Hi, I am thinking of using the strategy below to secure a WCF service exposed over the internet.
Use TransportWithMessageCredential as the security mode in web.config for SSL and message-based security. However, I do not want to use the clientCredentialType="UserName" setting, for the reasons mentioned below.
Problem with UserNamePasswordValidator
The problem in using a custom UserName/Password validator is that only the user name and password can be validated using this approach. If I need to validate some other parameters sent by the client in the request object, then this approach does not work (or at least I am not aware of a way).
Clients other than .NET often face issues in setting clientCredential.
So instead of using clientCredentialType as "UserName", I am thinking of setting clientCredentialType="None" so that I do not use the authentication support supplied by the WCF framework.
Create a ParamInspector class derived from IParameterInspector to inspect the request parameter; the request object will have the username, password and some other details.
My requestDTO will be derived from a baseRequestDTO having all the properties needed for the validation.
I can then access the request object in my ParamInspector class at runtime and can then validate the baseRequestDTO.
    public object BeforeCall(string operationName, object[] inputs)
    {
        for (int index = 0; index < inputs.Length; index++)
        {
            if (index == 0)
            {
                // Only the first argument is expected to carry the credentials
                baseRequestDTO obj = inputs[index] as baseRequestDTO;
                if (obj != null)
                {
                    // Call Authentication service passing baseRequestDTO
                    // validate username,password and other details
                }
                break;
            }
        }
        // BeforeCall must return a correlation state object; none is used here
        return null;
    }
Is there any issue with this approach? Or is there a better approach? I want to know if someone else is doing things differently.
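
An added example, not part of the original post: a fail-closed form of the inspector described above, which rejects the call when the first argument is missing, is not a baseRequestDTO, or fails validation (the posted BeforeCall does nothing when the cast returns null). The UserName and Password properties, the RequireCredentialsAttribute name and the Authenticator delegate standing in for the authentication service are assumptions.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Hypothetical base DTO; the property names are assumptions.
public class baseRequestDTO
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

// Fail-closed inspector: the operation runs only if the first argument is a
// baseRequestDTO that the supplied authenticator accepts.
public class ParamInspector : IParameterInspector
{
    private readonly Func<baseRequestDTO, bool> _authenticate; // stand-in for the authentication service

    public ParamInspector(Func<baseRequestDTO, bool> authenticate) { _authenticate = authenticate; }

    public object BeforeCall(string operationName, object[] inputs)
    {
        var request = (inputs != null && inputs.Length > 0) ? inputs[0] as baseRequestDTO : null;
        // Missing or wrong-typed credentials are rejected, never skipped.
        if (_authenticate == null || request == null || !_authenticate(request))
            throw new FaultException("Authentication failed."); // same message for every failure
        return null; // no correlation state is needed
    }

    public void AfterCall(string operationName, object[] outputs, object returnValue, object correlationState) { }
}

// Hypothetical attribute that attaches the inspector to a service operation.
[AttributeUsage(AttributeTargets.Method)]
public sealed class RequireCredentialsAttribute : Attribute, IOperationBehavior
{
    // Denies every call until the host assigns the real credential check.
    public static Func<baseRequestDTO, bool> Authenticator { get; set; } = _ => false;

    public void ApplyDispatchBehavior(OperationDescription operation, DispatchOperation dispatch)
    {
        dispatch.ParameterInspectors.Add(new ParamInspector(r => Authenticator(r)));
    }

    public void ApplyClientBehavior(OperationDescription operation, ClientOperation client) { }
    public void AddBindingParameters(OperationDescription operation, BindingParameterCollection parameters) { }
    public void Validate(OperationDescription operation) { }
}
```

Every operation that is not decorated with the attribute is dispatched without any credential check, so coverage of the contract has to be verified separately.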