Tuesday, 10 July 2018

handle CORS within WCF and windows authentication

I have implemented a self-hosted WCF Rest Service and an according Angular CLI Client. I ran into troubles with CORS but were able to solve them when HttpClientCredentialType.None is set within the WebHttpBinding.
The problem is, that I need to use HttpClientCredentialType.Windows, because I have to know the identity of the Windows user using the system.
Here is the used binding:

new WebHttpBinding
{
    MaxBufferSize = int.MaxValue,
    MaxBufferPoolSize = 524288,
    MaxReceivedMessageSize = int.MaxValue,                
    OpenTimeout = TimeSpan.FromMinutes(1),
    SendTimeout = TimeSpan.FromMinutes(1),
    ReceiveTimeout = TimeSpan.FromMinutes(10),
    CloseTimeout = TimeSpan.FromMinutes(1),
    ReaderQuotas =
    {
        MaxStringContentLength = int.MaxValue,
        MaxArrayLength = int.MaxValue,
        MaxDepth = int.MaxValue,
        MaxNameTableCharCount = int.MaxValue
    },
    Security =
    {
        Mode = WebHttpSecurityMode.Transport,
        Transport = { ClientCredentialType = HttpClientCredentialType.Windows }
        //Transport = { ClientCredentialType = HttpClientCredentialType.None}
    }
};

But now the CORS-Options call is rejected with HttpStatus 401 Unauthorized, because there is no authentication header in it. So the whole call is rejected (what is right...in theory).

Of course I already added all necessary headers. As said, it works with None authentication.

WebOperationContext.Current.OutgoingResponse.Headers.Add("Access-Control-Allow-Origin", "http://localhost:4200");
WebOperationContext.Current.OutgoingResponse.Headers.Add("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
WebOperationContext.Current.OutgoingResponse.Headers.Add("Access-Control-Allow-Headers", "Content-Type, Accept, Id, Origin, Authorization");
WebOperationContext.Current.OutgoingResponse.Headers.Add("Access-Control-Allow-Credentials", "true");

So I see three possibilities to solve my problem.

  1. Get the CORS-Options call in my Angular client somehow to pass my Windows Credentials.
  2. Get the WCF service to ignore the Authentication in CORS-Options call.
  3. Set Authorization back to None and pass my Windows Credentials in some other way (without forcing the user to enter his credentials).

It also works, even with Windows Authentication, when I use --disable-web-security in Chrome Browser. But for me, this is no solution for a production system.

Maybe someone has any ideas or even a solution to my problem.



from handle CORS within WCF and windows authentication
Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)