简体繁体 English

WCF中的自定义身份验证，不带证书，https，ssl和iis

[英]Custom authentication in wcf without certificate, https, ssl and iis

原文 2012-01-13 03:16:19 4 2 wcf/ security/ iis/ authentication/ https

First of all sorry for my English, its not my native language. 首先，抱歉我的英语，不是我的母语。 I will try to describe my problem as much as I can. 我将尽我所能描述我的问题。

I searched for a long time on the Internet for a solution where I can create a wcf service that can respond to requests of my clients with username and password required but without creating a certificate, using https or anything else that require a special configuration on the machine where my windows service will be installed. 我在Internet上搜索了很长时间，寻找一种解决方案，在该解决方案中，我可以使用https或其他任何需要特殊配置的服务来创建wcf服务，该服务可以使用所需的用户名和密码来响应客户的请求，而无需创建证书。安装Windows服务的计算机。

Here is my point: I want to deploy an application to a lot of my customers. 这是我的观点：我想将应用程序部署到很多客户。 This application will have mobile devices and a server which will give some information to mobile device with the help of wcf. 该应用程序将具有移动设备和服务器，该服务器将在wcf的帮助下向移动设备提供一些信息。 Each customer will have a server and many devices. 每个客户将拥有一台服务器和许多设备。 I don't want that anyone on the web can have access to these information and for this reason, I must implement an authentication procedure with username and password for each request but I don't want to be forced to install a certificate, activate some https port on each machine when I sell a new copy of my application. 我不希望网络上的任何人都可以访问这些信息，因此，我必须为每个请求实施带有用户名和密码的身份验证过程，但是我不想被迫安装证书，激活某些证书。当我出售应用程序的新副本时，每台机器上的https端口。

I've read that with wcf 4.0, there is a built-in system that can encrypt data and for this reason, I don't want the overhead of implementing anything else if possible. 我读过wcf 4.0，有一个内置的系统可以加密数据，因此，我不希望在可能的情况下实现任何其他操作。

My question is: Is that possible to have a secure solution considering my requirements and if yes, how can I do that? 我的问题是：考虑我的要求，是否可能有一个安全的解决方案？如果是，我该怎么做？

If I really must create a certificate and use IIS, https or any other secure solution, it is possible to automate these things in a package that will be installed in a single click wizard into each server machine of my customers? 如果我真的必须创建一个证书并使用IIS，https或任何其他安全解决方案，是否可以将这些东西自动打包到一个软件包中，该软件包将通过单击向导安装到客户的每台服务器中？

Thank you in advance for your time. 预先感谢您的宝贵时间。

2 个解决方案

By default WCF doesnt allow transport of username credentials over http and hence have to use certificates to secure your transport layer. 默认情况下，WCF不允许通过http传输用户名凭据，因此必须使用证书来保护您的传输层。 But if you are sure that you are fine with sending username credentials over the http channel then you can have a look at ClearUsernameBinding which gives you the flexibility of sending username credentials over http channel (consider the fact that someone can intercept your transport channel to get access to the credentials) 但是，如果您确定可以通过http通道发送用户名凭据就可以了，那么可以看看ClearUsernameBinding ，它使您可以灵活地通过http通道发送用户名凭据（考虑到有人可以拦截您的传输通道以获取访问凭据）

Also if you want to use certificates that have to be installed you can achieve that writing some code in c# and include that as part of your installation from your package. 另外，如果您要使用必须安装的证书，则可以使用c＃编写一些代码，并将其作为软件包安装的一部分来实现。 You can also configure everything from an msi like creating a virtual directory, deploying the application,etc.. 您还可以配置来自msi的所有内容，例如创建虚拟目录，部署应用程序等。

what you are probably looking for is one of the wcf bindings that has message level security. 您可能正在寻找的是具有消息级安全性的wcf绑定之一。 You can put the user name and password into this message and not worry about them going across an http wire unencrypted(ie custom authentication). 您可以在此消息中输入用户名和密码，而不必担心它们会未经加密（即自定义身份验证）跨过http导线。 The defaults for WCF send user name and password as part of the http request in the header this is why it wants https. WCF的默认值将用户名和密码作为标头中http请求的一部分发送，这就是为什么要使用https。