There are two types of security in WCF. One is the security of the data, and the second is the security of the medium through which the message travels.
Security of the data is achieved with message security. Security of the medium through which the message travels, which is protocol security, is achieved with transport-level security.
This article shows how to achieve message-level security. There are different types of client credential, and message security is achieved using one of them. I am using wsHttpBinding to achieve message-level security.
In this example I am using the username client credential.
The following code implements message security using the username client credential.
Create a class that inherits from the UserNamePasswordValidator class, which is found in the System.IdentityModel.Selectors namespace, and override the Validate method to verify the username and password.
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.IdentityModel.Selectors;
    using System.ServiceModel;

    public class Credentioal : UserNamePasswordValidator
    {
        // Called by WCF for every message that carries a UserName credential.
        public override void Validate(string userName, string password)
        {
            // Demo values only; you can also check against a database.
            if (!(userName == "isha" && password == "isha123"))
            {
                // Reject the call; the client receives a fault.
                throw new FaultException("Wrong userid and pwd");
            }
        }
    }
Go to your web.config file, customize the binding, and add message security with the username client credential.
    <bindings>
      <wsHttpBinding>
        <binding name="sec">
          <security mode="Message">
            <message clientCredentialType="UserName"></message>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
Now create the service tag and attach this binding to the endpoint using the bindingConfiguration attribute, as follows:
    <services>
      <service name="Service">
        <endpoint address="" binding="wsHttpBinding" contract="IService" bindingConfiguration="sec" >
        </endpoint>
      </service>
    </services>
To implement message-level security we need a security certificate. Open the Start menu, type inetmgr, and choose Server Certificates.
Now create the server certificate from the left panel: choose Create Self-Signed Certificate and give it a proper name. I named my certificate isha.
You can now see your certificate in the list.
Now go to your web.config file again and add this certificate and the credential class to it.
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceCredentials>
            <serviceCertificate findValue="isha"
                                storeLocation="LocalMachine"
                                storeName="My"
                                x509FindType="FindByIssuerName"/>
            <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Credentioal, App_Code"/>
          </serviceCredentials>
          <!-- To avoid disclosing metadata information, set the value below to false before deployment -->
          <serviceMetadata httpGetEnabled="true"/>
          <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
Now run your service.
Next, create your client application, add a reference to the service, and supply the credentials as follows:
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.UI;
    using System.Web.UI.WebControls;

    public partial class _Default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // Proxy generated by adding the service reference.
            ServiceReference1.ServiceClient sv = new ServiceReference1.ServiceClient();

            // Credentials sent inside the secured message and checked by the custom validator.
            sv.ClientCredentials.UserName.UserName = "isha";
            sv.ClientCredentials.UserName.Password = "isha123";

            Response.Write(sv.GetData(5));
        }
    }
If you do not pass the credentials, or pass the wrong credentials, the call simply fails with an error.