WCF HttpBinding Security Resolution (5) Basic verification (iis host)

The Basic authentication method is based on the user name/password. in Windows, we provide a valid Windows user name and password. However, Basic authentication is essentially different from Windows authentication. Basic is an Http Security Specification (RFC 2617). Different Internet application systems can implement and perform Basic authentication.

We use the configuration of code listing 11-89 to enable Basic verification in TransportCredentialOnly mode.

Code List 11-89 enable Basic verification

<basicHttpBinding>
<binding 
name="basicBindingConf">
<security 
mode="TransportCredentialOnly">
<transport 
clientCredentialType="Basic">
</transport>
</security>
</binding>
</basicHttpBinding>

After the configuration file is modified, we also need to configure IIS to support Basic authentication. Here, I disable all other authentication methods and only enable Basic authentication, 11-39.

Figure 11-39 enable basic IIS Authentication

After the server configuration is complete, update the service on the test site. The updated configuration file is displayed, as shown in code list 11-90.

Code List 11-90 client configuration Basic verification

<security mode="TransportCredentialOnly">
<transport 
clientCredentialType="Basic" proxyCredentialType="None" realm=""/>
<message 
clientCredentialType="UserName" algorithmSuite="Default"/>
</security>

In the above configuration, the "realm" attribute is configured with domain information. Actually, it indicates the root URL of each request.

How can I transmit verification information on the client? See the code list 11-91.

Code List 11-91 pass client basic verification information

   1:  

   2: public ActionResultIndex()

   3: {

   4: client.ClientCredentials.UserName.UserName="administrator";

   5: client.ClientCredentials.UserName.Password="xuan$%^hun456";

   6: stringhelloString=client.GetHello();

   7: ViewData["Message"]=helloString;

   8: returnView();

   9: }

From the 11-90 list, we can see that, unlike Windows authentication, another object is used to pass the identity information, client. ClientCredentials. UserName pair. The UserName and Password attributes of client. ClientCredentials. UserName are used to pass the user name and Password respectively.

Run the test site. The result is 11-40.

Figure 11-40 Basic verification results

Let's analyze how the Basic verification method is transmitted over Http. The request information is shown in the code list 11-92, and the response information is shown in the code list 11-93.

Code List 11-92 basic request information

POST http://wcfservicewebsite.com/HelloService.svc HTTP/1.1
Content-Type: text/xml; charset=utf-8
VsDebuggerCausalityData: 
uIDPo9qmOexINPFJi+3tKDrHjuIAAAAA9X2d7hDLH0GIwSTCqNRNiRHsOF3Z8KRDvBWVY4qgV1EACQAA
SOAPAction: "http://tempuri.org/IHelloService/GetHello"
Authorization: Basic YWRtaW5pc3RyYXRvcjp4dWFuJCVeaHVuNDU2
Host: wcfservicewebsite.com
Content-Length: 133
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
<s:Envelope 
xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetHello 
xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Code List 11-93 basic response information

HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sun, 26 Jun 2011 05:01:41 GMT
Content-Length: 237
<s:Envelope 
xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetHelloResponse 
xmlns="http://tempuri.org/"><GetHelloResult>Hello:BS--YANGWENHAI\Administrator;type=Basic</GetHelloResult></GetHelloResponse></s:Body></s:Envelope>

Let's take a look at the request information first, focusing on this sentence:

Authorization: Basic YWRtaW5pc3RyYXRvcjp4dWFuJCVeaHVuNDU2.

This sentence consists of three sections, the first section authorization: Flag verification information; the second section basic: the flag verification type is basic; the third section: ywrtaw5pc3ryyxrvcjp4dwfujcveahvundu2, which is a base64 encoded text, what is the content? The transcoding result is as follows:

Administrator: Xuan $ % ^ hun456

We can see that this is the username and password separated by the colon.

When we look at the response data and return the result after the verification is passed, what if the verification fails? We modify the password information provided by the client and submit the request again to see the result.

The exception information captured during debugging is 11-41.

Figure 11-41 basic Verification Failed

Figure 11-41 notifies the client that verification fails. At the same time, we can also see that when we do not configure domain information in the configuration file and IIS, IIS will automatically fill in the header of the requested domain information. Now let's look at the captured HTTP information. Response information is shown in the code list 11-94.

Code List 11-94 basic verification failure Response Information

HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
WWW-Authenticate: Basic realm="wcfservicewebsite.com"
X-Powered-By: ASP.NET
Date: Sun, 26 Jun 2011 05:27:25 GMT
Content-Length: 6329

The returned information. The first line of error code is "401", which is interpreted as "unauthorized ". The bold line identifies the specific verification Failure Information. www-authenticate is a standard verification response header field, and basic indicates that the verification method is "Basic ", realm indicates that the domain that has not passed the verification is "wcfservicewebsite.com ".