关于WCF为第三方集成商提供服务的问题

Question

There are some companies that are interested in integrating our software with their software. We are starting to look into providing a web service for them to consume over the internet. We will be building the web service using WCF. We can't guarantee that every integrator will be using WCF or .NET, so interoperability is important.

We would like to authenticate each 3rd party integrator when they call our service operations with a username and password. Alternatively, I have read that client authentication can be achieved using certificates, but that seems complicated.

We plan to host the service in IIS.

The options available in WCF is overwhelming. Based on the above, what configuration (bindings/security) would be recommended?

Is it possible to use IIS for hosting, basicHttpBinding, membership provider for authentication, and SSL for encryption? Will these things work well in concert?

Answer 1

Definitely go with BasicHttpBinding and HTTPS. BasiHttpBinding provides the simplest SOAP interoperable services and HTTPS will ensure that transmission between client and your service will be secure.

To authenticate users you can use TransportWithMessageCredential security mode of BasicHttpBinding . This security configuration expects standardized SOAP header (UserName Token Profile) in the message. The header (in case of WCF) contains user name and password in the plain text. Plain text is not a problem in this case because whole transport is secured by SSL (HTTPS). Even if your clients are not WCF and doesn't have any special SOAP stack adding this header should be quite easy. Also using this authentication type directly allows you validating user name with membership provider or writing custom password validator.