WCF HttpBinding Security Resolution (5): Basic Authentication (IIS Host)

Source: Internet
Author: User

Basic authentication is based on a user name and password. On Windows we supply a valid Windows user name and password, but Basic authentication is fundamentally different from Windows authentication: Basic is an HTTP security specification (RFC 2617), and any HTTP application, on any platform, can implement it.

We use the configuration in code list 11-89 to enable Basic authentication in TransportCredentialOnly mode.

Code List 11-89 Enabling Basic authentication


<basicHttpBinding>
  <binding name="basicBindingConf">
    <security mode="TransportCredentialOnly">
      <transport clientCredentialType="Basic">
      </transport>
    </security>
  </binding>
</basicHttpBinding>

After the configuration file is modified, IIS must also be configured to support Basic authentication. Here I disable all other authentication methods and enable only Basic authentication, as shown in Figure 11-39.

Figure 11-39 Enabling Basic authentication in IIS

After the server-side configuration is complete, update the service reference in the test site. The updated client configuration is shown in code list 11-90.

Code List 11-90 Client configuration for Basic authentication


<security mode="TransportCredentialOnly">
  <transport clientCredentialType="Basic" proxyCredentialType="None" realm=""/>
  <message clientCredentialType="UserName" algorithmSuite="Default"/>
</security>

In the above configuration, the "realm" attribute holds the authentication realm (the "domain" information); in practice it names the root URL of the request being protected.

How do we pass the credentials on the client? See code list 11-91.

Code List 11-91 Passing Basic authentication credentials from the client

public ActionResult Index()
{
    // client is the generated WCF proxy for IHelloService, created elsewhere in the controller.
    // Basic authentication takes a user name/password pair rather than a Windows token.
    client.ClientCredentials.UserName.UserName = "administrator";
    client.ClientCredentials.UserName.Password = "xuan$%^hun456";
    string helloString = client.GetHello();
    ViewData["Message"] = helloString;
    return View();
}

Code list 11-91 shows that, unlike Windows authentication, a different object carries the identity information: the client.ClientCredentials.UserName pair. Its UserName and Password properties pass the user name and password respectively.

Run the test site. The result is shown in Figure 11-40.

Figure 11-40 Basic authentication result

Let's analyze how Basic authentication is transmitted over HTTP. The request is shown in code list 11-92 and the response in code list 11-93.

Code List 11-92 Basic authentication request


POST http://wcfservicewebsite.com/HelloService.svc HTTP/1.1
Content-Type: text/xml; charset=utf-8
VsDebuggerCausalityData: uIDPo9qmOexINPFJi+3tKDrHjuIAAAAA9X2d7hDLH0GIwSTCqNRNiRHsOF3Z8KRDvBWVY4qgV1EACQAA
SOAPAction: "http://tempuri.org/IHelloService/GetHello"
Authorization: Basic YWRtaW5pc3RyYXRvcjp4dWFuJCVeaHVuNDU2
Host: wcfservicewebsite.com
Content-Length: 133
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetHello xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Code List 11-93 Basic authentication response


HTTP/1.1 200 OK
Content-Type: text/xml; charset=utf-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sun, 26 Jun 2011 05:01:41 GMT
Content-Length: 237

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetHelloResponse xmlns="http://tempuri.org/"><GetHelloResult>Hello:BS--YANGWENHAI\Administrator;type=Basic</GetHelloResult></GetHelloResponse></s:Body></s:Envelope>

Let's look at the request first, focusing on this header line:

Authorization: Basic YWRtaW5pc3RyYXRvcjp4dWFuJCVeaHVuNDU2

The line has three parts. The first, "Authorization", marks the header as carrying credentials; the second, "Basic", identifies the authentication scheme as Basic; the third, "YWRtaW5pc3RyYXRvcjp4dWFuJCVeaHVuNDU2", is Base64-encoded text. What does it contain? Decoding it gives:

administrator:xuan$%^hun456

We can see that this is the user name and the password, separated by a colon.

The response above shows the result returned once authentication succeeds. What happens when it fails? We change the password supplied by the client and submit the request again.

The exception captured while debugging is shown in Figure 11-41.

Figure 11-41 Basic authentication failure

Figure 11-41 shows the exception that tells the client authentication failed. It also shows that when no realm is configured in either the configuration file or IIS, IIS automatically fills the realm in the response header with the host name of the request. Now let's look at the captured HTTP traffic; the response is shown in code list 11-94.

Code List 11-94 Basic authentication failure response


HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
WWW-Authenticate: Basic realm="wcfservicewebsite.com"
X-Powered-By: ASP.NET
Date: Sun, 26 Jun 2011 05:27:25 GMT
Content-Length: 6329

In the returned response, the first line carries the status code "401", which means "Unauthorized". The WWW-Authenticate line identifies the specific authentication failure: WWW-Authenticate is the standard challenge header, "Basic" indicates that the required scheme is Basic, and realm indicates that the realm for which authentication failed is "wcfservicewebsite.com".
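The two header lines analysed above, the client's Authorization header and the server's WWW-Authenticate challenge, can be reproduced and inspected with a few lines of Python. The following is an added example, not code from the original article or from WCF; it reuses the user name, password and header values captured on this page as constructed sample input, and the function names are my own. It builds the header the way an RFC 2617 client does, decodes a captured header back into its credentials, and parses the realm that IIS filled into the 401 challenge.

```python
import base64
import re

# Constructed sample values, copied from the request and response captured on this page.
SAMPLE_USERNAME = "administrator"
SAMPLE_PASSWORD = "xuan$%^hun456"
CAPTURED_AUTHORIZATION = "Basic YWRtaW5pc3RyYXRvcjp4dWFuJCVeaHVuNDU2"
CAPTURED_CHALLENGE = 'Basic realm="wcfservicewebsite.com"'


def build_basic_authorization(username: str, password: str) -> str:
    """Build the Authorization header value a Basic client sends (RFC 2617):
    the scheme name, a space, and Base64 of "user-id:password"."""
    if ":" in username:
        # RFC 2617 forbids ':' in the user-id; otherwise the server could not split the pair.
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_authorization(header_value: str) -> tuple[str, str]:
    """Reverse a captured Authorization header into (username, password).

    Base64 is an encoding, not encryption, so no key is needed. The split is on
    the first ':' only, because the password may itself contain colons."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("credentials lack the ':' separator")
    return username, password


# key="quoted value" or key=bare-token, as used in WWW-Authenticate parameters.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_www_authenticate(header_value: str) -> dict[str, str]:
    """Parse a WWW-Authenticate challenge such as 'Basic realm="host"'.

    Returns the scheme plus every key=value parameter, with quotes stripped."""
    scheme, _, params = header_value.strip().partition(" ")
    result = {"scheme": scheme}
    for key, quoted, bare in _PARAM_RE.findall(params):
        result[key.lower()] = quoted if quoted else bare
    return result


if __name__ == "__main__":
    # Reproduce the captured header from the credentials in code list 11-91,
    # then recover the credentials from the capture and read the 401 challenge.
    print(build_basic_authorization(SAMPLE_USERNAME, SAMPLE_PASSWORD))
    print(decode_basic_authorization(CAPTURED_AUTHORIZATION))
    print(parse_www_authenticate(CAPTURED_CHALLENGE))
```

Because Base64 is reversible, decode_basic_authorization recovers the clear-text password from any copy of the request, exactly as the manual decoding above did. The TransportCredentialOnly mode of code list 11-89 sends this header over plain HTTP, so anyone able to observe the traffic obtains the password; Basic authentication should only be exposed over TLS. parse_www_authenticate reads the realm IIS supplied, which is what the client shows to the user when it prompts for credentials.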
