如何使用端点的 TransportWithMessageCredential 安全模式对 wsdl 进行身份验证？

Question

I have a WCF endpoint that exposes a API with a basicHttpBinding . This biding is set to use security mode TransportWithMessageCredentialand UserName for clientCredentialType .

Because security is implemented at message level, at the WCF, the IIS needs to allow anonymous access. And so, wsdl can be obtain without providing any credentials.

How to force authentication to get the service metadata?

Here the current service configuration looks like (from web.config)

<system.serviceModel> 
  <bindings>
    <basicHttpBinding>
      <binding name="secure">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>   
      </binding>     
      </basicHttpBinding>
  </bindings>
  <services>
    <service behaviorConfiguration="secure" name="someProject.MyService">
      <endpoint  binding="basicHttpBinding" contract="someProject.IService" bindingConfiguration="secure"  />   
    </service>
  </services>
  <behaviors>    
    <serviceBehaviors>
        <behavior name="secure">          
        <serviceMetadata httpsGetEnabled="true"  />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>

I try the obvious, to set a specific binding for the metatada, by using service behavior configuration:

<behavior name="secure">          
   <serviceMetadata httpsGetEnabled="true" httpsGetBinding="basicHttpBinding" httpsGetBindingConfiguration="transportSecure" />
</behavior>

//and add the new binding    
  <basicHttpBinding>
      <binding name="transportSecure">
        <security mode="Transport">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </basicHttpBinding>

But it is not supported. It throws this:

MessageVersion 'Soap11 ( http://schemas.xmlsoap.org/soap/envelope/ ) AddressingNone ( http://schemas.microsoft.com/ws/2005/05/addressing/none )' is not supported in this scenario. Only MessageVersion 'EnvelopeNone ( http://schemas.microsoft.com/ws/2005/05/envelope/none ) AddressingNone ( http://schemas.microsoft.com/ws/2005/05/addressing/none )' is supported.

I don't understand this error or how to get around it.

Answer 1

Normally we will not disclose our metadata in the production environment,But if you want to enable metadata, we can use https binding to protect the metadata.

1.Configure a port with an appropriate X.509 certificate. The certificate must come from a trusted authority, and it must have an intended use of "Service Authorization." You must use the HttpCfg.exe tool to attach the certificate to the port.

2.Create a new instance of the ServiceMetadataBehavior class.

3.Set the HttpsGetEnabled property of the ServiceMetadataBehavior class to true.

4.Set the HttpsGetUrl property to an appropriate URL. Note that if you specify an absolute address, the URL must begin with the scheme https://. If you specify a relative address, you must supply an HTTPS base address for your service host. If this property is not set, the default address is "", or directly at the HTTPS base address for the service.

5.Add the instance to the behaviors collection that the Behaviors property of the ServiceDescription class returns, as shown in the following code.

ServiceMetadataBehavior sb = new ServiceMetadataBehavior();
sb.HttpsGetEnabled = true;
sb.HttpsGetUrl = new Uri("https://myMachineName:8036/myEndpoint");
myServiceHost.Description.Behaviors.Add(sb);

myServiceHost.Open();

This is authentication enabled on WCF, you can also enable windows authentication on IIS, both methods can protect metadata.

But in the production environment, I do not recommend that you enable metadata, because this will lead to the risk of metadata leakage.The call of WCF service can also be called through the channel factory. In this case, we can call WCF service without knowing the metadata of the server.

For more information on how to protect metadata, you can refer to this link:

https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-secure-metadata-endpoints?redirectedfrom=MSDN