5

I have been searhcing for this for a couple of days now.

I am just trying to have a Username / Password being passed into my RESTful service using Basic HTTP Authentications. Everything else works awesomly!

Here is what my web.config looks like:

<?xml version="1.0"?>
<configuration>

  <system.web>
    <compilation debug="true" targetFramework="4.0" />
  </system.web>

  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <add name="UrlRoutingModule" type="System.Web.Routing.UrlRoutingModule, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </modules>
  </system.webServer>

  <system.serviceModel>

    <bindings>
      <wsHttpBinding>
        <binding name="">
          <security mode="Message">
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

    <serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>

    <standardEndpoints>
      <webHttpEndpoint>
        <!-- 
            Configure the WCF REST service base address via the global.asax.cs file and the default endpoint 
            via the attributes on the <standardEndpoint> element below
        -->
        <standardEndpoint name="" helpEnabled="true" defaultOutgoingResponseFormat="Json" automaticFormatSelectionEnabled="true"/>
      </webHttpEndpoint>
    </standardEndpoints>

    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceCredentials>
            <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="ParkingPandaREST.CustomUserNameValidator, ParkingPandaREST" />
          </serviceCredentials>      
        </behavior>
      </serviceBehaviors>
    </behaviors>


  </system.serviceModel>

</configuration>

Then I created a CustomUserNameValidator class that has the following:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;

namespace ParkingPandaREST
{
    public class CustomUserNameValidator : System.IdentityModel.Selectors.UserNamePasswordValidator
    {
        // This method validates users. It allows in two users, test1 and test2 
        // with passwords 1tset and 2tset respectively.
        // This code is for illustration purposes only and 
        // must not be used in a production environment because it is not secure.    
        public override void Validate(string userName, string password)
        {
            if (null == userName || null == password)
            {
                throw new ArgumentNullException();
            }

            if (!(userName == "test1" && password == "1tset") && !(userName == "test2" && password == "2tset"))
            {
                // This throws an informative fault to the client.
                throw new System.ServiceModel.FaultException("Unknown Username or Incorrect Password");
                // When you do not want to throw an infomative fault to the client,
                // throw the following exception.
                // throw new SecurityTokenException("Unknown Username or Incorrect Password");
            }
        }
    }
}

I am simply running the service on my local machine and trying to hit a break point in the CustomUserNameValidator class but it never gets there. So I am not using SSL right now, simply just trying to get the username / Password being passed in.

Improve this question

3 Answers 3

Reset to default
4

Here is the answer I came up with. It may need to be tweaked a bit, but it is the core that you need to get the job done.

Note: Turn off basic authentication in IIS

           // Get the Header Authorization Value
            string headerValue = operationContext.IncomingRequest.Headers[HttpRequestHeader.Authorization];
            headerValue = headerValue.Replace("Basic ", "");
            headerValue = DecodeBase64String(headerValue);

            // Get Username and Password
            string userName = headerValue.Substring(0, headerValue.IndexOf(":"));
            string password = headerValue.Substring(headerValue.IndexOf(":") + 1, headerValue.Length - userName.Length - 1);

            // Do Custom Authorization here with the userName and password

.......

Also here is the DecodeBase64String function

    public static string DecodeBase64String(string encodedData)
    {
        byte[] encodedDataAsBytes = System.Convert.FromBase64String(encodedData);
        string returnValue = System.Text.ASCIIEncoding.ASCII.GetString(encodedDataAsBytes);
        return returnValue;
    }

Hope that help some other people who were having the same problem - cheers!

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

I'd recommend using Encoding.UTF8.GetString(encodedData) though
1

The default binding for the HTTP transport in WCF 4 is basicHttpBinding. If you convert your wsHttpBinding element to a basicHttpBinding element and configure it for custom validation then your code should execute.

Improve this answer

6 Comments

I just tried to change <wsHttpBinding> to <basicHttpBinding> and still could not get it to hit the the break point. Am I missing anything else?
It could be that your client config and the service config are not in sync. Also, you need to configure IIS to allow HTTP basic authentication. IIS configuration will vary by version but here is the IIS 7 config: technet.microsoft.com/en-us/library/cc772009(WS.10).aspx
So will this not work on my local developer machine using VS2010 - Just hitting F5 and having it in debug mode?
I haven't tried to do this using the built-in Visual Studio development web server. If the service project is a WCF service application then you should be able to go into the project properties tabs and in the Web tab there is an option to use the local IIS server. VS will automatically create a website for the service. Once it is set up, configure your local IIS for basic HTTP authentication. F5 will then work in this mode as usual. At least thats what I've done it the past :)
And you were able to use Custom HTTP Basic Authentication? Didn't have this issue: samuelotter.com/blog/2010/07/…
|
0

Basic authentication is an HTTP protocol. Thus it's transport security, not message security. Your config should contain this snippet:

<security mode="Transport">
    <transport clientCredentialType="Basic" />
</security>

But even if you get this right, your custom code probably won't be called. You'll find more details about this problem in this blog.

Improve this answer

3 Comments

For handling basic authentication for my services I use: altairiswebsecurity.codeplex.com I host my services as a MVC controller instead of WCF.
So with a brand new release of WCF you can't do Basic HTTP Authentication properly...wow that is terrible!
@Codo Cant follow your link the the blog :( im having the same problem with my custom validator not executing

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.