Bug 4993 - [Behavior]: Allow <serviceCredentials> without user name validator ?
Summary: [Behavior]: Allow <serviceCredentials> without user name validator ?
Status: NEW
Alias: None
Product: Class Libraries
Classification: Mono
Component: WCF assemblies ()
Version: unspecified
Hardware: PC Windows
: Normal normal
Target Milestone: Untriaged
Assignee: Bugzilla
Depends on:
Reported: 2012-05-10 05:47 UTC by Eric Tummers
Modified: 2016-11-11 09:42 UTC (History)
6 users (show)

Is this bug a regression?: ---
Last known good build:

Solution to reproduce difference in 2.6.7 and 2.10.8 (6.45 KB, application/x-zip-compressed)
2012-05-10 05:47 UTC, Eric Tummers

Notice (2018-05-24): bugzilla.xamarin.com is now in read-only mode.

Please join us on Visual Studio Developer Community and in the Xamarin and Mono organizations on GitHub to continue tracking issues. Bugzilla will remain available for reference in read-only mode. We will continue to work on open Bugzilla bugs, copy them to the new locations as needed for follow-up, and add the new items under Related Links.

Our sincere thanks to everyone who has contributed on this bug tracker over the years. Thanks also for your understanding as we make these adjustments and improvements for the future.

Please create a new report for Bug 4993 on GitHub or Developer Community if you have new information to add and do not yet see a matching new report.

If the latest results still closely match this report, you can use the original description:

  • Export the original title and description: GitHub Markdown or Developer Community HTML
  • Copy the title and description into the new report. Adjust them to be up-to-date if needed.
  • Add your new information.

In special cases on GitHub you might also want the comments: GitHub Markdown with public comments

Related Links:

Description Eric Tummers 2012-05-10 05:47:24 UTC
Created attachment 1847 [details]
Solution to reproduce difference in 2.6.7 and 2.10.8

Basic Authentication for WCF service used to work in mono 2.6.7 but keeps responding HTTP401 in mono 2.10.8.

The attached solution contains a servicehost and client. Run the servicehost in Mono 2.6.7 and it works. Run the servicehost in Mono 2.10.8 and the second response from the service is again a HTTP401 but this time without the [WWW-Authenticate] header and the proxy fails.

Looks simular to https://bugzilla.xamarin.com/show_bug.cgi?id=4255, but I'm not using SOAP.
Comment 1 Zoltan Varga 2012-05-10 18:35:35 UTC
-> wcf.
Comment 2 David 2012-08-09 13:30:10 UTC
We are experiencing the same problem listed here and in bug 4255.  When can we expect a fix for this issue?
Comment 3 Bill Burrell 2012-08-10 12:08:47 UTC
I am waiting for a resolution of this bug as well.  
Comment 4 Martin Baulig 2012-09-19 00:41:01 UTC
Well, I'm actually unable to even run the service host with Mono.

I'll have a look and try to fix both problems.
Comment 5 Martin Baulig 2012-09-19 01:13:28 UTC
Ok, I fixed the first part of the problem (service host not running with Mono; master commit 7bf62cd).

I'm now seeing the 401 error; I'll have a look at that tomorrow.
Comment 6 Martin Baulig 2012-09-19 21:27:25 UTC
After digging around and learning some more WCF internals, I finally found the problem and could - in theory - also fix it.  However, I'm not convinced whether doing so would be a good idea.

The problem is that you do not specify any user name validator in your service.  You pass a user/password pair on the client side, but the server has no idea how to validate that.

You do so by adding the <serviceCredentials> element to you web.config or you can also do it programmatically like this:

			var cred = new System.ServiceModel.Description.ServiceCredentials();
			cred.UserNameAuthentication.UserNamePasswordValidationMode = System.ServiceModel.Security.UserNamePasswordValidationMode.Custom;
			cred.UserNameAuthentication.CustomUserNamePasswordValidator = new MyValidator ();
			host.Description.Behaviors.Add (cred);

then you need to create your validator like this:

	public class MyValidator : System.IdentityModel.UserNamePasswordValidator
		public override void Validate (string userName, string password)
			Console.WriteLine ("VALIDATE: {0} {1}", userName, password);

Mono's implementation checks for this element - see System.SecurityModel.Channels.Http.HttpChannelListener's constructor:

			if (context.BindingParameters.Contains (typeof (ServiceCredentials)))
				SecurityTokenManager = new ServiceCredentialsSecurityTokenManager ((ServiceCredentials) context.BindingParameters [typeof (ServiceCredentials)]);

and then HttpReplyChannel.TryReceiveRequest ('security_token_authenticator' is initialized from the 'SecurityTokenManager' property):

			if (source.Source.AuthenticationScheme != AuthenticationSchemes.Anonymous) {
				if (security_token_authenticator != null)
					// FIXME: use return value?
					try {
						security_token_authenticator.ValidateToken (new UserNameSecurityToken (ctxi.User, ctxi.Password));
					} catch (Exception) {
						ctxi.ReturnUnauthorized ();
				else {
					ctxi.ReturnUnauthorized ();

Or in simple terms: Mono defaults to not allowing the connection if no user name validation method was specified.

This is different from .NET's behavior, but I'm not sure whether it would be a good idea to change that.

It is just too easy to simply set that 'BasicHttpSecurityMode' flag on your ServiceHost and forget about the validator, thinking that you're protected when in fact you're not.

I didn't check what happens if you put some .htaccess into the folder or use traditional (non-WCF) authentication settings in your web.config.