WCF 身份验证:自定义用户名和密码验证器 asp.net
是否需要创建服务证书才能使用自定义用户名和密码身份验证?我想使用自定义用户名和密码对我的 WCF 服务进行身份验证.
is it necessary to create a service certificate to use custom username and password authentication? I want to authenticate my WCF service with custom username and password.
我的服务web.config如下:
My Service web.config is as follows:
<system.serviceModel>
<bindings>
<wsHttpBinding>`enter code here`
<binding name="NewBinding0">
<security mode="Message">
<transport clientCredentialType="Basic" />
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="WcfTest.Service1Behavior" name="WcfTest.TestService">
<endpoint address="" binding="wsHttpBinding" contract="WcfTest.ITestService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<endpointBehaviors>
<behavior name="NewBehavior" />
</endpointBehaviors>
<serviceBehaviors>
<behavior name="WcfTest.Service1Behavior">
<serviceMetadata httpGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<!-- Use our own custom validation -->
<userNameAuthentication userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="MyValidator,WcfTest"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
和客户端 Web.config 是:
and Client Web.config is:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_ITestService" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00"
sendTimeout="00:01:00" bypassProxyOnLocal="false"
transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8"
useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192"
maxArrayLength="16384" maxBytesPerRead="4096"
maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows" proxyCredentialType="None"
realm="" />
<message clientCredentialType="UserName"
negotiateServiceCredential="true"
algorithmSuite="Default"
establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost:2374/Service1.svc" binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_ITestService"
contract="ServiceReference1.ITestService"
name="WSHttpBinding_ITestService">
<identity>
<userPrincipalName value="NYSA31\abc" />
</identity>
</endpoint>
</client>
</system.serviceModel>
但是我在访问服务时遇到以下错误.
But i am getting following error accessing the service.
WsHttpBinding 需要服务证书.WCF 4(以及带有特殊 KB 的旧版本)允许公开使用用户名和密码进行身份验证的服务而无需证书,但您真的想要它吗?这意味着用户名和密码将以纯文本形式通过网络传输 = 没有安全性,因为任何捕获数据包的人都可以使用被盗凭据进行身份验证.
WsHttpBinding demands service certificate. WCF 4 (and older versions with special KB) allows exposing service authenticated with UserName and password without certificate but do you really want it? It means that user name and password will go in the plain text over the wire = no security because anybody who will capture the packet will be able to authenticate with stolen credentials.
要使用没有证书的用户名密码,您需要 自定义绑定 或者您可以使用 ClearUserNameBinding.
To use user name password without certificate you need custom binding or you can use ClearUserNameBinding.