Securing a WCF WebService without using a certificate

I have been trying to secure my WCF WebService correctly for a few days now, however I have now run into a roadblock. I am attempting to secure this WebService without the use of a certificate as this will run inside a secure intranet.

I would like to be able to username/password protect the WebService without having to change each method to validate a username and password and without having to use a certificate. Is this possible:

My current web.config is below:

<?xml version="1.0"?>
<configuration>
 <system.web>
  <compilation debug="true" targetFramework="4.0" />
 </system.web>
 <system.serviceModel>
  <services>
   <service name="TestWS.Service1" behavio开发者_Python百科rConfiguration="Default">
    <endpoint contract="IMetadataExchange" binding="mexHttpBinding" address="mex" />
    <endpoint contract="TestWS.IService1" binding="wsHttpBinding" bindingConfiguration="Binding1" address="" />
  </service>
 </services>
 <bindings>
  <wsHttpBinding>
    <binding name="Binding1">
      <security mode="Message">
       <message clientCredentialType="UserName"/>
      </security>
    </binding>
  </wsHttpBinding>
 </bindings>
 <behaviors>
  <serviceBehaviors>
    <behavior name="Default">
      <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
      <serviceMetadata httpGetEnabled="true"/>
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="TestWS.Validation.VanguardValidator, TestWS" />
      </serviceCredentials>
      <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
      <serviceDebug includeExceptionDetailInFaults="false"/>
    </behavior>
   </serviceBehaviors>
  </behaviors>
  <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
 </system.serviceModel>
 <system.webServer>
  <modules runAllManagedModulesForAllRequests="true"/>
 </system.webServer>
</configuration>

Thanks in advance,

Patrick

---

If you're using username/password validation, you'll likely be sending the credentials in plain text in your message. So you either need to use transport-level (SSL) security (https://....), or then you have to have a certificate on the server side to provide a means of a shared secret so that the messages between client and server can be encrypted and signed. Or you can turn off security all together if you don't want anything at all.

See Fundamentals of WCF Security for a great introduction to WCF Security, the MSDN docs on Programming WCF Security, or Juval Löwy's excellent MSDN article on Declarative WCF Security