Scenario:
We developed a wcf web service that communicates with the database inside our / dmz firewall. The web service and client application (web forms for collecting data) must be placed on our Internet server. This is because it needs to be accessed using the web controls that will be hosted on our third-party CMS (host our main website).
Question:
We want to ensure that the data can be transferred as securely as possible, but we will be careful about the exchange certificates between us and our CMS provider (and vice versa). We would rather have the web controls hosted as https, but all the documentation I read says authentication is required for certificates. I studied the application of additional user security between the client and svc (user bindings, username / password used in the code behind, call restriction by IP address), but I wanted to know if anyone else got this script.
We are sure that there should be examples of the use of user security when a third-party organization places web controls for an application, but so far I have just found on the Internet the comments "are these certificates or nothing." Any help or guidance was greatly appreciated.
An example of many of the links reviewed so far includes:
I was looking for an application of the suggested settings, for example. in <wshttpBinding> and <serviceCredentials> below, adding a new "Secure" class to contain a custom username / password validator, but "svc ... does not implement inherited elements ...".
<wsHttpBinding> <binding name="EndpointBinding"> <security mode="TransportWithMessageCredential"> <transport clientCredentialType="None"/> <message clientCredentialType="UserName"/> </security> </binding> </wsHttpBinding> <serviceCredentials> <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="My.WcfSvc.Authentication.Secure, My.WcfSvc" /> </serviceCredentials>
Thom
source share