Message Security with a User Name Client

 

The following illustration shows an Windows Communication Foundation (WCF) service and client secured using message-level security. The service is authenticated with an X.509 certificate. The client authenticates using a user name and password.

For a sample application, see Message Security User Name.

Message security using username authentication

CharacteristicDescription
Security ModeMessage
InteroperabilityWindows Communication Foundation (WCF) only
Authentication (Server)Initial negotiation requires server authentication
Authentication (Client)User name/password
IntegrityYes, using shared security context
ConfidentialityYes, using shared security context
TransportHTTP
BindingWSHttpBinding

The following code and configuration are meant to run independently. Do one of the following:

  • Create a stand-alone service using the code with no configuration.

  • Create a service using the supplied configuration, but do not define any endpoints.

Code

The following code shows how to create a service endpoint that uses message security.

            // Create the binding.
            WSHttpBinding binding = new WSHttpBinding();
            binding.Security.Mode = SecurityMode.Message;
            binding.Security.Message.ClientCredentialType =
                 MessageCredentialType.UserName;

            // Create the URI for the endpoint.
            Uri httpUri = new Uri("http://localhost/Calculator");

            // Create the service host.
            ServiceHost myServiceHost =
                new ServiceHost(typeof(Calculator), httpUri);
            myServiceHost.AddServiceEndpoint(typeof(ICalculator), binding, "");

            // Specify a certificate to authenticate the service.
            myServiceHost.Credentials.ServiceCertificate.
                SetCertificate(StoreLocation.LocalMachine,
                StoreName.My,
                X509FindType.FindBySubjectName,
                "Contoso.com");

            myServiceHost.Open();
            Console.WriteLine("Listening...");
            Console.ReadLine();

            // Close the service. 
            myServiceHost.Close();

Configuration

The following configuration can be used instead of the code:

<?xml version="1.0" encoding="utf-8"?>  
<configuration>  
  <system.serviceModel>  
    <behaviors>  
      <serviceBehaviors>  
        <behavior name="ServiceCredentialsBehavior">  
          <serviceCredentials>  
            <serviceCertificate findValue="Contoso.com"   
                                storeLocation="LocalMachine"  
                                storeName="My"     
                                x509FindType="FindBySubjectName" />  
          </serviceCredentials>  
        </behavior>  
      </serviceBehaviors>  
    </behaviors>  
    <services>  
      <service behaviorConfiguration="ServiceCredentialsBehavior"  
               name="ServiceModel.Calculator">  
        <endpoint address="http://localhost/Calculator"  
                  binding="wsHttpBinding"  
                  bindingConfiguration="MessageAndUserName"  
                  name="SecuredByTransportEndpoint"  
                  contract="ServiceModel.ICalculator" />  
      </service>  
    </services>  
    <bindings>  
      <wsHttpBinding>  
        <binding name="MessageAndUserName">  
          <security mode="Message">              
            <message clientCredentialType="UserName" />  
          </security>  
        </binding>  
      </wsHttpBinding>  
    </bindings>  
    <client />  
  </system.serviceModel>  
</configuration>  

Code

The following code creates the client. The binding is to message mode security, and the client credential type is set to UserName. The user name and password can only be specified using code (it is not configurable). The code to return the user name and password is not shown here because it must be done at the application level. For example, use a Windows Forms dialog box to query the user for the data.

            // Create the binding.
            WSHttpBinding myBinding = new WSHttpBinding();
            myBinding.Security.Mode = SecurityMode.Message;
            myBinding.Security.Message.ClientCredentialType =
                MessageCredentialType.UserName;

            // Create the endpoint address. 
            EndpointAddress ea = new
                EndpointAddress("http://machineName/Calculator");

            // Create the client. 
            CalculatorClient cc =
                new CalculatorClient(myBinding, ea);

            // Set the user name and password. The code to 
            // return the user name and password is not shown here. Use
            // an interface to query the user for the information.
            cc.ClientCredentials.UserName.UserName = ReturnUsername();
            cc.ClientCredentials.UserName.Password = ReturnPassword();

            // Begin using the client.
            try
            {
                cc.Open();
                Console.WriteLine(cc.Add(200, 1111));
                Console.ReadLine();

                // Close the client.
                cc.Close();
            }

Configuration

The following code configures the client. The binding is to message mode security, and the client credential type is set to UserName. The user name and password can only be specified using code (it is not configurable).

<?xml version="1.0" encoding="utf-8"?>  
<configuration>  
  <system.serviceModel>  
    <bindings>  
      <wsHttpBinding>  
        <binding name="WSHttpBinding_ICalculator" >  
          <security mode="Message">  
            <message clientCredentialType="UserName" />  
          </security>  
        </binding>  
      </wsHttpBinding>  
    </bindings>  
    <client>  
      <endpoint address="http://machineName/Calculator"   
                binding="wsHttpBinding"  
                bindingConfiguration="WSHttpBinding_ICalculator"   
                contract="ICalculator"  
                name="WSHttpBinding_ICalculator">  
        <identity>  
          <dns value ="Contoso.com" />  
        </identity>  
      </endpoint>  
    </client>  
  </system.serviceModel>  
</configuration>  

Security Overview
Message Security User Name
Service Identity and Authentication
<identity>
Security Model for Windows Server App Fabric

Show: