Implementing Username Password Security in WCF Service


These days we are creating many WCF services in our project. The main purpose of WCF is to provide network-distributed services. Because such a service can be exposed to the outside world, anybody can call it.
Online identity theft, fraud and privacy concerns are rising, so we need to make our WCF service secure. Let's go through some of the security components in WCF before we implement anything.

Security modes in a WCF service

A security mode defines how WCF secures communication with clients and encrypts the messages exchanged. The following are the security modes.
Message security mode: In this mode the message itself is encrypted and passes over a non-secure channel, so that nobody can read the message.
Transport security mode: In this mode the communication channel is encrypted, which also provides integrity, privacy and so on.
Mixed transfer security mode: This mode uses transport security for message privacy and message security for secure credentials.
Both security mode: This mode uses both transport and message security. The message is encrypted using message security and passes over a secure channel using transport security. It provides more security than the others but it degrades performance.

Authentication in a WCF service

In the authentication process WCF verifies the caller (whoever calls the service) and checks whether they are authorized or not to get the service.
Windows authentication: In this mode the caller must provide his/her Windows credentials for authentication.
Username/Password: In this mode the caller must provide a username and password for authentication.
X509 certificates: In this mode the caller must send certificate information and the service checks whether the certificate is valid.
Custom mechanism: In this mode the user must use their own protocol and credential type instead of the built-in authentication.
Issue token: In this mode both the caller and the service rely on a secure token service to issue the client a token for the service identity. It uses Windows CardSpace.
No authentication: The WCF service doesn't implement any authentication in this mode.

This article explains username/password authentication with mixed security mode. Please use the following procedure.
Step 1
First create a WCF service library in Visual Studio.
Figure 1: Create a WCF Service
Add two class files, one for the interface (ITruckService.cs) and another one (TruckService.cs) for implementing the interface. See the following image.
Code for Interface
Figure 2: Code Interface
The following is the code for the class that implements the interface:
Figure 3: Implement Interface
Add one more class file (ServiceAuthenticator.cs) for username and password validation.
This class derives from UserNamePasswordValidator and overrides the Validate() method, which takes two parameters: the username and the password.
Inside this method you can implement your own logic to validate the username and password. See the following image for the authentication class:
Figure 4: Authentication Class
Step 2
Then create a WCF service application in Visual Studio.
Figure 5: WCF
Then add a reference to the service class library. Delete the *.svc.cs file and, in the *.svc file inside the project, change the Service attribute so that it uses the namespace of the service in the added library.
Figure 6: .svc File
Step 3
Then we need to configure the web.config for the service binding, security mode and username/password authentication.
In the binding section I configured clientCredentialType as UserName and the security mode as TransportWithMessageCredential.
In the behaviors section I configured customUserNamePasswordValidatorType (the authenticator class name followed by the class library name).
Please see the following image for a better view:
Figure 7: View
Step 4
Now our service is ready and we need to use it in our application. Create an empty web application and add one webform.
You need to host the WCF service application in IIS and browse to the *.svc file. Then add the service reference by right-clicking on the References folder.
Next go to the webform code-behind file and call the WCF service method. Please see the following screenshot, which calls the service by passing a username and password.
Here I am passing a username and password, and the WCF service will validate those using the ServiceAuthenticator class.
Figure 8: Web Form Code
If your username and password are correct and the service is properly hosted, then you are able to receive data from the WCF service.
So now if anybody wants to use your WCF service then they need to send a valid username and password for authentication purposes.
I hope this will help you to implement security in a WCF service.
Happy coding!