So, I've been Googling and Tafiting around for a long time now. I've also posted many questions in the WCF forum, so this is pretty much my last hope... at least for now, so if you understand WCF, please, please write me back... at least just say "dude! I have no idea what you're talking about".
The thing is I need to implement Message security in WCF, UserName credentials in netTcpBinding with AspNetMembershipProvider, and I can't get it to work.
1- Is that possible?
2- Do I need to add a certificate in my services? (do I have to?)
3- Can somebody please point me in the right direction?
TIA
Regards,
Seba
-
It is possible (1). You will need a certificate for your service to authenticate the service with your client (2).
Here are a couple good books on WCF. Both have sections on how to secure WCF services using the ASP.NET providers (3).
- http://www.oreilly.com/catalog/9780596101626/ - Learning WCF
- http://www.oreilly.com/catalog/9780596526993/ - Programming WCF Services
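
Service-side configuration for the setup asked about in this thread, added here as an example and not taken from any poster or from the books linked above: netTcpBinding with Message security, UserName client credentials checked against the ASP.NET membership provider, and a service certificate. The service and contract names, the address and the certificate subject are placeholders; `AspNetSqlMembershipProvider` is assumed to be the default provider registered in machine.config.

```xml
<!-- Added example: all names, the address and the certificate subject are placeholders. -->
<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <binding name="tcpUserName">
        <!-- Message security: credentials travel inside the protected SOAP message -->
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>

  <behaviors>
    <serviceBehaviors>
      <behavior name="membershipAuth">
        <serviceCredentials>
          <!-- Certificate that authenticates the service to the client -->
          <serviceCertificate findValue="PLACEHOLDER-SERVICE-CERT-SUBJECT"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectName" />
          <!-- Validate user name and password through the membership provider
               instead of the default Windows account check -->
          <userNameAuthentication
              userNamePasswordValidationMode="MembershipProvider"
              membershipProviderName="AspNetSqlMembershipProvider" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>

  <services>
    <service name="Example.OrderService" behaviorConfiguration="membershipAuth">
      <endpoint address="net.tcp://localhost:8000/OrderService"
                binding="netTcpBinding"
                bindingConfiguration="tcpUserName"
                contract="Example.IOrderService" />
    </service>
  </services>
</system.serviceModel>
```

The client uses the same binding settings and sets `ClientCredentials.UserName.UserName` and `ClientCredentials.UserName.Password` on its proxy before opening the channel. Keep certificate validation enabled on the client, since the service certificate is what lets the client confirm it is sending the password to the intended service.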
-
Actually you don't need a certificate.
You can create your own channel using shared secret.
There are numerous articles about how to do this in WSE, and the same basic logic applies to WCF. (I don't have a sample for you).
Basically MS took out the shared secret system that was built into WSE 1.0 for security reasons (which are all valid unless you're careful) and didn't replace it with a different, better solution.
What you want to do is have a shared secret between the server and the client. Do not pass the password, only the user name. I would suggest that the user name be unique for each client and the password would be some sort of unique hashing algorithm based on that user name. The password should be LONG to ensure that it can't be hacked easily.
Then you encrypt the custom channel using whatever encryption system you wish, and you're set. (There is a one way implementation of this on CodeProject somewhere.)
MS: Please put this back, but make it secure, because requiring certificates on both sides (x509) is ridiculous!
-
I didn't see a clear cut way to implement a "shared secret" strategy in WCF.
Someone on my team is investigating creating a custom SOAP message (WCF Message Contract) with username credentials, but I would be interested in seeing an actual demo implementation of a custom WCF channel that does this.
-
See what I'm saying?! There are no right answers to this kind of question.

On the other hand I'm glad to see I'm not the only one thinking using a certificate sucks!
I'd like to read more comments... keep 'em coming!
Seba