2
votes

This is a follow on to this question. I am trying to avoid using the x509 certificate method as that makes my client installs more complex. If basicHttpBinding is not the only option, where are some samples of other binding methods.

My clients are on .Net 2.0, I don't have access to System.ServiceModel namespace as that didn't come out until 3.0.

Update: To be clear, clients: .Net 2.0, web service: .net3.5/WCF

2

2 Answers

3
votes

The problem isn't a mismatch between .Net 2.0 services and WCF and the various bindings - they are (with a few notable exceptions that shouldn't be a problem in your case) very compatible protocols.

WSE 3.0 (which runs on the 2.0 .Net framework) is particularly close. You can use this with either basicHttpBinding or with wsHttpBinding and a few tweaks. 'Jimmy' Skowronski's article here and the MSDN article here cover most of the basics.

You can also code a custom binding that will let you side step the few incompatibilities between WSE and WCF (like the mandate for a secure transport when using WCF and basic authentication)

Your problem as I understand it is how to manage the authentication - in you previous question you ruled out Windows authenticaion. Kerberos works in both WCF or WSE but that is even more complicated.

Unless you delve into you own authentication schemes you are (as far as I know) limited to using basic authentication (so each client supplies a user name or password, this could be the same for all clients depending on your needs) or certificate based authentication.

Toran's answer is a good starter for using basic authentication.

I think maybe a good approach would be to look at the requirements from the .Net 2.0 (and WSE*) side of things first - establish an authenticaion mechanism that fits with your client deployments, then work out how to accept that authentication with WCF.

WCF can accept pretty much anything WSE 3.0 can send (with the only exceptions I can think of off the top of my head being the version of the addressing specification, and some slightly tighter security requirement)

1
votes

You could require SSL + Username/Password with basicHttp.

First the below is what your client would use in .NET 2.0 to auth w/ your WCF service.

Dim client As WebServiceClient = New WebServiceClient("basicHttpWebService")
client.ClientCredentials.UserName.UserName = "username"
client.ClientCredentials.UserName.Password = "password"

Next, a sample config for your WCF service to require SSL + Membership provider credentials

       <bindings>
            <basicHttpBinding>
                <binding name="basicHttp">
                    <security mode="TransportWithMessageCredential">
                        <transport/>
                        <message clientCredentialType="UserName"/>
                    </security>
                </binding>
            </basicHttpBinding>
        </bindings>
        <behaviors>
            <serviceBehaviors>
                <behavior name="NorthwindBehavior">
                    <serviceMetadata httpGetEnabled="true"/>
                    <serviceAuthorization principalPermissionMode="UseAspNetRoles"/>
                    <serviceCredentials>
                        <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"/>
                    </serviceCredentials>
                </behavior>
            </serviceBehaviors>
        </behaviors>

The only thing I'm not sure about is that to use the first section in the client app you might need the WCF/WPF extensions CTP installed because I typically right click and "add service reference" instead of the ASMX "add web reference" - if so this extension for VS2005 does require .NET 3.0 to be installed. But with a simple "add web reference" you should still be able enter a username/password ... I just don't know what this vb/c# would look like ...