
Security/authorization on consuming WCF service

I'm somewhat new to WCF. I've created a service and it works. The service receives some requested keys in an XML string, and returns an XML result set.

Here is my general question, and then I'll give some specifics. If someone creates a RESTful service in WCF using wsHttpBinding, does anyone consuming the service from the outside need to provide username/PW credentials?

OK, the details. On the server side, here's the core config:

<services>
    <service behaviorConfiguration="MyService1Behavior"  name="MyRestService">
        <endpoint 
            address="http://(address)/myweb/myrestservice.svc"  
            binding="wsHttpBinding"  
            contract="IMyRestService">
          <identity> <dns value="numeric address" />  </identity> 
        </endpoint>
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
</services>

and the service application interface:

[ServiceContract]
public interface IMyRestService
{
    [OperationContract]
    [WebInvoke(Method = "GET",
     ResponseFormat = WebMessageFormat.Xml,
     BodyStyle = WebMessageBodyStyle.Wrapped,
     UriTemplate = "OrderLookup/{LookupData}")]
    string OrderLookup(string LookupData);
}

Like I said, this all works when I consume it from a system completely outside the domain.

But I have to provide credentials, like the following:

MyClientService.ClientCredentials.Windows.ClientCredential.Domain = "remoteserver";
MyClientService.ClientCredentials.Windows.ClientCredential.UserName = "UserID";
MyClientService.ClientCredentials.Windows.ClientCredential.Password = "Password";

I'm a bit concerned that someone trying to consume the service with a non-.NET client won't want to have to provide credentials. So - if I've created a RESTful service using WCF and hosting it on IIS... will someone accessing the service externally need to provide credentials, or is there a way I can safely come up with a different solution?

Again, I realize I've got gaps in my knowledge - just looking to fill them.

Thanks in advance for any suggestions....

As Marc states in his comment, arguably what you have implemented is not really a RESTful service but rather a kind of POX service over SOAP 1.2.

However, because you're using wsHttpBinding, you can be confident that any traffic between the service and a consumer will be restricted by the standard security settings for this binding stack, which in turn implement the WS-Security SOAP extension.

This actually means that not only will non-.NET consumers be secured, they'll probably also struggle to consume this endpoint, as the default setup for wsHttpBinding is not very open for interoperability (for example, by default it uses Windows authentication, as you have found above).

If you need to support non-.NET clients, then use basicHttpBinding, which uses SOAP 1.1. You can still secure these endpoints by using SSL and username/password or certificates if that is your requirement.
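
The two binding setups discussed in the answer above, written out as an added configuration example (not part of the original question or answer). The binding names `WsDefaultsSpelledOut` and `BasicOverSsl` and the validator type `MyCompany.Security.ApiUserValidator, MyCompany.Security` are hypothetical placeholders; the service, contract and behavior names are taken from the question.

```xml
<system.serviceModel>
  <bindings>
    <!-- What the question's endpoint gets implicitly: wsHttpBinding defaults to
         message-level security with Windows credentials, which is why the
         client had to set ClientCredentials.Windows. -->
    <wsHttpBinding>
      <binding name="WsDefaultsSpelledOut">
        <security mode="Message">
          <message clientCredentialType="Windows" />
        </security>
      </binding>
    </wsHttpBinding>
    <!-- The answer's alternative: SOAP 1.1 over SSL, with a username/password
         carried in the message. This mode requires an https base address. -->
    <basicHttpBinding>
      <binding name="BasicOverSsl">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <services>
    <service behaviorConfiguration="MyService1Behavior" name="MyRestService">
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="BasicOverSsl"
                contract="IMyRestService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="MyService1Behavior">
        <serviceCredentials>
          <!-- Without this element, UserName credentials are validated as
               Windows accounts. The custom validator type is an assumption. -->
          <userNameAuthentication
              userNamePasswordValidationMode="Custom"
              customUserNamePasswordValidatorType="MyCompany.Security.ApiUserValidator, MyCompany.Security" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

With either SOAP binding the `WebInvoke`/`UriTemplate` attributes on the contract have no effect; they apply only to endpoints using webHttpBinding with the webHttp endpoint behavior.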
