We have some applications (web and WPF) that call WCF services to access data. We are not using Windows Authentication. The user is prompted for a username and password when logging into the web app or WPF desktop app. The data is not highly confidential (i.e. no credit cards, SSN, etc.).
We would like to use BasicHttpBinding for the WCF endpoints. However, we want to pass a username and password to our WCF services so that we can restrict access to certain data depending on the user.
My question is, since we are 100% in an intranet environment would it be reasonable to simply pass the user's username and password in the header of the SOAP messages so that we can authentic the users on the WCF side? This seems like a very common situation and I'm curious how others have addressed security on the WCF side when all applications and services reside in an intranet environment.
Thanks.
It seems like pretty easy task but in reality it is quite hard because WCF team has already made decission that sending plain text user name token over unsecured channel is not allowed. You can always send user name and password in custom SOAP header but in that case you will lose WCF security infrastructure and you will have to inject your own password validation behavior etc.
If you really need plain text user name token you should check this binding.
Edit: Btw. remember that the most security attacks came from insiders so using HTTPS is not bad decission and it will make things much easier.