Bug 4993 - [Behavior]: Allow <serviceCredentials> without user name validator ?
Status: NEW
Alias: None
Product: Class Libraries
Classification: Mono
Component: WCF assemblies
Version: unspecified
Hardware: PC Windows
Importance: Normal normal
Target Milestone: Untriaged
Assignee: Bugzilla
Depends on:
Reported: 2012-05-10 05:47 UTC by Eric Tummers
Modified: 2016-11-11 09:42 UTC
CC: 6 users

See Also:
Is this bug a regression?: ---
Last known good build:

Solution to reproduce difference in 2.6.7 and 2.10.8 (6.45 KB, application/x-zip-compressed)
2012-05-10 05:47 UTC, Eric Tummers

Description Eric Tummers 2012-05-10 05:47:24 UTC
Created attachment 1847 [details]
Solution to reproduce difference in 2.6.7 and 2.10.8

Basic Authentication for a WCF service used to work in Mono 2.6.7 but keeps responding HTTP 401 in Mono 2.10.8.

The attached solution contains a servicehost and client. Run the servicehost in Mono 2.6.7 and it works. Run the servicehost in Mono 2.10.8 and the second response from the service is again an HTTP 401, but this time without the [WWW-Authenticate] header, and the proxy fails.

Looks similar to https://bugzilla.xamarin.com/show_bug.cgi?id=4255, but I'm not using SOAP.
Comment 1 Zoltan Varga 2012-05-10 18:35:35 UTC
-> wcf.
Comment 2 David 2012-08-09 13:30:10 UTC
We are experiencing the same problem listed here and in bug 4255.  When can we expect a fix for this issue?
Comment 3 Bill Burrell 2012-08-10 12:08:47 UTC
I am waiting for a resolution of this bug as well.  
Comment 4 Martin Baulig 2012-09-19 00:41:01 UTC
Well, I'm actually unable to even run the service host with Mono.

I'll have a look and try to fix both problems.
Comment 5 Martin Baulig 2012-09-19 01:13:28 UTC
Ok, I fixed the first part of the problem (service host not running with Mono; master commit 7bf62cd).

I'm now seeing the 401 error; I'll have a look at that tomorrow.
Comment 6 Martin Baulig 2012-09-19 21:27:25 UTC
After digging around and learning some more WCF internals, I finally found the problem and could - in theory - also fix it.  However, I'm not convinced whether doing so would be a good idea.

The problem is that you do not specify any user name validator in your service.  You pass a user/password pair on the client side, but the server has no idea how to validate that.

You do so by adding the <serviceCredentials> element to your web.config, or you can also do it programmatically like this:

			var cred = new System.ServiceModel.Description.ServiceCredentials();
			cred.UserNameAuthentication.UserNamePasswordValidationMode = System.ServiceModel.Security.UserNamePasswordValidationMode.Custom;
			cred.UserNameAuthentication.CustomUserNamePasswordValidator = new MyValidator ();
			host.Description.Behaviors.Add (cred);

then you need to create your validator like this:

	public class MyValidator : System.IdentityModel.Selectors.UserNamePasswordValidator
	{
		// Stub validator: it only logs the credentials and accepts every caller.
		// A real validator throws (e.g. SecurityTokenException) when validation fails.
		public override void Validate (string userName, string password)
		{
			Console.WriteLine ("VALIDATE: {0} {1}", userName, password);
		}
	}

Mono's implementation checks for this element - see System.ServiceModel.Channels.Http.HttpChannelListener's constructor:

			if (context.BindingParameters.Contains (typeof (ServiceCredentials)))
				SecurityTokenManager = new ServiceCredentialsSecurityTokenManager ((ServiceCredentials) context.BindingParameters [typeof (ServiceCredentials)]);

and then HttpReplyChannel.TryReceiveRequest ('security_token_authenticator' is initialized from the 'SecurityTokenManager' property):

			if (source.Source.AuthenticationScheme != AuthenticationSchemes.Anonymous) {
				if (security_token_authenticator != null)
					// FIXME: use return value?
					try {
						security_token_authenticator.ValidateToken (new UserNameSecurityToken (ctxi.User, ctxi.Password));
					} catch (Exception) {
						ctxi.ReturnUnauthorized ();
					}
				else {
					ctxi.ReturnUnauthorized ();
				}
			}

Or in simple terms: Mono defaults to not allowing the connection if no user name validation method was specified.

This is different from .NET's behavior, but I'm not sure whether it would be a good idea to change that.

It is just too easy to simply set that 'BasicHttpSecurityMode' flag on your ServiceHost and forget about the validator, thinking that you're protected when in fact you're not.

I didn't check what happens if you put some .htaccess into the folder or use traditional (non-WCF) authentication settings in your web.config.
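An added example (not code from this bug report or from Mono's sources) of the configuration Comment 6 describes, with a validator that actually rejects bad credentials instead of the logging stub above. IHelloService/HelloService, the base address and the "alice" credential are constructed for the example.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Text;
[ServiceContract] public interface IHelloService { [OperationContract] string Hello(string name); }
public class HelloService : IHelloService { public string Hello(string name) { return "Hello " + name; } }
// Throwing from Validate() is what turns a bad credential into a 401; a Validate() that only
// logs accepts every user name and password, i.e. "protected" in name only.
public class RejectingValidator : UserNamePasswordValidator
{
    // Constructed credential for this example; a real service would check a salted hash from its user store.
    private static readonly byte[] ExpectedUser = Encoding.UTF8.GetBytes("alice");
    private static readonly byte[] ExpectedPassword = Encoding.UTF8.GetBytes("example-password");
    public override void Validate(string userName, string password)
    {
        if (userName == null || password == null)
            throw new SecurityTokenException("Missing credentials");
        // Non-short-circuit & so both comparisons always run.
        bool ok = FixedTimeEquals(Encoding.UTF8.GetBytes(userName), ExpectedUser)
                & FixedTimeEquals(Encoding.UTF8.GetBytes(password), ExpectedPassword);
        if (!ok)
            throw new SecurityTokenException("Unknown user name or incorrect password");
    }
    // Compare every byte with no early exit so timing does not reveal where the values differ.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < Math.Min(a.Length, b.Length); i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
public static class HostSetup
{
    public static ServiceHost Build(Uri baseAddress)
    {
        var host = new ServiceHost(typeof(HelloService), baseAddress);
        // HTTP Basic over the transport: without TLS the user name and password cross the wire base64-encoded, not encrypted.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
        host.AddServiceEndpoint(typeof(IHelloService), binding, "");
        // host.Credentials is the host's ServiceCredentials behavior; this is the programmatic equivalent of <serviceCredentials>.
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new RejectingValidator();
        return host;   // caller opens it: HostSetup.Build(new Uri("http://localhost:8080/hello")).Open();
    }
}
```

This follows the Mono code path quoted in Comment 6, where the listener hands the Basic credentials to the configured validator; on .NET, transport-level Basic credentials are checked by the HTTP listener against Windows accounts rather than passed to a custom validator.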
