2
votes

I have developed an MVC web application using WCF services.

For example, I have a service URL such as http://localhost/abcservice/method1. I am using basicHttpBinding for the service.

In my controller I am adding the service reference and calling it:

serviceclient a = new serviceclient();
a.method1();

I am calling this service without using any authentication.

Out of curiosity, I have this question:

Is it possible to secure the WCF services hosted in IIS without buying SSL certificates?

Is it possible to implement the authentication functionality by sending the username and password from the client and authenticating it?

If yes, how? Any help would be greatly appreciated, as most of the links redirect to using certificates for security.

SSL doesn't provide "security", it provides a secure medium of communication. So it is NOT securing who can call what function, rather whether the information sent is unreadable by a third party. - Noam Rathaus

Then how do we achieve authentication in WCF, for restricting anonymous users? - user2630764

Yes... See, in a typical web application we won't use Windows credentials; there will be a login page where we enter the username and password... so I want WCF to restrict a wrong id/wrong password trying to access the services. Any help on that? - user2630764

2 Answers

2
votes

Since WCF is stateless, you are going to need a reasonably sophisticated (read: non-trivial) solution. Without providing code, here is what I do:

  1. Have a DB table which contains the list of current valid connections. You want to store user name, valid from/to date/time and a GUID token.

  2. Provide an authentication WCF call that somehow authenticates the user. The "somehow" is probably what you are most interested in. You can authenticate against a list of valid users (again from a DB table) or against LDAP/AD records. Or you could validate against Microsoft Passport, Google Account, even Facebook. This is something you really need to consider: WHAT are you going to authenticate against. Once you decide that, then you can code for it. The simplest is to authenticate against a DB table, but it's not very portable and requires maintenance of that table etc.

  3. If the user was authenticated in step 2, create or update a valid connection record for the user assigning them a new GUID token and set valid from and to date/times (i.e. provide a lifetime for the token). Return the new token in step 2.

  4. All subsequent WCF calls require the token to be passed in (along with the user name also if required). You check that the token is valid and if so, process the WCF call. If not, then ignore the call or do something meaningful.

As stated in other answers, this has nothing to do with SSL. User authentication is a major programming topic.
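The four steps above, written out as an added C# example. This is not the answer author's code or anything from the question's project; the contract name `IAbcService`, the `Authenticate`/`Method1` operations and the `alice` account are constructed for illustration, and two in-memory dictionaries stand in for the answer's "valid users" and "valid connections" DB tables. Two things are swapped in relative to the answer's description: passwords are stored as salted PBKDF2 hashes rather than compared against a plain table, and the token is 32 bytes from a cryptographic RNG rather than a `Guid` (a GUID is unique, not unpredictable). The example covers issuance and validation only; as the comment above notes, protecting the credentials and token on the wire is the transport layer's job, not this code's.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.ServiceModel;

// Hypothetical contract: one call that logs in and returns a token (steps 2-3),
// one business call that requires the token (step 4).
[ServiceContract]
public interface IAbcService
{
    [OperationContract]
    string Authenticate(string userName, string password);

    [OperationContract]
    string Method1(string userName, string token);
}

// In-memory stand-in for the answer's "valid connections" table (step 1).
internal sealed class ConnectionRecord
{
    public string UserName;
    public byte[] Token;
    public DateTime ValidFromUtc;
    public DateTime ValidToUtc;
}

// Salted PBKDF2 hash of a password; stands in for the "valid users" table.
internal sealed class UserRecord
{
    public byte[] Salt;
    public byte[] Hash;
}

[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class AbcService : IAbcService
{
    private const int Pbkdf2Iterations = 100000;
    private static readonly TimeSpan TokenLifetime = TimeSpan.FromMinutes(30);

    // Static so the state outlives each per-call service instance; a deployment uses the DB instead.
    private static readonly ConcurrentDictionary<string, UserRecord> Users =
        new ConcurrentDictionary<string, UserRecord>(StringComparer.OrdinalIgnoreCase);
    private static readonly ConcurrentDictionary<string, ConnectionRecord> Connections =
        new ConcurrentDictionary<string, ConnectionRecord>(StringComparer.OrdinalIgnoreCase);

    static AbcService()
    {
        RegisterUser("alice", "correct horse battery staple"); // constructed sample account
    }

    public static void RegisterUser(string userName, string password)
    {
        var salt = RandomBytes(16);
        Users[userName] = new UserRecord { Salt = salt, Hash = Pbkdf2(password, salt) };
    }

    // Step 2: check the credentials; on success issue a fresh, time-limited token (step 3).
    public string Authenticate(string userName, string password)
    {
        UserRecord user;
        // One fault text for "unknown user" and "wrong password", so callers cannot enumerate accounts.
        if (userName == null || password == null || !Users.TryGetValue(userName, out user)
            || !FixedTimeEquals(user.Hash, Pbkdf2(password, user.Salt)))
        {
            throw new FaultException("Authentication failed.");
        }

        var now = DateTime.UtcNow;
        var record = new ConnectionRecord
        {
            UserName = userName,
            Token = RandomBytes(32),      // CSPRNG token instead of a Guid
            ValidFromUtc = now,
            ValidToUtc = now + TokenLifetime
        };
        Connections[userName] = record;   // create-or-replace: one live token per user
        return Convert.ToBase64String(record.Token);
    }

    // Step 4: every business operation validates the token before doing any work.
    public string Method1(string userName, string token)
    {
        RequireValidToken(userName, token);
        return "method1 result for " + userName;
    }

    private static void RequireValidToken(string userName, string token)
    {
        byte[] presented;
        try { presented = Convert.FromBase64String(token ?? ""); }
        catch (FormatException) { presented = new byte[0]; }

        ConnectionRecord record;
        var now = DateTime.UtcNow;
        if (userName == null || !Connections.TryGetValue(userName, out record)
            || now < record.ValidFromUtc || now >= record.ValidToUtc
            || !FixedTimeEquals(record.Token, presented))
        {
            throw new FaultException("Invalid or expired token.");
        }
    }

    private static byte[] Pbkdf2(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Pbkdf2Iterations))
        {
            return kdf.GetBytes(32);
        }
    }

    private static byte[] RandomBytes(int count)
    {
        var bytes = new byte[count];
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(bytes); }
        return bytes;
    }

    // Compares every byte regardless of where the first mismatch is, so response time does not leak the token.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

From the MVC controller in the question, the flow becomes `var token = client.Authenticate(user, password);` once at login, then `client.Method1(user, token)` on each subsequent call; a `FaultException` from either call means the credentials were rejected or the token expired, and the user is sent back to the login page. Because `Connections` is replaced on every successful login, a second login from the same user invalidates the earlier token, which is the simplest way to bound how long a leaked token stays usable.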