't suit me, since it uses WsHttpBinding and SSL.

I have to support legacy clients that use common HTTP Basic authentication, which in WCF terms means BasicHttpBinding with Basic authentication mode set.

x> this works for me :
x> HTH
x> -----------------
x> server config :
x> <service name="MyService.ClassServiceSSL" behaviorConfiguration
x> ="ssl">
x> <endpoint contract="MyService.IMyServiceSSL"
x> binding="wsHttpBinding" address ="/paperino/"
x> bindingConfiguration ="ssl"/>
x> <host>
x> <baseAddresses>
x> <add baseAddress ="https://localhost:8082"/>
x> </baseAddresses>
x> </host>
x> </service>
x> ....
x> <behaviors>
x> <serviceBehaviors>
x> <behavior name="ssl">
x> <serviceDebug includeExceptionDetailInFaults ="true"/>
x> <serviceMetadata httpsGetEnabled ="true"/>
x> <serviceCredentials>
x> <serviceCertificate storeName ="My"
x> storeLocation="LocalMachine"
x> findValue ="CN=localhost" x509FindType
x> ="FindBySubjectDistinguishedName"/>
x> <userNameAuthentication
x> userNamePasswordValidationMode="Custom"/>
x> </serviceCredentials>
x> </behavior>
x> ...
x> <bindings>
x> <wsHttpBinding>
x> <binding name ="mymessage">
x> <security mode ="None">
x> </security >
x> </binding>
x> <binding name ="ssl">
x> <security mode ="TransportWithMessageCredential">
x> <message clientCredentialType ="UserName"/>
x> </security >
x> </binding>
x> <behavior name="ssl">
x> <serviceDebug includeExceptionDetailInFaults ="true"/>
x> <serviceMetadata httpsGetEnabled ="true"/>
x> <serviceCredentials>
x> <serviceCertificate storeName ="My"
x> storeLocation="LocalMachine"
x> findValue ="CN=localhost" x509FindType
x> ="FindBySubjectDistinguishedName"/>
x> <userNameAuthentication
x> userNamePasswordValidationMode="Custom"/>
x> </serviceCredentials>
x> </behavior>
x> --------
x> server code
x> using (ServiceHost hostssl = new
x> ServiceHost(typeof(MyService.ClassServiceSSL))) {
x> ServiceCredentials l_ServiceCredentials = hostssl.Credentials;
x> l_ServiceCredentials.UserNameAuthentication.
x> CustomUserNamePasswordValidator
x> = new MyService.MyValidator();
x> hostssl.Open();
x> "Vadym Stetsyak" <vadym_s@ukr.net> wrote in message
x> news:up$2sck4GHA.4832@TK2MSFTNGP06.phx.gbl...
>> Hello, All!
>> I have a service that is based on BasicHttpBinding. It also exposes
>> metadata,
>> so others can see its WSDL.
>> Now I want to apply custom authentication that will be based on
>> HTTP basic authentication.
>> The problem is that my custom validator is not being called, to
>> perform
>> validation ( authentication ), and client gets 403 error.
>> So, I setup my BasicHttpBinding, like so
>> httpBinding.Security.Transport.ClientCredentialType
>> = HttpClientCredentialType.Basic;
>> httpBinding.Security.Mode =
>> BasicHttpSecurityMode.TransportCredentialOnly;
>> Then, I've setup ServiceHost to perform authentication. The code is:
>> //setting the credentials behavior
>> ServiceCredentials sc = new ServiceCredentials();
>> Validator validator = new Validator();
>> sc.UserNameAuthentication.UserNamePasswordValidationMode
>> =
>> System.ServiceModel.Security.UserNamePasswordValidationMode.Custom;
>> sc.UserNameAuthentication.CustomUserNamePasswordValidator = validator;
>> serviceHost.Description.Behaviors.Remove<ServiceCredentials>();
>> serviceHost.Description.Behaviors.Add(sc);
>> Validator code is pretty simple
>> class Validator :
>> System.IdentityModel.Selectors.UserNamePasswordValidator
>> {
>> public override void Validate(string username, string password)
>> {
>> //perform validation here
>> }
>> }
>> I suspect that smth is wrong here, but there is no documentation out
>> there
>> that
>> can assist my problem.
>> --
>> With best regards, Vadym Stetsyak.
>> www: http://vadmyst.blogspot.com

--
Regards, Vadym Stetsyak
www: http://vadmyst.blogspot.com
| | #6 (permalink) |
| Guest | Re: UserNamePasswordValidator and custom authentication |

Hi, All!

It appears that credentials validation for BasicHttpBinding is done via a Windows account, and there is no way to do it manually.

So, in order to make this type of authentication work it is necessary to create a Windows account on the machine where the ServiceHost is operating.

--
Regards, Vadym Stetsyak
www: http://vadmyst.blogspot.com
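
An added example, not from the thread: HTTP Basic credentials arrive as a Base64-encoded `user:password` pair in the `Authorization` header, and with `TransportCredentialOnly` that header crosses the network over plain HTTP. Any component that replaces the built-in Windows account check has to parse the header itself; `BasicAuthHeader` and `TryParse` are hypothetical names, and the header value in `Main` is constructed.

```csharp
using System;
using System.Text;

// Hypothetical helper (added example), not a WCF type.
public static class BasicAuthHeader
{
    // Returns false instead of throwing on a malformed header, so the caller can answer 401.
    public static bool TryParse(string headerValue, out string userName, out string password)
    {
        userName = null;
        password = null;
        const string scheme = "Basic ";
        if (headerValue == null ||
            !headerValue.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return false;

        byte[] raw;
        try { raw = Convert.FromBase64String(headerValue.Substring(scheme.Length).Trim()); }
        catch (FormatException) { return false; }

        string pair;
        // Strict UTF-8: invalid byte sequences are rejected rather than silently replaced.
        try { pair = new UTF8Encoding(false, true).GetString(raw); }
        catch (ArgumentException) { return false; }

        // Split on the first colon only: a password may itself contain colons.
        int colon = pair.IndexOf(':');
        if (colon <= 0) return false;
        userName = pair.Substring(0, colon);
        password = pair.Substring(colon + 1);
        return true;
    }

    public static void Main()
    {
        // Constructed sample header: Base64 of a made-up "user:password" pair.
        string user, pass;
        bool ok = TryParse("Basic bGVnYWN5OnA6c3M=", out user, out pass);
        Console.WriteLine("parsed={0} user={1} passwordLength={2}",
            ok, user, pass == null ? 0 : pass.Length);
    }
}
```

Base64 is an encoding, not encryption, so anyone who can read the traffic can recover the password unless the endpoint is moved to HTTPS.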