I have hosted a SOAP WCF on an azure web application. This service is going to be consumed by servers only and contains no UI. I only need one service account to auth my WCF. I cannot use oauth since it's SOAP. I have read up a little on ACS, but it seems overkill in my case since I just want to use one account to secure my WCF. My thinking was I was going to leverage the Azure AD to make a service account there and use it to secure the service.
Is this even possible on a web app or do i need to host it on a web role? In any case how do i accomplish simple security on my WCF based on my premises?
Detailed answer example
After general discussion, here is a detailed example for establishing transport security + simple password (in IIS, on premises or Azure I just tested it)
This is very simple.
- No role, no declarative or programmatic control based on identity.
- Identity is hard coded.
- No usage of message security that is stronger (man in the middle).
- Transport security is the minimum because Basic authentication is not securized.
That security scenario is short to implement
1. Creation of a Web Service with transport security
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicBindingConfiguration">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service name="HelloServiceLibrary.HelloService" behaviorConfiguration="customIdentificationBehavior">
<endpoint address=""
binding="basicHttpBinding"
contract ="HelloServiceLibrary.IHelloService"
name="basicEndpoint"
bindingConfiguration="BasicBindingConfiguration">
</endpoint>
2. Declaration of a module to find Basic-Auth
<system.webServer>
<modules>
<add name="BasicAuthenticationModule"
type="Security.UserNameModuleAuthenticator,App_Code/Security" />
</modules>
</system.webServer>
3. Implementation of the module :
public class UserNameModuleAuthenticator : IHttpModule{
...
public void OnAuthenticateRequest(object source, EventArgs eventArgs){
HttpApplication app = (HttpApplication)source;
string authStr = app.Request.Headers["Authorization"];
string username = ...; // from header
string password = ...; // from header
if (username == "gooduser" && password == "password")
{
app.Context.User = new GenericPrincipal(new GenericIdentity(username, "Custom Provider"), null);
}
else
{
DenyAccess(app);
return;
}
4 Configure Client for passing basic authentication
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="basicEndpoint">
<security mode="Transport" >
<transport clientCredentialType="Basic"
proxyCredentialType="None"
realm="" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://localhost/TransportUsernameService/HelloService.svc"
binding="basicHttpBinding" bindingConfiguration="basicEndpoint"
contract="SecureServiceReference.IHelloService" name="basicEndpoint" />
</client>
</system.serviceModel>
5. On client pass **credentials to the server**
HelloServiceClient client = new HelloServiceClient("basicEndpoint",
new EndpointAddress("https://testsecurewebservice.azurewebsites.net/HelloService.svc"));
client.ClientCredentials.UserName.UserName = userName;
client.ClientCredentials.UserName.Password = password;
String msg = client.SayHello(userName);
Possible Extensions
[PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
Complete solution here : http://1drv.ms/1Q5j9w0
Regards
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With