

Are username and password sent in plain text when using windows authentication type in WCF?

If I have the following binding:

<bindings>
  <wsHttpBinding>
    <binding name="Binding">
      <security mode="Transport">
        <message clientCredentialType="Windows"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

Will the username and password be sent in plain text over the wire?

Edit

I know that by default WCF encrypts the connection. The reason why I asked the question is because of:

[image]

I got that from http://msdn.microsoft.com/en-us/library/aa354513.aspx

So my question is: I know that the connection is encrypted by default. But do I need an SSL certificate in order to prevent users from seeing the username and password? I know that once I am authenticated, messages will be encrypted. But are the password and username encrypted too?

Other answers here are misleading and incorrect, although they may reassure you by mentioning transport security. The correct answer is that Windows Authentication does not send passwords in plain text.

Windows authentication works when the client guarantees to the server that the user is who they say they are. No password is transmitted over the wire.

If you were to use Basic Authentication then the password would be transmitted over the wire; if using any https transport then the connection is encrypted but within that connection the content of the message is not encrypted.

See "How secure is WCF wsHttpBinding's Windows authentication?", a similar question.

See MSDN Message and Transport Security for more about WCF transport security.
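The difference between Basic and Windows credentials described in the answer above can be seen by decoding the HTTP `Authorization` header each one produces. This is an added example, not code from the original posts; it assumes the credentials travel as HTTP `Basic`, `NTLM` or `Negotiate` headers, that NTLM strings are Unicode, and the function names and sample values are constructed for illustration.

```python
import base64
import struct

def _field(raw, offset):
    # NTLM field descriptor: length (2), max length (2), payload offset (4), little-endian
    length, _max, start = struct.unpack_from("<HHI", raw, offset)
    return raw[start:start + length]

def inspect_authorization(value):
    """Classify an HTTP Authorization header value and report what it exposes."""
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:
        return {"scheme": scheme, "error": "token is not valid base64"}
    if scheme == "basic":
        # Basic is only an encoding of user:password, so the password is recoverable
        user, _, password = raw.decode("utf-8", "replace").partition(":")
        return {"scheme": scheme, "user": user, "password": password,
                "password_on_wire": True}
    if scheme in ("ntlm", "negotiate") and raw.startswith(b"NTLMSSP\x00") and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        info = {"scheme": scheme, "ntlm_type": msg_type, "password_on_wire": False}
        if msg_type == 3 and len(raw) >= 64:
            # AUTHENTICATE carries the user name and a challenge response, no password field
            info["user"] = _field(raw, 36).decode("utf-16-le", "replace")  # assumes Unicode
            info["nt_response_len"] = len(_field(raw, 20))
        return info
    if scheme == "negotiate":
        # SPNEGO-wrapped Kerberos or NTLM token: opaque ticket/response data
        return {"scheme": scheme, "token_len": len(raw), "password_on_wire": False}
    return {"scheme": scheme, "error": "unrecognised scheme or token"}

def sample_type3(user, nt_response):
    # Constructed sample: minimal AUTHENTICATE message, Unicode flag set, other fields empty
    user_b = user.encode("utf-16-le")
    empty = struct.pack("<HHI", 0, 0, 64)
    nt = struct.pack("<HHI", len(nt_response), len(nt_response), 64)
    usr = struct.pack("<HHI", len(user_b), len(user_b), 64 + len(nt_response))
    msg = (b"NTLMSSP\x00" + struct.pack("<I", 3) + empty + nt + empty + usr
           + empty + empty + struct.pack("<I", 0x1) + nt_response + user_b)
    return "NTLM " + base64.b64encode(msg).decode()

if __name__ == "__main__":
    basic = "Basic " + base64.b64encode(b"alice:S3cret!").decode()  # constructed
    print(inspect_authorization(basic))
    print(inspect_authorization(sample_type3("alice", bytes(24))))  # placeholder response
```

The Basic header yields the password directly, which is why it needs an encrypted transport, while the NTLM message exposes only the user name and a response value.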

Data sent over the wire, contained in the message, is in plain text; however, given that Transport security mode is being used, the client-server communication is being secured via ssl over http (and TLS in the case of TCP).

More can be read here about how Transport secures communication.

But because neither of the communicating parties is required to understand xml-level security concepts, the actual xml of a message is sent in plain text.

EDIT: Kirk Broadhurst is correct - in the case of Windows Authentication, username and password are not attached to/present on the message, but any data present is not encrypted.

WsHttpBinding encrypts messages by default so it will not be plain text.

More info here.
