WCF Custom Authentication for login not using username/password

Old forum URL: forums.lhotka.net/forums/t/7055.aspx


MBursill posted on Friday, June 05, 2009

I'd love to use custom authentication for my WCF Host, but I'd also like to keep from diving into the horrific depths of WCF security; I have enough grey hair as it is.

The app I'm developing is required to have three unique ways for users to log in: username/password, pin code (no other form of credential to go with it, just a six-digit pin), and fingerprint. The fingerprint also does not have any other credential, just an object containing fingerprint data (authenticated by a 3rd-party SDK).

Each method of login grants access in a different way. I realise a pin code is not very secure, but the amount of access granted by that situation is very limited.

I've been reading chapter 21 of the Expert C# 2008 Business Objects book, and have already started down the path of making a test certificate using the makecert tool. Before I get too carried away with this solution, I'd like to make sure what I'm trying to do is even possible. Can CSLA.NET with WCF be used to authenticate the non username/password scenarios?

Thanks.

-Mike.

RockfordLhotka replied on Sunday, June 07, 2009

Are you using the data portal, or are you creating an XML service?

If you are using the data portal, I'd recommend using SSL (https) and a custom principal/identity.

If you are creating an XML service, what you are doing really has nothing to do with CSLA at all. The concepts I talk about with makecert and so forth are all about normal WCF programming.

The only nod CSLA gives toward this is the PrincipalCache class I created to help overcome an issue I encountered when creating my custom validator. Arguably PrincipalCache shouldn't even be in CSLA, but it was a convenient place for me to put it :)
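
One way a custom principal/identity can carry the login method so that each method grants different access, as an added example that is not from this thread, CSLA or the book. The type names, role names and per-method role policy are assumptions, and verification of the password, pin or fingerprint is assumed to have happened before the identity is built; only the .NET `System.Security.Principal` interfaces are used.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical names throughout; none of these types come from CSLA or the book.
public enum LoginMethod { Password, Pin, Fingerprint }

public sealed class MethodIdentity : IIdentity
{
    public MethodIdentity(string name, LoginMethod method, bool authenticated)
        => (Name, Method, IsAuthenticated) = (name, method, authenticated);
    public string Name { get; }
    public LoginMethod Method { get; }
    public bool IsAuthenticated { get; }
    // Surface the login method so server code can audit how the user got in.
    public string AuthenticationType => Method.ToString();
}

public sealed class MethodPrincipal : IPrincipal
{
    // Assumed policy: a pin login only ever receives the narrowest role set.
    static readonly Dictionary<LoginMethod, string[]> Allowed = new()
    {
        [LoginMethod.Password]    = new[] { "Clerk", "Supervisor", "Admin" },
        [LoginMethod.Fingerprint] = new[] { "Clerk", "Supervisor" },
        [LoginMethod.Pin]         = new[] { "Clerk" },
    };
    readonly HashSet<string> _roles = new(StringComparer.OrdinalIgnoreCase);

    public MethodPrincipal(MethodIdentity identity, IEnumerable<string> storedRoles)
    {
        Identity = identity;
        if (!identity.IsAuthenticated) return;   // unauthenticated: no roles at all
        foreach (var role in storedRoles)        // keep only roles this method may hold
            if (Array.IndexOf(Allowed[identity.Method], role) >= 0) _roles.Add(role);
    }
    public IIdentity Identity { get; }
    public bool IsInRole(string role) => _roles.Contains(role);
}

public static class Demo
{
    public static void Main()
    {
        var stored = new[] { "Clerk", "Admin" };   // constructed sample user record
        var pin = new MethodPrincipal(new MethodIdentity("mike", LoginMethod.Pin, true), stored);
        var pwd = new MethodPrincipal(new MethodIdentity("mike", LoginMethod.Password, true), stored);
        Console.WriteLine($"pin Admin={pin.IsInRole("Admin")} password Admin={pwd.IsInRole("Admin")}");
    }
}
```

Because the role set is intersected with the per-method allow-list on the server, a user whose stored roles include `Admin` still cannot reach admin functions after a pin-only login.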

Copyright (c) Marimer LLC