Home/ Questions/Q 6954637
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T14:37:53+00:00

I have build a wcf web service that simply provides MS Dynamics SQL data

  • 0

I have build a wcf web service that simply provides MS Dynamics SQL data to a CRM hosted Silverlight application. Currently the web services are hosted in IIS and are only available via HTTPS so the contents of the messages are secure. I’m now ready to implement the next level of security that has to do with who is logged into the Silverlight client application. I’d like to pass that information to the web service and then use it when creating the SQL Server Connection object. The results will be that the MS Dynamics Database will then only return data that the connected user is authorized to view.

This model is different from the standard model that consists of authenticating a given user for access to the web service. Instead, in my model everyone is granted access to the web service and the results of the SQL queries are based on the user name and password for a given user.

For Clarification: The Silverlight application collects the user name and password from the user when they log on to the application. This is the information that eventually needs to be used by the web service when the web service makes the connection to the SQL Server database. So my goal is to have the Silverlight applicaiton pass the username and password to the web service in such a way that the web service can retrieve it and use it when creating the Connection object.

I’m considering something as simple as adding the user name and password to each web service request. However I’d rather be able to use the standard method for passing user credentials but I can’t seem to find any way to get to the password. The user name is accessable throught the OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.Name.

Any ideas?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You can use the wsHttpBinding for passing credentials to your service, this will however at the very least require you to send the credentials with message security. You can combine this with anonymous authentication in IIS. This way, everyone can access the service on a transport level, but you’ll be able to handle the credentials yourself.

    To expand, I have a WCF service running in IIS with HTTPS and anonymous authentication. In my web.config I’ve set up a wsHttpBinding, like this:

    <bindings>
<wsHttpBinding>
    <binding name="CredentialsBinding" />
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" algorithmSuite="Default" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

    In my behaviors, I’ve set up a servicebehavior for a custom username/password validator, like so:

    <behaviors>
  <serviceBehaviors>
    <behavior name="DefaultBehavior">
      <serviceCredentials>
        <userNameAuthentication
        userNamePasswordValidationMode="Custom"
       customUserNamePasswordValidatorType="MyNamespace.CredentialValidator, MyNamespace"/>
      </serviceCredentials>
       </behavior>
  </serviceBehaviors>
</behaviors>

    The validator looks like this:

    namespace MyNamespace.CredentialValidator
{
    public class CredentialValidator:  UserNamePasswordValidator 
    {
        public override void Validate(string userName, string password)
        {
            // you can now handle the username and password passed to your service
            // with a wsHttpBinding through HTTPS
        }
    }
}

    –EDIT

    Rory Primrose describes what you’re probably looking for in his article WCF Security: Getting the password of the user, using a CustomUserNameSecurityTokenAuthenticator to get the password for further use.

    • 0