Basic Authentication with WCF REST service to something other than Windows accounts?

独厮守ぢ 2020-12-12 16:40

Is there a clean way to expose a WCF REST service that requires basic authentication, but where we handle the actual validation of the username/password ourselves? It seems

5 Answers
  • 2020-12-12 16:59

    The WCF REST Contrib library enables this functionality:

    http://github.com/mikeobrien/WcfRestContrib

    It also allows you to secure individual operations.

  • 2020-12-12 17:05

    Is the username and password set on the client like:

    cc.ClientCredentials.UserName.UserName = ReturnUsername();
    cc.ClientCredentials.UserName.Password = ReturnPassword();
    

    Or are they embedded in the body of the REST message?

    If the former, you can use a custom UserNamePasswordValidator: http://msdn.microsoft.com/en-us/library/aa702565.aspx

    If the latter, you can set the service to no security, and use a custom ServiceAuthorizationManager to validate the contents of the message: http://msdn.microsoft.com/en-us/library/ms731774.aspx

    Hope one or the other helps! I'd try to post sample code & config, but I'm @ home and don't have access to code, which is all @ work.

  • 2020-12-12 17:07

    See Custom Basic Authentication for RESTful services. Pablo's approach uses the interceptor functionality that is provided via the REST starter kit to solve the problem. If you do not want to depend on the REST starter kit, then you can create your own service host and use the interceptor functionality provided.

  • 2020-12-12 17:12

    If you host it on IIS, using a custom HTTP module is the way to go. You can bring the principal over to the WCF side to do code access security. See HTTP Basic Authentication against Non-Windows Accounts in IIS/ASP.NET (Part 3 - Adding WCF Support). Also see Custom HTTP Basic Authentication for ASP.NET Web Services on .NET 3.5/VS 2008.

    If you are not using IIS, you should be able to implement userNameAuthentication. See Finally! Usernames over Transport Authentication in WCF.

  • 2020-12-12 17:13

    Yes, absolutely there is a way. You need to configure a custom userNamePasswordValidationMode value for your service and point it to a class with an overridden method that can inspect and validate the credentials provided. When making a RESTful call, these credentials, when using Basic authentication in its proper form, should be in the request header. With this custom method you can inspect the credentials and then authenticate the client to your service. No Windows accounts or domain even needed.

    The nice thing is you can then take that security context to the next level and provide fine-grained authorization at the method level. You might have instances where a large pool of clients are able to access the service, but not all methods within (i.e. paid clients vs. unpaid). In this case you can also provide authorization at the method level as well if needed.

    Below is a step-by-step solution (with too many steps to embed) by me that contains both the needed configuration and security required to have a complete solution. The problem is that Basic authentication is often used without securing the transport with an SSL certificate, and this is bad. Make sure to follow all the steps and you will implement Basic authentication without the need of any type of Windows accounts or configuration on your WCF RESTful based service.

    RESTful Services: Authenticating Clients Using Basic Authentication

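The custom validator that several answers above point to, shown as an added example (it is not code from any of the answers or the articles they link): it checks Basic credentials against the service's own store using salted PBKDF2 hashes and a comparison with no early exit. It assumes a self-hosted service with an HTTPS endpoint on .NET Framework 4.7.2 or later; the namespace, class name, sample user and in-memory store are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

// Wire-up in config (self-hosted service, HTTPS endpoint):
//   webHttpBinding:  <security mode="Transport"><transport clientCredentialType="Basic"/></security>
//   serviceBehavior: <serviceCredentials><userNameAuthentication
//       userNamePasswordValidationMode="Custom"
//       customUserNamePasswordValidatorType="Example.StoreBackedValidator, Example"/></serviceCredentials>
namespace Example
{
    public class StoreBackedValidator : UserNamePasswordValidator
    {
        const int Iterations = 100000, HashBytes = 32;
        // Constructed sample store: user -> (salt, PBKDF2 hash). A real service reads this from its own database.
        static readonly Dictionary<string, Tuple<byte[], byte[]>> Store = Build();
        static readonly byte[] DummySalt = new byte[16];

        static Dictionary<string, Tuple<byte[], byte[]>> Build()
        {
            var salt = new byte[16];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
            return new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.Ordinal)
            {
                { "alice", Tuple.Create(salt, Hash("constructed-sample-password", salt)) }
            };
        }

        static byte[] Hash(string password, byte[] salt)
        {
            using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
                return kdf.GetBytes(HashBytes);
        }

        public override void Validate(string userName, string password)
        {
            Tuple<byte[], byte[]> entry;
            bool known = Store.TryGetValue(userName ?? "", out entry);
            // Hash even for unknown users so response time does not reveal which names exist.
            byte[] actual = Hash(password ?? "", known ? entry.Item1 : DummySalt);
            byte[] expected = known ? entry.Item2 : new byte[HashBytes];
            int diff = 0;
            for (int i = 0; i < HashBytes; i++) diff |= actual[i] ^ expected[i]; // no early exit
            if (!known || diff != 0)
                throw new SecurityTokenValidationException("Invalid credentials");
        }
    }
}
```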