Secure WCF Service Endpoint with Special Authentication

I want to protect some WCF service endpoint, I don’t know if you can protect some endpoint, and some not. Below I have disabled WCF (self-service). The same WCF also serves for the CA policy file. If I protect this WCF service or some ut endpoints, part of the CA policy should not ask me for the user password. The policy file must be accessible at all times. Is it also possible?

I found many custom blogs / posts in WCF. There are many ways to ensure security. All I want is that I can protect some endpoints with username / password, but credentials should not be visible with tools like Fiddler. However, data may be visible in this case.

I have already implemented Customvalidator, but the app.config file is also important for determining things. And I'm not very good at it.

namespace WindowsFormsApplication11 { public partial class Form1 : Form { public ServiceHost _host = null; public Form1() { InitializeComponent(); } private void button1_Click(object sender, EventArgs e) { // Create a ServiceHost for the CalculatorService type and // provide the base address. _host = new ServiceHost(typeof(WmsStatService)); _host.AddServiceEndpoint(typeof(IPolicyProvider), new WebHttpBinding(), "").Behaviors.Add(new WebHttpBehavior()); _host.Open(); } } // Define a service contract. [ServiceContract(Namespace = "http://WindowsFormsApplication11")] public interface IWmsStat { [OperationContract] string getConnectedViewers(string channelName); [OperationContract] string sayHello(string name); } [ServiceContract] public interface IPolicyProvider { [OperationContract, WebGet(UriTemplate = "/ClientAccessPolicy.xml")] Stream ProvidePolicy(); } //[DataContract] public class Ads { // [DataMember] public string AdFileName { get; set; } //[DataMember] public string AdDestenationUrl { get; set; } public string ConnectedUserIP { get; set; } } // public class CustomValidator : UserNamePasswordValidator { public override void Validate(string userName, string password) { if(null == userName || null == password) { throw new ArgumentNullException(); } if(userName == "Oguz" && password == "2009") { return; } FaultCode fc = new FaultCode("ValidationFailed"); FaultReason fr = new FaultReason("Good reason"); throw new FaultException(fr,fc); } } // public class WmsStatService : IWmsStat, IPolicyProvider { public string sayHello(string name) { return "hello there " + name + " nice to meet you!"; } public Stream ProvidePolicy() { WebOperationContext.Current.OutgoingResponse.ContentType = "application/xml"; return new MemoryStream(File.ReadAllBytes("ClientAccessPolicy.xml"), false); } public string getConnectedViewers(string channelname) { // do stuff return null; } } } 

The app.config file. This configuration file does not work. I wanted to put user authentication for the endpoint. I have no idea.

 <?xml version="1.0" encoding="utf-8" ?> <configuration> <system.serviceModel> <services> <service name="WindowsFormsApplication11.WmsStatService" behaviorConfiguration="mex"> <host> <baseAddresses> <add baseAddress="http://192.168.0.199:87" /> </baseAddresses> </host> <endpoint address="http://192.168.0.199:87/Test" binding="basicHttpBinding" bindingConfiguration="" contract="WindowsFormsApplication11.IWmsStat" behaviorConfiguration="MyServiceBehavior" /> <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" /> </service> </services> <!--<bindings> <wsHttpBinding> <binding name="wshttp"> <security mode="Message"> <message clientCredentialType="UserName" /> </security> </binding> </wsHttpBinding> </bindings>--> <behaviors> <serviceBehaviors> <behavior name="mex"> <serviceMetadata httpGetEnabled="true" httpGetUrl=""/> </behavior> <behavior name="MyServiceBehavior"> <serviceCredentials> <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WindowsFormsApplication11.CustomValidator, CustomValidator" /> </serviceCredentials> </behavior> </serviceBehaviors> </behaviors> </system.serviceModel> </configuration>