StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POUser/Pass Authentication using RESTful WCF & Windows Forms
primarykey
Id
395892
data
AcceptedAnswerId
396815
AnswerCount
4
ClosedDate
CommentCount
3
CommunityOwnedDate
CreationDate
2008-12-28T05:47:58.100
FavoriteCount
26
LastActivityDate
2015-01-16T12:26:08.657
LastEditDate
2017-05-23T12:30:42.417
LastEditorUserId
-1
OwnerUserId
41211
ParentId
0
PostTypeId
1
Score
36
ViewCount
22614
LastEditorDisplayName
GONeale
text
Body
What is the best approach to implementing authorisation/authentication for a Windows Forms app talking to an IIS-hosted RESTful WCF Service? The reason I ask is I am very confused, after sifting through different articles and posts expressing a different method and eventually hitting a ~650 page document on WCF Security Best Practices" (<a href="http://www.codeplex.com/WCFSecurityGuide" rel="nofollow noreferrer">http://www.codeplex.com/WCFSecurityGuide</a>) I am just uncertain which approach is the BEST to take and how to get started on implementation, given my scenario. I started with this article "A Guide to Designing and Building RESTful Web Services with WCF 3.5" (<a href="http://msdn.microsoft.com/en-us/library/dd203052.aspx" rel="nofollow noreferrer">http://msdn.microsoft.com/en-us/library/dd203052.aspx</a>) and a PDC video on RESTful WCF services, which was great and helped me implement my first REST-friendly WCF service, After I had the service working, I returned to implement security, see. "Security Considerations" (quarter down the page) and attempted to implement a HTTP Authorization header as per the instructions, however I found the code to be incomplete (see how 'UserKeys' variable was never declared). This is the point at which I tried to research more on how to do this (using a HMAC hash with the "Authorization" HTTP header, but could not find much on google?) it led me to other articles regarding message-level security, forms auth and custom validators and frankly I am not sure which is the best and most appropriate approach to take now. So with all that said (and thanks for listening up till now!), I guess my main questions are, - Which security implementation should I use? - Is there any way to avoid sending the username/password with every WCF call? I would prefer not to send these extra bytes if a connection has been established at the beginning, which it will be before subsequent calls are allowed to be made after login. - Should I even really be concerned about anything other than plain text if I am using SSL? As said, .NET 3.5 win forms app, IIS-hosted WCF service, however what is important is I wish any and all WCF services to require this authorization procedure (however it should be, session, http header or otherwise) as I do not want anybody to be able to hit these services from the web. I know the above post is large but I had to express the route I have already been down and what I need to accomplish, any and all help is greatly appreciated. PS: I am also aware of this post <a href="https://stackoverflow.com/questions/141484/how-to-configure-secure-restful-services-with-wcf-using-usernamepassword-ssl">How to configure secure RESTful services with WCF using username/password + SSL</a> and if the community suggests I move away from REST for WCF services, I can do this, however I started with this to keep consistency for any public APIs to come. I think it's important I state how I am accessing my WCF Service (contacting the service is working, but what is the best way to validate credentials - and then return the Member object?): <pre><code>WebChannelFactory<IMemberService> cf = new WebChannelFactory<IMemberService>( new Uri(Properties.Settings.Default.MemberServiceEndpoint)); IMemberService channel = cf.CreateChannel(); Member m = channel.GetMember("user", "pass"); </code></pre> Code that was half implemented from MS article (and some of my own for testing): <pre><code> public Member GetMember(string username, string password) { if (string.IsNullOrEmpty(username)) throw new WebProtocolException(HttpStatusCode.BadRequest, "Username must be provided.", null); if (string.IsNullOrEmpty(password)) throw new WebProtocolException(HttpStatusCode.BadRequest, "Password must be provided.", null); if (!AuthenticateMember(username)) { WebOperationContext.Current.OutgoingResponse.StatusCode = HttpStatusCode.Unauthorized; return null; } return new Member() { Username = "goneale" }; } </code></pre>
Tags
<.net><wcf><restful-authentication><ws-security>
Title
User/Pass Authentication using RESTful WCF & Windows Forms
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USCommunity
UserOwnerUserId
1. USGONeale
plurals
PostLinksPostIdRelatedPostId
1. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
2. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
PostLinksRelatedPostIdPostId
1. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
2. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
3. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
3. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POUser/Pass Authentication using RESTful WCF & Windows Forms
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 POUser/Pass Authentication using RESTful WCF & Windows Forms
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 POUser/Pass Authentication using RESTful WCF & Windows Forms
 UserUserId
 USbalexandre
 VoteTypeVoteTypeId
 VTFavorite
CommentsPostId

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.