Sunday, 21 July 2013

Message Security in WCF using username client credential

Message Security in WCF

There are two types of security in WCF. One is the security of Data and second is the security of medium through which message travel.

When we talk about the security of data then it is achieved by message security and if we talk about the security of medium through which message travel which is protocol security can be achieved by transport level security.

In this article I defined how to achieve message level security. There of different type of client credential and using this client credential we achieve message security. I am using wsHttpBinding to achieve message level security

Type of client Credential in message security
1.     None
2.     Windows
3.     Username
4.     Certificate
5.     Issued token

In this example I am using client credential username.

Following are the steps to implement the message security using client credential username

Step 1:-

Create a class and inherit usernamepasswordvalidator class in it. This class will be found on System.IdentityModel.Selectors and override the method validate and verify the username and password.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.IdentityModel.Selectors;
using System.ServiceModel;

public class Credentioal:UserNamePasswordValidator
    public override void Validate(string userName, string password)
        if (userName == "isha" && password == "isha123")
        { }

            throw new FaultException("Wrong userid and pwd");

Step 2

Go to your web.config file customize the binding and add message security and client credential username.

        <binding name="sec">
          <security mode="Message">
            <message clientCredentialType="UserName"></message>

Step 3:-

Now create service tag and add this binding using bindingconfiguration tag which is as follows:-
      <service name="Service">
        <endpoint  address="" binding="wsHttpBinding" contract="IService" bindingConfiguration="sec" >

Step 4:-

To implement message level security we need security certificate. So go to your start button and type inetmgr and choose server certificate

Figure 1

Now create the server certificate from the left panal and choose create self-signed certificate and give it proper name as I give certificate name isha

Figure 2

Now you can see your certificate here in the list

Figure 3

Step 5:-

Now go to your web config file again and add this certificate and credential class in it
           <serviceCertificate findValue="isha"
            <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Credentioal, App_Code"/>

          <!-- To avoid disclosing metadata information, set the value below to false before deployment -->
          <serviceMetadata httpGetEnabled="true"/>
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false"/>

Now execute your service

Figure 4

Now create your client application and add this reference and use the following credential:-

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class _Default : System.Web.UI.Page
    protected void Page_Load(object sender, EventArgs e)
        ServiceReference1.ServiceClient sv = new ServiceReference1.ServiceClient();
       sv.ClientCredentials.UserName.UserName = "isha";
       sv.ClientCredentials.UserName.Password = "isha123";

If you do not pass the credential or pass wrong credential it will simply give you error.

Hope you enjoyed the article


  1. Hi Isha,
    I have tried this example. First i have passed correect credential, I have got response "5". Then I have given wrong credential still I getting "5" not FaultException is thrown.....

    1. Hello Rohit

      kindly mail your code at i will check it. The example which i posted gave exception.

      so you mail me your code may be there is some mistake.

      Isha Malhotra

  2. Mam..Its very useful to me...thanx mam