为受SSL保护的WSIT / Metro Web服务和客户端设置身份验证

Question

I'm kind of confused about setting up standard authentication for my SSL protected service. I have tried the HTTP header way , but that's non standard, and WS-I is important for me. It is possible to set up the Authentication Token to be Username on method level. This is the resulted BindingPolicy in the WSIT XML:

<wsp:Policy wsu:Id="DataStoreWSPortBindingPolicy">
    <wsp:ExactlyOne>
        <wsp:All>
            <wsam:Addressing wsp:Optional="false"/>
            <sp:TransportBinding>
                <wsp:Policy>
                    <sp:TransportToken>
                        <wsp:Policy>
                            <sp:HttpsToken RequireClientCertificate="false"/>
                        </wsp:Policy>
                    </sp:TransportToken>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic128/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                </wsp:Policy>
            </sp:TransportBinding>
            <sp:Wss10/>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="DataStoreWSPortBinding_hello_Input_Policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SupportingTokens>
                <wsp:Policy>
                    <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:WssUsernameToken10/>
                        </wsp:Policy>
                    </sp:UsernameToken>
                </wsp:Policy>
            </sp:SupportingTokens>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

SvcUtil warnings:

<!--    WsdlImporter encountered unrecognized policy assertions in ServiceDescription 'http://webServices/':    -->
          <!--    <wsdl:binding name='DataStoreWSPortBinding'>    -->
          <!--        <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">..</sp:SupportingTokens>    -->

I want to set credentials in the WCF client via ClientCredentials and then authenticate on the service side via database. What are the steps to achieve that?

Answer 1

If you want to have standard way on transport level why don't you use HTTP Basic authentication? That is the common standardized authentication mechanism for HTTP protocol and it works with web services as well.

The error you got is most probably because of SupportingTokens assertion. Even it is correct assertion WCF doesn't support it. Try to use SignedSupportingTokens or SignedEncryptedSupportingTokens . If you are not able to modify your service to produce such WSDL you can even try to modify the WSDL you got manually.

What you meant by WS-I? There are multiple WS-I standards and some of them don't expect policies at all - just plain SOAP services where headers are described in WSDL directly.