WCF service authentication method_问答_开发者_运维开发者技术经验分享

开发者 https://www.devze.com 2023-03-23 07:20 出处：网络

I\'m building a WCF SOAP service at the moment. I will, of course, need some authentication on the service.

I'm building a WCF SOAP service at the moment. I will, of course, need some authentication on the service.

Reading this very helpful blog post says that to use the built-in authentication points requires that the endpoint use the wsHttp binding.

This would be fine if I could guarantee that users would be communicating with the service through a client based on the meta-data exposed by WCF (basically, something like a client written in C# with a web service reference). However, I can't guarantee this!

I will still need to allow users to communicate with just raw (unencrypted) XML.

So, questions:

Does the wsHttp binding still allow for raw XML input?
If not, would I be wiser to
- Implement two separate authetication points? One for raw XML input and one for encrypted input Or
- Allow input from wsHttp to fall back on some in-method validation that would be shared with the raw XML input?
Is it wise to allow users to pass their credentials inside a raw XML request?

EDIT: It sounds like I 开发者_JAVA百科miscommunicated or misunderstood something in my original post, so here I will clarify what I mean by "raw XML".

By raw XML, I mean just the SOAP packet and the accompanying HTTP headers - as I might send from soapUI or Fiddler. As I understand it, messages over the wsHttp binding are encrypted when a client is generated from the WSDL (for example, in C#).

If this is not the case, then how would I go about attaching the same sorts of credentials to a raw XML (for want of a better term) request as I do a request run through a client? Are they attached as HTTP headers? XML elements in the SOAP envelope?

wsHttp is a SOAP binding, which means that your content gets wrapped in a SOAP envelope, possibly with headers relating to the message and various WS-* specifications being used.

I would ask why you need to support raw XML? Most platforms today support SOAP messaging and the whole idea of SOAP is to provide interoperability between different platforms. On most platforms it is as easy to develop a SOAP client as a raw XML client. In most cases, it is simply a case of taking the WSDL and generating a client. If you want to use standard facilities like authentication and message encryption then this is a much better way to go.

There are currently no hooks to do interoperable authentication for raw XML. You will have to come up with your own mechanism to do this and it will be non-standard. For your web service users, this means it will be probably entail more development effort than if you just went with SOAP.