If you create a BasicHttpBinding endpoint in WCF, by default neither the messages nor the transport is secured. Anyone snooping on the wire can read along. An easy way to secure communication over HTTP is Secure Sockets Layer (SSL). It provides point-to-point security by giving the endpoint a secure pipe at the transport layer.
If you want to use a BasicHttpBinding over HTTPS, you need an SSL certificate signed by a certification authority. For development and testing purposes you can provide one yourself. First create and install a temporary certificate on your local machine. If you don’t know how, be sure to read this tutorial first. After that, configuring your service is a breeze.
Shown here is the app.config of the EchoService. A custom BasicHttpBinding was created with security mode “Transport”. An endpoint is created from that custom binding to the SSL port with our certificate bound to it. The identity section of the service has a certificate reference to the thumbprint of the certificate on our local machine.
<?xml version="1.0"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicSecure">
          <security mode="Transport" />
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="WcfServiceLibrary.Echo.EchoService">
        <endpoint address="https://localhost:8888/EchoService/"
                  binding="basicHttpBinding"
                  bindingConfiguration="BasicSecure"
                  contract="WcfServiceLibrary.Echo.IEchoService">
          <identity>
            <certificateReference storeName="My"
                                  storeLocation="LocalMachine"
                                  x509FindType="FindByThumbprint"
                                  findValue="f1b47a5781837112b4848e61de340e4270b8ca06" />
          </identity>
        </endpoint>
        <host>
          <baseAddresses>
            <add baseAddress="http://localhost:8080/" />
          </baseAddresses>
        </host>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="">
          <serviceMetadata httpGetEnabled="true"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0" />
  </startup>
</configuration>
Settings for the certificate for the service in the Service Configuration Editor below.
On the client side, since we do not ask for any client credentials, a service reference update generates the proper client configuration in app.config. The communication of messages between the client and the service is now secured at the transport level with SSL.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpBinding_IEchoService"
                 closeTimeout="00:01:00" openTimeout="00:01:00"
                 receiveTimeout="00:10:00" sendTimeout="00:01:00"
                 allowCookies="false" bypassProxyOnLocal="false"
                 hostNameComparisonMode="StrongWildcard"
                 maxBufferSize="65536" maxBufferPoolSize="524288"
                 maxReceivedMessageSize="65536"
                 messageEncoding="Text" textEncoding="utf-8"
                 transferMode="Buffered" useDefaultWebProxy="true">
          <readerQuotas maxDepth="32" maxStringContentLength="8192"
                        maxArrayLength="16384" maxBytesPerRead="4096"
                        maxNameTableCharCount="16384" />
          <security mode="Transport">
            <transport clientCredentialType="None" proxyCredentialType="None" realm="" />
            <message clientCredentialType="UserName" algorithmSuite="Default" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="https://localhost:8888/EchoService/"
                binding="basicHttpBinding"
                bindingConfiguration="BasicHttpBinding_IEchoService"
                contract="EchoServiceReference.IEchoService"
                name="BasicHttpBinding_IEchoService" />
    </client>
  </system.serviceModel>
</configuration>
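Both configurations above only work when the endpoint's https address and the security mode of the binding it resolves to agree. The following check is an added example, not code from the original post: it resolves each basicHttpBinding endpoint's bindingConfiguration and reports address/mode mismatches and unencrypted endpoints. The names `audit_endpoints`, `HTTPS_MODES` and `SAMPLE` are hypothetical, the sample config is constructed, and treating an endpoint without a bindingConfiguration as security mode None is a simplifying assumption of this check.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# BasicHttpSecurityMode values that require an https endpoint address.
HTTPS_MODES = {"Transport", "TransportWithMessageCredential"}

def audit_endpoints(config_xml):
    """Return (address, problem) pairs for basicHttpBinding endpoints in a WCF config."""
    root = ET.fromstring(config_xml)
    modes = {}  # binding name -> security mode; no <security> element means "None"
    for group in root.iter("basicHttpBinding"):
        for b in group.findall("binding"):
            sec = b.find("security")
            modes[b.get("name", "")] = "None" if sec is None else sec.get("mode", "None")
    findings = []
    for ep in root.iter("endpoint"):  # covers <services> and <client> endpoints
        if ep.get("binding") != "basicHttpBinding":
            continue
        address, name = ep.get("address", ""), ep.get("bindingConfiguration", "")
        if name and name not in modes:
            findings.append((address, "bindingConfiguration '%s' is not defined" % name))
            continue
        mode = modes.get(name, "None")  # assumption: no configuration means mode None
        scheme = urlparse(address).scheme.lower()
        if scheme == "https" and mode not in HTTPS_MODES:
            findings.append((address, "https address but security mode is " + mode))
        elif scheme == "http" and mode in HTTPS_MODES:
            findings.append((address, "http address but security mode is " + mode))
        elif scheme == "http" and mode in ("None", "TransportCredentialOnly"):
            findings.append((address, "traffic is not encrypted (mode %s)" % mode))
    return findings

# Constructed sample (not from the page): the first endpoint omits bindingConfiguration.
SAMPLE = """<configuration><system.serviceModel>
  <bindings><basicHttpBinding>
    <binding name="BasicSecure"><security mode="Transport" /></binding>
  </basicHttpBinding></bindings>
  <client>
    <endpoint address="https://localhost:8888/EchoService/" binding="basicHttpBinding"
              contract="EchoServiceReference.IEchoService" />
    <endpoint address="https://localhost:8888/EchoService/" binding="basicHttpBinding"
              bindingConfiguration="BasicSecure" contract="EchoServiceReference.IEchoService" />
    <endpoint address="http://localhost:8080/EchoService/" binding="basicHttpBinding"
              contract="EchoServiceReference.IEchoService" />
  </client>
</system.serviceModel></configuration>"""

if __name__ == "__main__":
    print("\n".join("%s -> %s" % f for f in audit_endpoints(SAMPLE)))
```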

Try as I might, I couldn’t get this config to work. The WCF client balks at compile time with –
“The provided URI scheme ‘https’ is invalid; expected ‘http’.”
I’ve read elsewhere that WCF BasicHttpBinding() doesn’t support https and that WSHttpBinding() is mandatory — I’d love to know if this is actually the case as PHP Soap doesn’t play nicely with the latter, it would be great to get BasicHttpBinding() playing nicely with https!
WsHttpBinding doesn’t require certificates, but has message encryption enabled by default as far as I know.
BasicHttpBinding doesn’t set transport security by default, but it does support https as shown in the example. I was curious myself, but I must admit it took me some time to figure it out. My guess is that your port isn’t properly bound to your certificate. That gave me the most headaches.
Hope this helps
Thanks for the reply… I’m making steady headway, although it is a hard old slog. I stumbled across a post on stackoverflow which has at last switched my client into https mode. This is the key for anyone else looking for the same:
Dim b As New BasicHttpBinding()
b.Security.Mode = BasicHttpSecurityMode.Transport
b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows
My app.config settings to do the same non-programmatically are being ignored, I have no idea why at this stage; probably something as simple as a typo, but I can’t see it.
As with the ignored app.config I’m kinda puzzled myself. These things can nag you for hours.
I hope coding your config setting doesn’t impact the flexibility of your code.
Glad it works now.