I am really, really tired these days because of this problem.
I am building an XBAP application (WPF Browser Application) that uses a WCF service.
This app requires:
- Users can log in by using their username and password (which are stored in my database)
- Users don’t need to install any X509 certificate (*.pfx or *.cert…)
- The WCF service must use basicHttpBinding (to support another Silverlight application)
I have tried a lot of ways, but they do not meet these requirements.
Do you have any solution? Thanks in advance.
basicHttpBinding is – as its name implies – very basic in what it offers. It’s especially basic when it comes to security.
As far as I know, you cannot achieve what you’re trying to do. BasicHttpBinding only supports transport security (using https protocol) with Windows credentials (not suitable over Internet with custom users) or digital certificates, or message security by means of a digital certificate (which you explicitly rule out – why??).
Check this CodeProject article, “8 steps to enable Windows authentication on WCF BasicHttpBinding”, or Google for “basicHttpBinding security” – you’ll find lots of articles, but probably no real solution for your requirements – you just cannot do this with basicHttpBinding.
Update: by default in WCF, you should pass the caller’s credentials with every call – but not as parameters on the service method, but instead by specifying the client credentials on the service proxy generated client-side. Something like: