alkampfer on November 25th, 2009

In some older posts I dealt with WCF configuration to manage authentication of a service with the ASP.NET membership provider.

Now I need to modify that configuration, because in another project the whole site is forced over https, and the configuration I used in the other project cannot be used anymore. In the older post I explained how to send credentials over http with message security, using self-issued certificates. Now I have transport security: https already encrypts everything on the wire, so I can avoid distributing certificates to the people who will use the service.

I need two different configurations. The first is for unauthenticated services, which I'll use for services that must be reachable by everyone with no authentication; the second must let me secure a service through ASP.NET membership and role management.

Let's start with the first configuration. First of all I configure IIS7 with both an https binding and an http binding, and then I configure the endpoint on the server to use https:

<service behaviorConfiguration="BasicHttpsWithoutAuthBehavior"
            name="MyProject.DataService.Concrete.CustomerService">
    <endpoint address="https://mydomain.com/customerservice.svc"
                 binding="basicHttpBinding"
                 name="CustomerService"
                 contract="MyProject.DataService.ICustomerService"
                 bindingConfiguration="SecureTransport">
        <identity>
            <dns value="mydomain.com" />
        </identity>
    </endpoint>
    <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>

In this configuration there are several things to notice: first of all, the endpoint address begins with https; then I use basicHttpBinding, because I do not need credentials to be sent; and finally, to have metadata exchange I need to specify mexHttpsBinding. This last option is needed because the relative address "mex" is resolved against the base addresses the host registered, and for this site those are https only: if you use the standard mexHttpBinding you will end up with the error "Could not find a base address that matches scheme http for the endpoint with binding MetadataExchangeHttpBinding. Registered base address schemes are [https]".

Now here is the binding configuration for this service:

<basicHttpBinding>
    <binding name="SecureTransport">
        <security mode="Transport">
            <transport clientCredentialType="None"/>
        </security>
    </binding>
</basicHttpBinding>

I've simply specified security mode="Transport", i.e. https, and that the transport does not ask the client for any credential. Setting clientCredentialType to "None" explicitly matters, because the credential type on the binding has to match the authentication enabled on the IIS site (anonymous access, in this case): if the binding expects Windows credentials while the site only allows anonymous access, or vice versa, WCF refuses to activate the service.

The client should be configured in this way:

<basicHttpBinding>
    <binding name="HttpsWithNoCredentials" closeTimeout="00:01:00" openTimeout="00:01:00"
             receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
             bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
             maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
             messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
             useDefaultWebProxy="true">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                      maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <security mode="Transport">
            <transport clientCredentialType="None" proxyCredentialType="None" realm="">
                <!-- extended protection (channel binding) only applies to Windows
                     credentials; with clientCredentialType="None" it has no effect -->
                <extendedProtectionPolicy policyEnforcement="Never" />
            </transport>
            <!-- ignored in Transport mode: the message element is only used by the
                 Message and TransportWithMessageCredential security modes -->
            <message clientCredentialType="UserName" algorithmSuite="Default" />
        </security>
    </binding>
</basicHttpBinding>

This is quite a verbose configuration (apart from the security element, the attributes are the basicHttpBinding defaults), but the relevant part is security mode="Transport", which specifies that https will be used. Each endpoint that does not need credentials can then be declared in this way:

<endpoint
	address="https://mydomain.com/CustomerService.svc"
	binding="basicHttpBinding"
	bindingConfiguration="HttpsWithNoCredentials"
	contract="MyProject.DataService.ICustomerService"
	name="CustomerServiceIoC" />

With this configuration you secure WCF calls simply by reusing the certificate the https site already has, and since the security comes from the transport you do not need to give certificates to clients: the client only has to trust the certificate the site presents (its chain and host name are validated by the https stack on the client), which is the same trust a browser needs to open the site. Keep in mind that clientCredentialType="None" means the channel is encrypted but anyone who can reach the URL can call the service; that is exactly what the public, unauthenticated endpoints this configuration is meant for need.
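The rules stated above (https endpoint addresses, security mode Transport, an explicit clientCredentialType of None, a server identity that matches the endpoint host, and mexHttpsBinding on an https-only service) are easy to get wrong when editing web.config by hand, so here is a small linter that checks them. This is an added example, not code from the original post: the sample documents are the post's server and client fragments reduced to their relevant attributes and wrapped in the usual system.serviceModel / bindings / services / client layout, the second document is a constructed counter-example, and the rule names are this example's own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed input: the post's server and client fragments, with the client
# binding reduced to its relevant attributes, wrapped in the usual
# system.serviceModel layout so the whole thing parses as one document.
GOOD_CONFIG = """
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="SecureTransport">
        <security mode="Transport"><transport clientCredentialType="None"/></security>
      </binding>
      <binding name="HttpsWithNoCredentials">
        <security mode="Transport"><transport clientCredentialType="None"/></security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <services>
    <service name="MyProject.DataService.Concrete.CustomerService">
      <endpoint address="https://mydomain.com/customerservice.svc" binding="basicHttpBinding"
                bindingConfiguration="SecureTransport" name="CustomerService"
                contract="MyProject.DataService.ICustomerService">
        <identity><dns value="mydomain.com"/></identity>
      </endpoint>
      <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
    </service>
  </services>
  <client>
    <endpoint address="https://mydomain.com/CustomerService.svc" binding="basicHttpBinding"
              bindingConfiguration="HttpsWithNoCredentials" name="CustomerServiceIoC"
              contract="MyProject.DataService.ICustomerService"/>
  </client>
</system.serviceModel>
"""

# Constructed counter-example: the same document with three mistakes the post
# warns about (mexHttpBinding on an https-only service, a server binding that
# leaves the credential type implicit, an identity that does not match the host).
BAD_CONFIG = (GOOD_CONFIG
              .replace('mexHttpsBinding', 'mexHttpBinding')
              .replace('<transport clientCredentialType="None"/>', '<transport/>', 1)
              .replace('<dns value="mydomain.com"/>', '<dns value="localhost"/>'))


def _binding_security(root):
    """Map each basicHttpBinding name to (security mode, clientCredentialType);
    the credential type is None when the attribute is absent."""
    out = {}
    for b in root.iterfind("./bindings/basicHttpBinding/binding"):
        sec = b.find("security")
        transport = sec.find("transport") if sec is not None else None
        out[b.get("name")] = (
            sec.get("mode", "None") if sec is not None else "None",
            transport.get("clientCredentialType") if transport is not None else None,
        )
    return out


def _check_endpoint(ep, bindings, owner, findings):
    """Apply the per-endpoint rules; returns the address scheme ('' if relative)."""
    addr = ep.get("address", "")
    url = urlparse(addr)
    if url.scheme == "http":
        findings.append(("PLAINTEXT_ENDPOINT", f"{owner}: {addr} is served over http"))
    if ep.get("binding") == "basicHttpBinding":
        # no bindingConfiguration means basicHttpBinding defaults: security mode None
        mode, cred = bindings.get(ep.get("bindingConfiguration"), ("None", None))
        if mode != "Transport":
            findings.append(("NO_TRANSPORT_SECURITY",
                             f"{owner}: binding {ep.get('bindingConfiguration')!r} has mode {mode}"))
        elif cred is None:
            findings.append(("CRED_TYPE_IMPLICIT",
                             f"{owner}: clientCredentialType not stated; say None explicitly"))
    dns = ep.find("identity/dns")
    if dns is not None and url.hostname and dns.get("value", "").lower() != url.hostname.lower():
        findings.append(("IDENTITY_MISMATCH",
                         f"{owner}: identity {dns.get('value')!r} != host {url.hostname!r}"))
    return url.scheme


def lint_service_model(xml_text):
    """Return a list of (rule, message) findings for a system.serviceModel fragment;
    an empty list means every endpoint follows the https-only, no-credential rules."""
    root = ET.fromstring(xml_text.strip())
    bindings = _binding_security(root)
    findings = []
    for svc in root.iterfind("./services/service"):
        owner = svc.get("name")
        schemes, mex = set(), []
        for ep in svc.iterfind("endpoint"):
            if ep.get("contract") == "IMetadataExchange":
                mex.append(ep.get("binding"))
            else:
                schemes.add(_check_endpoint(ep, bindings, owner, findings))
        # A relative "mex" address resolves against the registered base address
        # schemes, so an https-only service needs mexHttpsBinding.
        if schemes == {"https"} and "mexHttpBinding" in mex:
            findings.append(("MEX_HTTP",
                             f"{owner}: mexHttpBinding cannot be hosted on an https-only base address"))
    for ep in root.iterfind("./client/endpoint"):
        _check_endpoint(ep, bindings, ep.get("name"), findings)
    return findings


if __name__ == "__main__":
    for rule, msg in lint_service_model(BAD_CONFIG):
        print(rule, msg)
```

Run it against your own web.config / app.config by reading the file and passing the system.serviceModel element's text to lint_service_model; the good document produces no findings, the counter-example reports the three mistakes. Relative endpoint addresses (address="") inherit the site's base address and are deliberately not judged by the scheme rule.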

The configuration with client credentials over https will be in the next post.

Alk.


3 Responses to “Wcf over secure transport”

  1. Great article... I can't wait until you publish the next article.

  2. I've got a problem with https - http communication in WCF.
    I've got a working Silverlight (SL 3) application with a WCF web service; that's all working fine with http communication. Now there comes a complicated situation:
    - I want to access the application from a URL with "https://..", but my site is still configured as http (and I need to keep it like that). How can I work around this? Any solution?

  3. You can create two different bindings for the server, one with basic http and another with https, so the client can choose which of them to use.

    When I use https I usually move everything to https, because I use services that need login, so https permits me to send credentials with only transport security, and I can avoid managing certificates.

    I already tested on my local machine (Windows 7) creating a web.config with a service that responds both to http and to https, but I decided that it would be really simpler to keep only the https configuration.

    Why do you need to keep the http endpoint?

    Alk.