A little new with WCF services when using username and passwords. I followed the tutorial found at http://www.codeproject.com/Articles/96028/WCF-Service-with-custom-username-password-authenti in order to protect my web service with a username and password.
My Config file is below
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<compilation debug="false" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
</system.web>
<system.serviceModel>
<services>
<service behaviorConfiguration="NewBehavior0" name="TService">
<endpoint address="mex" binding="mexHttpBinding" contract="ITechnology" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="NewBinding0">
<security>
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="NewBehavior0">
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerTrust" />
</clientCertificate>
<serviceCertificate findValue="Server" storeLocation="CurrentUser"
storeName="TrustedPeople" x509FindType="FindBySubjectName" />
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="TService, Services1"/>
</serviceCredentials>
<serviceMetadata httpGetEnabled="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<directoryBrowse enabled="true" />
</system.webServer>
</configuration>
Now i can view the WDSL in my browser and i know the certificate works as expected locally. When i connect to the service using the WCF test tool it doesnt prompt me for a username and password.
According to the link i posted and following ive not even done the final step (adding the code to pass in the username and password) but i can still connect to the service and retrieve all the data.
What have i missed out and how could i restrict the service where only a username and password allows the user/service to retrieve the data?
Edit 1:
<system.serviceModel>
<services>
<service behaviorConfiguration="NewBehavior0" name="TechService">
<endpoint address="mex" binding="mexHttpBinding" contract="ITechService" />
<endpoint address="TechService.svc" binding="wsHttpBinding" bindingConfiguration="" contract="ITechService" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="NewBinding0">
<security>
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="NewBehavior0">
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerTrust" />
</clientCertificate>
<serviceCertificate findValue="Server" storeLocation="CurrentUser"
storeName="TrustedPeople" x509FindType="FindBySubjectName" />
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="TechService, Services1"/>
</serviceCredentials>
<serviceMetadata httpGetEnabled="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<directoryBrowse enabled="true" />
</system.webServer>
</configuration>
Based on a quick review of the linked CodeProject page, your config file seems to be a bit off (as it does not indicate that any endpoints are actually using a client credential type).
The "NewBinding0" specifies clientCredentialType="Certificate" but the article indicates the value should be:
<binding name="NewBinding0">
<security mode="Message">
<message clientCredentialType="UserName"/>
</security>
</binding>
Also, the Service definition only defines a “mex” (metadata) endpoint. You most likely will want to define an wsHttpBinding.. endpoint, which utilizes the corrected binding that specifies clientCredentialType="UserName".
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="NewBinding0"/>
Hope this helps.
Regards,