Self-hosted WCF REST service and Basic authentication

Question

I\'ve created a self-hosted WCF REST service (with some extra\'s from WCF REST Starter Kit Preview 2). This is all working fine.

I\'m now trying to add Basic authenticat

Answer 1

Yes you can provide Basic authentication for REST based WCF services. However there are several steps which you must follow to have a complete and secure solution and thus far most responses are fragments of all the pieces needed.

1. Configure your self-hosted service to have a SSL certificate bound to the port which you are hosting your WCF service on. This is very different than applying a SSL cert when using managed hosting through something like IIS. You have to apply the SSL certificate using a command line utility. You DO NOT want to use Basic Authentication on a REST service without using SSL because the credentials in the header on not secure. Here are (2) detailed posts that I wrote on exactly how to do this. Your question is too big to have all the details on a forum post, so that is why I am providing the links with comprehensive details and step by step instructions:

   Applying and Using a SSL Certificate With A Self-Hosted WCF Service

   Creating a WCF RESTful Service And Secure It Using HTTPS Over SSL

2. Configure your service to use Basic authentication. This is a multi-part solution as well. 1st is configuring your service to use Basic authentication. The second is to create a 'customUserNamePasswordValidatorType' and inspect the credentials to authenticate the client. I see the last post eluded to this, however it did not use HTTPS and is only 1 very small part of the solution; be careful of guidance that does not provided an end-to-end solution inclusive of configuration and security. The last step is to look at the security context to provide authorization at the method level if needed. The following post I wrote takes you step-by-step on how to configure, authenticate, and authorize your clients.

   RESTful Services: Authenticating Clients Using Basic Authentication

This is the end-to-end solution needed for using Basic Authentication with self-hosted WCF services.