我想针对自定义成员身份和角色提供程序对WCF服务的用户进行身份验证,但我不想保护证书之间的流量。
是否可以使用basicHttpBinding,在没有证书的情况下传递自定义凭证?
我问,因为我有一个WCF服务,所有会员提供商管道等都连接在via config并托管在IIS下,但用户详细信息没有传递给IIS。
我有一个网络安全的WAN,所以我不担心邮件加密。
ASP.Net兼容性已打开,配置如下。这都是.Net 4.0;
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<membership defaultProvider="DemoMembershipProvider" userIsOnlineTimeWindow="15">
<providers>
<clear />
<add name="DemoMembershipProvider" type="DemoMembershipProvider" connectionStringName="SqlConn" applicationName="TestProvider" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" passwordFormat="Clear" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="DemoRoleProvider" >
<providers>
<clear/>
<add name="DemoRoleProvider" connectionStringName="blah" applicationName="TestProvider" type="DemoRoleProvider" />
</providers>
</roleManager>
<customErrors mode="Off" />
</system.web>
<system.serviceModel>
<services>
<service name="DataService">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="BindingConfiguration" contract="IDataService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="BindingConfiguration">
<security mode="None">
<message clientCredentialType="UserName"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="DemoMembershipProvider" />
</serviceCredentials>
<serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="DemoRoleProvider" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
客户端代码是;
Console.WriteLine("Calling with valid credentials");
using (var y = new DataServiceRef.DataServiceClient())
{
y.ClientCredentials.UserName.UserName = "ryan";
y.ClientCredentials.UserName.Password = "password";
Console.WriteLine("Result: {0}", y.GetData("blah"));
}
答案 0 :(得分:5)
您必须使用自定义绑定,因为默认绑定不支持在没有安全通道的情况下发送用户名和密码(传输或消息安全性都需要证书)。使用此自定义绑定:
<customBinding>
<binding name="UsernamePasswordOverHttp">
<textMessageEncoding messageVersion="Soap11" />
<security
authenticationMode="UserNameOverTransport"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
allowInsecureTransport="true" />
<httpTransport />
</binding>
</customBinding>
另一种解决方案是使用ClearUserNameBinding。