
What is the best (or at least one that works) option to secure an IIS hosted REST WCF service that will be called by javascript clients?

The service that I have is a REST service that receives GETs and POSTs from the clients and it's working fine, through http and https.

I've been trying to implement authentication, and I have a database with my own structure for users and roles and the such (so I want to avoid Windows authentication). I've been trying different things but I can't get anything to work.

Last thing I've tried is Basic Authentication (Transport) with a ServiceAuthorizationManager and UserName Auth (Message) with a custom validator.

I don't know if I can use the custom validator (inheriting from System.IdentityModel.Selectors.UserNamePasswordValidator) with Basic authentication, or if I can add UserName authentication credentials in the http(s) REST requests (maybe it needs to be a SOAP service?).

Also I would like to use something like a custom RoleProvider to control method access based on user groups/roles.

Thanks.

  • Not really an answer but I am following your question as I have an upcoming project that is very similar. I have this saved on the horizon as I know I want to implement token auth, it may be worth a read or may be useless for your needs. Couldn't hurt to share though. developerhandbook.com/c-sharp/… Commented Jul 5, 2017 at 22:41
  • @TravisActon I don't think it's exactly what I need, but thanks anyway. I think I finally got it right. A main problem was that I wasn't able to get past the first authentication without a Windows user and I had custom users. If it works as intended, I will post the relevant code as an answer. Commented Jul 6, 2017 at 9:53
  • It is highly recommended that you force HTTPS when using basic authentication - otherwise your user credentials will be sent by the client in plain-text over the network. Commented Jul 10, 2017 at 20:55
  • Do you need WCF? WebAPI is way easier if http(s) + REST is all you care about. Commented Jul 11, 2017 at 10:24

1 Answer


There are a few ways to do this:

**1. Using Client Certificate Authentication.**

See these articles:

You can authorise your clients based on the certificate they pass (using thumbprint) and you can categorise them easily.

**2. Implement Basic authentication with SQL Membership Provider.**

Refer to these articles:

You will have to take a call on what best serves your purpose and what will be easier to maintain in future. Certificate management is a pain most of the time, however it has its own set of advantages. I personally would go with the second option, which is using Basic Auth with SQL membership provider.
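Option 2 above (Basic auth over HTTPS against your own user table), as an added example that is not the answerer's code: a `ServiceAuthorizationManager` that parses the Basic header itself and hands WCF a principal carrying roles, which is the combination the question was struggling with. It assumes a hypothetical `IUserStore` over the asker's tables, an HTTPS `webHttpBinding` with IIS left on anonymous authentication (so IIS does not try to match the credentials to a Windows account), and the manager registered in code via `host.Authorization.ServiceAuthorizationManager` together with `host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.Custom`.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Web;
using System.Text;
// Hypothetical lookup against the asker's own user/role tables (assumption).
public interface IUserStore
{
    bool Validate(string user, string password); // compare against a salted hash
    string[] RolesFor(string user);
}

// Parses the Basic header itself so neither IIS nor WCF maps the credentials to a Windows account.
public class BasicAuthManager : ServiceAuthorizationManager
{
    private readonly IUserStore _store;
    public BasicAuthManager(IUserStore store) { _store = store; }
    protected override bool CheckAccessCore(OperationContext ctx)
    {
        var header = WebOperationContext.Current.IncomingRequest.Headers[HttpRequestHeader.Authorization];
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return Challenge();
        string user, password;
        try
        {
            var decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim()));
            var sep = decoded.IndexOf(':');
            if (sep < 0) return Challenge();
            user = decoded.Substring(0, sep);
            password = decoded.Substring(sep + 1);
        }
        catch (FormatException) { return Challenge(); } // malformed base64
        if (!_store.Validate(user, password)) return Challenge();
        // Publish roles for [PrincipalPermission(SecurityAction.Demand, Role = "...")];
        // the host must use PrincipalPermissionMode.Custom for WCF to read this key.
        ctx.ServiceSecurityContext.AuthorizationContext.Properties["Principal"] =
            new GenericPrincipal(new GenericIdentity(user, "Basic"), _store.RolesFor(user));
        return true;
    }

    // Set 401 + WWW-Authenticate before denying so the client gets a proper challenge.
    private static bool Challenge()
    {
        var response = WebOperationContext.Current.OutgoingResponse;
        response.StatusCode = HttpStatusCode.Unauthorized;
        response.Headers[HttpResponseHeader.WwwAuthenticate] = "Basic realm=\"api\"";
        return false;
    }
}
```

Operations can then be restricted with `[PrincipalPermission(SecurityAction.Demand, Role = "Admin")]`, which covers the per-method role check the question wanted from a custom RoleProvider.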
