我一直在尝试正确保护我的WCF WebService几天,但是我现在遇到了障碍。我试图在不使用证书的情况下保护此WebService,因为它将在安全的Intranet内运行。
我希望能够使用用户名/密码保护WebService,而无需更改每种方法来验证用户名和密码,也无需使用证书。这可能吗:
我当前的web.config如下:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.serviceModel>
<services>
<service name="TestWS.Service1" behaviorConfiguration="Default">
<endpoint contract="IMetadataExchange" binding="mexHttpBinding" address="mex" />
<endpoint contract="TestWS.IService1" binding="wsHttpBinding" bindingConfiguration="Binding1" address="" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="Binding1">
<security mode="Message">
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="Default">
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true"/>
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="TestWS.Validation.VanguardValidator, TestWS" />
</serviceCredentials>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
提前致谢,
帕特里克
答案 0 :(得分:3)
如果您使用的是用户名/密码验证,则可能会在邮件中以纯文本格式发送凭据。因此,您需要使用传输级别(SSL)安全性(https://....),或者您必须在服务器端拥有证书以提供共享密钥的方式,以便客户端和服务器之间的消息可以加密和签名。或者如果你根本不需要任何东西,你可以一起关闭安全性。
有关WCF安全性,Fundamentals of WCF Security或JuvalLöwy关于MSDN docs on Programming WCF Security的优秀MSDN文章的精彩介绍,请参阅Declarative WCF Security