如何配置带有基本身份验证的WCF BasicHttpBinding以在Adobe Flex中使用？

Question

Architecture

I have a simple example web service that exposes two operations by ServiceContract and OperationContract, nothing fancy. This service should be consumed by an Adobe Flex 4 client. Unfortunately Flex can just handle SOAP 1.1 (and not SOAP 1.2), so I have to use the BasicHttpBinding on WCF side. To secure the access to the web service I've to use Basic Authentication, because it's the only authentication method both sides ( WCF and Flex ) understand. Basic Authentication goes along with SSL to encrypt the transport. I run the service in IIS Express with Visual Studio 2012.

WCF service configuration

Web.config

<system.serviceModel>

<services>
  <service name="UserAuthentication.AuthenticationService"
           behaviorConfiguration="AuthenticationServiceBehavior">
    <endpoint address=""
              binding="basicHttpBinding"
              bindingConfiguration="AuthenticationBinding"
              contract="UserAuthentication.IAuthenticationService" />
    <endpoint contract="IMetadataExchange"
              binding="mexHttpBinding"
              address="mex" />
  </service>
</services>

<bindings>
  <basicHttpBinding>
    <binding name="AuthenticationBinding" maxReceivedMessageSize="65536">
        <!-- Use SSL (Transport) and MessageCredential by Username (referencing behaviors/serviceBehaviors/behavior/serviceCredentials) -->
        <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="None" proxyCredentialType="None" />
            <message clientCredentialType="UserName" />
        </security>
      <readerQuotas maxArrayLength="65536" maxBytesPerRead="65536" maxStringContentLength="65536"/>
    </binding>
  </basicHttpBinding>
</bindings>

<behaviors>
  <serviceBehaviors>
    <behavior name="AuthenticationServiceBehavior">
      <serviceDebug includeExceptionDetailInFaults="false" />
      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />

      <!-- Use Custom DistributorValidator for Basic Authentication -->
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="UserAuthentication.DistributorValidator,UserAuthentication"/>
        <!--<serviceCertificate findValue="localhost" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />-->
      </serviceCredentials>

      <!-- For Debug purpose: @see http://intrepiddeveloper.wordpress.com/2008/08/07/security-event-logging-auditing/ -->
      <serviceSecurityAudit auditLogLocation="Application" serviceAuthorizationAuditLevel="Failure" messageAuthenticationAuditLevel="Failure" suppressAuditFailure="true"/>
    </behavior>
  </serviceBehaviors>
</behaviors>

</system.serviceModel>

DistributedValidator.cs

Should be used to authenticate the user by username and password from Basic Authentication.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.ServiceModel;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;

namespace UserAuthentication
{
    public class DistributorValidator : UserNamePasswordValidator
    {
        /* Throw exeption to deny access for user */
        public override void Validate(string userName, string password)
        {
            if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
                throw new SecurityTokenException("Username and password required");

            if( userName.Equals("user") == false || password.Equals("secretpwd") == false)
                throw new FaultException(string.Format("Wrong username ({0}) or password ", userName));
        }

    }
}

Start service with SSL in IIS Express

1. Select project in Solution Explorer press F4 to open the properties panel
2. Set property SSL enabled to True
3. To run project press F11 (HTTP version of the page should open in your browser)
4. Right click on the IIS Express icon in your task bar tray and select the HTTPS version of your page
5. You can now open the WSDL file of the service via HTTPS

Consuming web service with Flex

Connect to web service as described in the Adobe documentation . This works fine so far and the service has been created in the Data/Services panel of the Flash Builder.

Problem

Test the web service through the Test Operation panel in the Flash Builder, the result is the HTML source code from https://localhost:44301/AuthenticationService.svc and not an expected SOAP message.

Trying the same web service and operation with the free version of SoapUI , the result is this SOAP envelope:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
   <s:Body>
      <s:Fault>
         <faultcode xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</faultcode>
         <faultstring xml:lang="de-AT">An error occurred when verifying security for the message.</faultstring>
      </s:Fault>
   </s:Body>
</s:Envelope>

In addition a MessageSecurityException is logged to the Windows Event Viewer :

 Message authentication failed.
 Service: https://localhost:44301/AuthenticationService.svc
 Action: http://tempuri.org/IAuthenticationService/GetData
 ClientIdentity: 
 ActivityId: <null>
 MessageSecurityException: Security processor was unable to find a security header in the message. This might be because the message is an unsecured fault or because there is a binding mismatch between the communicating parties.   This can occur if the service is configured for security and the client is not using security.

In both cases (Flex and SoapUI) the custom DistributorValidator is never touched, so the problem is placed deeper in the magic of WCF.

Question

Is there any possibility to run a WCF service with BasicHttpBinding and Basic Authentication that play nicely together with Adobe Flex?

Answer 1

You need to mess with the headers to get basic HTTP auth to work with HTTPService.

It would look something like this when making the call from Flex...

var encoder:Base64Encoder = new Base64Encoder();
encoder.insertNewLines = false; // or else your header may fail...
encoder.encode("user_name:user_pass");
service.headers = {Authorization:"Basic " + encoder.toString()};                                                
service.send();  //where servie is an instance of HTTPService