-
September 28th, 2012, 08:25 AM
#1
WCF Custom User Name Password Validator to read from Database
I am using a Custom User Name Password Validator in my WCF Service. It works if I hard code the username and password in the validator function, but I am trying to have my WCF service validate the username and password against those stored in my database, and that part does not work.
Can someone please let me know if I am supposed to do something else to make it validate against credentials stored in the DB? I have tested the entire database connection and reader related code in the client application and it works. It does not work when I use it in the WCF service.
Thank you for your help.
Here is my code:
Code:
using System;
using System.Data.SqlClient;
using System.IdentityModel.Tokens;
using System.ServiceModel;

class CustomUserNamePassValidator : System.IdentityModel.Selectors.UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        string MyUser = "";
        string MyPass = "";
        string connectionString = "Initial Catalog=MyDB;Data Source=MyServer;Integrated Security=SSPI";
        SqlConnection MyConnection = new SqlConnection(connectionString);
        try
        {
            using (MyConnection)
            {
                SqlCommand command = new SqlCommand("Exec MyDB.dbo.GetCredentials", MyConnection);
                MyConnection.Open();
                SqlDataReader MyReader = command.ExecuteReader();
                if (MyReader.HasRows)
                {
                    while (MyReader.Read())
                    {
                        MyUser = MyReader["UserName"].ToString();
                        MyPass = MyReader["Passwrd"].ToString();
                    }
                }
                MyReader.Close();
            }
        }
        catch (Exception exp)
        {
            MyFaultException theFault = new MyFaultException();
            theFault.Reason = "Database Connection Error: " + exp.Message.ToString();
            throw new FaultException<MyFaultException>(theFault);
        }
        if (userName == null || password == null)
        {
            throw new SecurityTokenException("security Error: No Credentials Passed");
        }
        if (userName != MyUser && password != MyPass)
        {
            throw new SecurityTokenException("security Error: Wrong Credentials Passed");
        }
        //It works if I do it this way
        //if (!(userName == "MyUser" && password == "MyPass"))
        //{
        //    throw new SecurityTokenException("security Error: Wrong Credentials Passed");
        //}
    }
}
-
September 28th, 2012, 10:40 AM
#2
Re: WCF Custom User Name Password Validator to read from Database
Something is wrong with the logic. You don't pass the username and password to MyDB.dbo.GetCredentials, and it seems that it returns all the records, which is not a good implementation. The performance will be poor.
Regardless of the performance issue, the variables MyUser and MyPass are overwritten inside the while loop. So if you have multiple records in the database, you're always checking against the last record.
Try to debug and inspect the values before the check: if (userName != MyUser && password != MyPass).
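Added example (not part of the thread, and not the poster's code): a validator that passes the user name to the database as a parameter, reads at most one row, and compares a salted PBKDF2 hash instead of a stored plain-text password. The procedure name dbo.GetCredentialByUser and the columns Salt, PasswordHash and Iterations are hypothetical, and .NET Framework 4.0 or later is assumed. The posted check `userName != MyUser && password != MyPass` rejects a caller only when both values differ, so a matching user name with any password is accepted; the version below rejects on any mismatch.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

class DbUserNamePassValidator : UserNamePasswordValidator
{
    const string ConnectionString =
        "Initial Catalog=MyDB;Data Source=MyServer;Integrated Security=SSPI";

    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            throw new SecurityTokenException("Security Error: No Credentials Passed");

        byte[] salt = null, storedHash = null;
        int iterations = 0;
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("dbo.GetCredentialByUser", conn)) // hypothetical procedure
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            using (var reader = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (reader.Read())
                {
                    salt = (byte[])reader["Salt"];               // hypothetical columns
                    storedHash = (byte[])reader["PasswordHash"];
                    iterations = (int)reader["Iterations"];
                }
            }
        }

        bool ok = false;
        if (storedHash != null)
            using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
                ok = FixedTimeEquals(kdf.GetBytes(storedHash.Length), storedHash);
        if (!ok) // same message for an unknown user and a wrong password
            throw new SecurityTokenException("Security Error: Wrong Credentials Passed");
    }
    // Compares every byte regardless of where the first difference is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Database errors are left to propagate as exceptions rather than being copied into a fault message, so connection details are not returned to the caller.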
-
September 28th, 2012, 10:45 AM
#3
Re: WCF Custom User Name Password Validator to read from Database
What account is the WCF service running under? Since you are using integrated security to open the database, you'll need to grant the WCF service account access to the database.
-
September 28th, 2012, 12:07 PM
#4
Re: WCF Custom User Name Password Validator to read from Database
Originally Posted by Arjay
What account is the WCF service running under? Since you are using integrated security to open the database, you'll need to grant the WCF service account access to the database.
The sql that this code is running will only return one row with a username and password.
Your suggestion makes perfect sense to me. In production, the WCF will be running under a service account, but I am still working in a development environment. How can I make the web service work as my Windows account? I can access the database using Windows authentication.
Thank you.
-
September 28th, 2012, 12:15 PM
#5
Re: WCF Custom User Name Password Validator to read from Database
Originally Posted by VKDD
The sql that this code is running will only return one row with a username and password.
Your suggestion makes perfect sense to me. In production, the WCF will be running under a service account, but I am still working in a development environment. How can I make the web service work as my Windows account? I can access the database using Windows authentication.
Thank you.
How are you hosting the WCF service? Under IIS, in a Windows Service, or something else?
-
September 28th, 2012, 04:17 PM
#6
Re: WCF Custom User Name Password Validator to read from Database
Hosting in IIS using service.svc file.
Thanks.
-
September 28th, 2012, 04:53 PM
#7
Re: WCF Custom User Name Password Validator to read from Database
One approach is http://social.msdn.microsoft.com/For...9-dd1de0a27b2d
Another approach is to add a "NT-Authority\NETWORK SERVICE" as a database user.
Lastly, read up on http://wcfsecurity.codeplex.com/wiki...le=Solution001
-
September 28th, 2012, 08:49 PM
#8
Re: WCF Custom User Name Password Validator to read from Database
Thanks Arjay. That worked perfectly well. I just can't believe it actually works now.
Thank you again.