WCF身份验证：自定义用户名和密码验证程序asp.net

Question

是否有必要创建服务证书以使用自定义用户名和密码身份验证？我想使用自定义用户名和密码验证我的WCF服务。

我的服务web.config如下：

<system.serviceModel>
    <bindings>
        <wsHttpBinding>`enter code here`
            <binding name="NewBinding0">
                <security mode="Message">
                    <transport clientCredentialType="Basic" />
                    <message clientCredentialType="UserName" />
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
    <services>
        <service behaviorConfiguration="WcfTest.Service1Behavior" name="WcfTest.TestService">
            <endpoint address="" binding="wsHttpBinding" contract="WcfTest.ITestService" />
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
        </service>
    </services>
    <behaviors>
        <endpointBehaviors>
            <behavior name="NewBehavior" />
        </endpointBehaviors>
        <serviceBehaviors>
            <behavior name="WcfTest.Service1Behavior">
                <serviceMetadata httpGetEnabled="false" />
                <serviceDebug includeExceptionDetailInFaults="false" />
                <serviceCredentials>   
                    <!-- Use our own custom validation -->
                    <userNameAuthentication userNamePasswordValidationMode="Custom"
                     customUserNamePasswordValidatorType="MyValidator,WcfTest"/>
                </serviceCredentials>
            </behavior>
        </serviceBehaviors>
    </behaviors>
</system.serviceModel>

和Client Web.config是：

<system.serviceModel>
    <bindings>
        <wsHttpBinding>
            <binding name="WSHttpBinding_ITestService" closeTimeout="00:01:00"
                     openTimeout="00:01:00" receiveTimeout="00:10:00" 
                     sendTimeout="00:01:00" bypassProxyOnLocal="false" 
                     transactionFlow="false" hostNameComparisonMode="StrongWildcard"
                     maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                     messageEncoding="Text" textEncoding="utf-8" 
                     useDefaultWebProxy="true" allowCookies="false">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" 
                              maxArrayLength="16384" maxBytesPerRead="4096" 
                              maxNameTableCharCount="16384" />
                <reliableSession ordered="true" inactivityTimeout="00:10:00"
                                 enabled="false" />
                <security mode="Message">
                    <transport clientCredentialType="Windows" proxyCredentialType="None"
                               realm="" />
                    <message clientCredentialType="UserName" 
                             negotiateServiceCredential="true"
                             algorithmSuite="Default" 
                             establishSecurityContext="true" />
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
    <client>
        <endpoint address="http://localhost:2374/Service1.svc" binding="wsHttpBinding"
                  bindingConfiguration="WSHttpBinding_ITestService" 
                  contract="ServiceReference1.ITestService"
                  name="WSHttpBinding_ITestService">
            <identity>
                <userPrincipalName value="NYSA31\abc" />
            </identity>
        </endpoint>
    </client>
</system.serviceModel>

但是我在访问服务时遇到以下错误。

Answer 1

WsHttpBinding需要服务证书。 WCF 4（以及具有特殊KB的旧版本）允许在没有证书的情况下公开使用UserName和密码进行身份验证的服务，但您真的想要它吗？这意味着用户名和密码将以明文形式通过wire = no security，因为任何将捕获数据包的人都可以使用被盗凭证进行身份验证。

要使用没有证书的用户名密码，您需要custom binding，或者您可以使用ClearUserNameBinding。