Configuring WCF service with HTTPS

I am developing a WCF service that has to be run on HTTPS with UserName credentials and have found the following configuration working in my test solution running on IIS:

Server config:

<?xml version="1.0"?>
<configuration>

  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" />
    <customErrors mode="Off" />
  </system.web>

  <system.serviceModel>

    <behaviors>
      <serviceBehaviors>
        <behavior name="Behavior1">
          <serviceMetadata httpsGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
          <serviceCredentials>
            <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Service.UserNamePassValidator, Service" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>

    <bindings>
      <wsHttpBinding>
        <binding name="Binding1">
          <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="None" />
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

    <services>
      <service behaviorConfiguration="Behavior1" name="Service.Service">
        <host>
          <baseAddresses>
            <add baseAddress="https://localhost/" />
          </baseAddresses>
        </host>
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="Binding1" contract="Service.IService" />
        <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
      </service>
    </services>

  </system.serviceModel>

</configuration>

Client config:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>

  <system.serviceModel>

    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_IService">
          <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="None" />
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

    <client>
      <endpoint address="https://localhost:44303/UsernamePasswordService.svc"
        binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService"
        contract="ServiceReference1.IService" name="WSHttpBinding_IService" />
    </client>

  </system.serviceModel>
</configuration>

The client in my scenario is a WinForms application.

I am very new to configuring this, and just wanted to confirm if this is a valid/good setup for HTTPS (SSL) with UserName credentials?

Since I am using a self-signed certificate, I have to bypass the validation of the certificate on the client side and thus I don't feel like I can see clearly how this will work with a valid certificate.

The way I imagined it would work is that the server passes a client certificate to the client when starting communication and then the client encrypts all the traffic it sends to the server with the client certificate. This traffic is then decrypted with the server certificate on the server end.

But is this the way it will work? The way it is configured now, the certificate is specified on the IIS listening port only, so will it generate a certificate for the client based on the server certificate for each request? Or will the traffic from the client go unencrypted?

I tried running Fiddler on my requests and enabled decrypting HTTPS, and noticed I could read the username and password in plain text in the XML. Is this because Fiddler does some magic to read through my certificate encryption or is the message sent not encrypted at all?

In that case, do I have to encrypt and decrypt the data myself?

I do not want to have to install a certificate on the client.

The short answer to your first question is, in my opinion, yes - HTTPS (SSL) with UserName credentials can be a valid security configuration. Using the WSHttpBinding implements the WS-Security specification and provides interoperability with services that implement the WS-* specifications.

Reference: http://msdn.microsoft.com/en-us/library/ms731172(v=vs.110).aspx

In order to provide any further assessment, one would need to compare the security of that solution against the requirements of your system.

Honestly, I did not fully understand the rest of the question, although I gather you have concerns about the client implications of using a self-signed certificate. That said, the following links (at least one) should provide some guidance:

http://msdn.microsoft.com/en-us/library/ff648840.aspx
http://www.codeproject.com/Articles/570539/HTTPSplusCommunicationplusinplusWCFplususingplusSe
http://blog.adnanmasood.com/2010/04/29/step-by-step-guide-for-authenticating-wcf-service-with-username-and-password-over-ssl/
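
On the self-signed certificate concern raised in the question, an added example (not part of the original question or answer): instead of bypassing certificate validation for every connection, the client accepts one pinned development certificate and validates everything else normally. It assumes a .NET Framework client, where WCF's HTTPS transport honours `ServicePointManager`; `DevHost` and `PinnedThumbprint` are placeholders.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example. DevHost and PinnedThumbprint are placeholders (assumptions):
// use your development host and the thumbprint of your own self-signed certificate.
static class DevCertificatePinning
{
    const string DevHost = "localhost";
    const string PinnedThumbprint = "<THUMBPRINT-OF-YOUR-SELF-SIGNED-CERT>";

    // Call once at start-up, before the first call on the WCF proxy.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    static bool Validate(object sender, X509Certificate certificate,
                         X509Chain chain, SslPolicyErrors errors)
    {
        // A certificate that chains to a trusted root and matches the host
        // name needs no special handling; this is the production path.
        if (errors == SslPolicyErrors.None)
            return true;

        // The sender is either the host name or the WebRequest being made.
        string host = sender as string;
        var request = sender as WebRequest;
        if (request != null)
            host = request.RequestUri.Host;

        // Only make an exception for the development host.
        if (!string.Equals(host, DevHost, StringComparison.OrdinalIgnoreCase))
            return false;
        if (certificate == null)
            return false;

        // Accept the one known self-signed certificate and nothing else, so a
        // certificate presented by an intercepting proxy is still rejected.
        string presented = new X509Certificate2(certificate).Thumbprint;
        return string.Equals(presented, PinnedThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

With a certificate issued by a CA the client machine already trusts, the first branch returns true and the pin is never consulted, so nothing has to be installed on the client.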
