WCF user authentication and failures

I have a WCF service configured to use UserName custom validation using the overridden Validate() method of the System.IdentityModel.Selectors.UserNamePasswordValidator class.

All contract methods are decorated with the FaultContractAttribute attribute to indicate that a custom SOAP error is returned.

When throwing a FaultException<T>, where T is the type specified in the FaultContractAttribute attribute, everything behaves as expected, and I get a custom error in the XML response.

However, if I try to throw a FaultException<T> in the overridden Validate() method of the username authentication class, I get a general SOAP error with the following reason:

"The creator of this error did not indicate a reason."

However, if I change the code to throw a general SOAP fault, as in:

throw new FaultException("Authentication failed.");

At least I will get "Authentication Error" in the reason element.

My questions:

  • Why aren't FaultException<T> exceptions handled the same way when they are thrown in Validate() as they are in the service implementation?
  • Is it possible for the exceptions thrown in the Validate() method to match the FaultContractAttribute attribute specified in the contract methods?

Any help is greatly appreciated. My own guess is that authentication occurs before the message is associated with any contract method and therefore is not related to the FaultContractAttribute, but any article that confirms this and provides a workaround will be very useful.

Tali

+6
authentication wcf wcf-security soapfault
2 answers

This is a little annoying, but I got around it by doing this:

    SecurityTokenValidationException stve
        = new SecurityTokenValidationException("Invalid username or password");
    throw new FaultException<SecurityTokenValidationException>(stve, stve.Message);

The inclusion of a message additionally means that you will not receive the stupid "did not indicate a reason" message.

0

The problem is that the custom validation code runs outside the context of any particular OperationContract, so there is no FaultContract for WCF to handle. So the short answer is no, you cannot get the exceptions thrown from your custom validator to honor FaultContract.

You have several options. The one I prefer is to throw a non-generic FaultException and provide a predefined FaultCode; in this way my catch blocks can differentiate contract faults from plumbing failures. Please note that any exception that you throw from a custom validator should come back as a MessageSecurityException, as shown below:

    // Custom validator (overrides UserNamePasswordValidator.Validate):
    public override void Validate(string userName, string password)
    {
        // A non-generic FaultException with a predefined FaultCode;
        // no FaultContract applies here.
        throw new FaultException(
            "Invalid username or password.",
            new FaultCode("AUTHENTICATION_FAILURE"));
    }

    // Client code:
    try
    {
        client.DoSomething();
    }
    catch (MessageSecurityException ex)
    {
        // The validator's fault arrives as the inner exception.
        var inner = ex.InnerException as FaultException;
        if (inner != null && inner.Code.Name.Equals("AUTHENTICATION_FAILURE"))
        {
            // Security failure.
        }
    }
    catch (FaultException<SomethingFault> ex)
    {
        // Exception from the method itself.
    }
0