Hello,

I am trying to set transport-level security on a webHttp binding WCF service. My current config looks like this:

<system.serviceModel>
  <client>
    <endpoint binding="webHttpBinding" bindingConfiguration="webHttp"
      contract="PrimeStreamInfoServices.IService1" name="Client" />
  </client>
  <bindings>
    <webHttpBinding>
      <binding name="webHttp" maxBufferPoolSize="1500000" maxReceivedMessageSize="1500000" maxBufferSize="1500000">
        <security mode="Transport">
          <transport clientCredentialType="None"
            proxyCredentialType="None"
            realm="string" />
        </security>
      </binding>
    </webHttpBinding>
  </bindings>
  <services>
    <service name="PrimeStreamInfoServices.Service1" behaviorConfiguration="PrimeStreamInfoServices.Service1Behavior">
      <!-- Service Endpoints -->
      <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttp" contract="PrimeStreamInfoServices.IService1">
        <!--
            Upon deployment, the following identity element should be removed or replaced to reflect the
            identity under which the deployed service runs.  If removed, WCF will infer an appropriate identity
            automatically.
        -->
      </endpoint>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="PrimeStreamInfoServices.Service1Behavior">
        <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
        <serviceMetadata httpGetEnabled="true"/>
        <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
        <serviceDebug includeExceptionDetailInFaults="false"/>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <diagnostics>
    <messageLogging logMalformedMessages="true" logMessagesAtServiceLevel="true"
      logMessagesAtTransportLevel="true" />
  </diagnostics>
</system.serviceModel>

However, when I run my service I get an exception: Could not find a base address that matches scheme https for the endpoint with binding WebHttpBinding. Registered base address schemes are [http].

I know I'm missing something, and I have been trying various things but I can't figure it out. Has anyone got some input on what I have to do?

A: 

Yes - switch to HTTPS, with a suitable certificate. Transport security, in the case of HTTP, is provided by an SSL channel. You can't have WS* transport security over plain HTTPS.

blowdart
Where do I specify that I want HTTPS?
Daniel
A: 

Ignore my previous answer, I was thinking wsHttpBinding not webHttpBinding.

It is the address that you use to call the service that must start with https.

https://machineName/ServiceName

Shiraz Bhaiji
Will message encrypt the request during its transport so no packet sniffers can just read the plain text?
Daniel
It encrypts before it gets sent, so a packet sniffer will not be able to see the contents.
Shiraz Bhaiji
For a description of message security see http://msdn.microsoft.com/en-us/library/ms733137.aspx
Shiraz Bhaiji
Anyway, I don't think you can do message for webHttp binding.
Daniel
A: 

Can you try to add a base address (inside the <host> element of your service config) which is https? Are you adding a (or multiple) base address(es) in code?

<service name="PrimeStreamInfoServices.Service1" 
         behaviorConfiguration="PrimeStreamInfoServices.Service1Behavior">
   <host>
      <baseAddresses>
         <add baseAddress="https://localhost:8080/YourService.svc" />
      </baseAddresses>
   </host>
   <!-- Service Endpoints -->
   <endpoint ......
</service>

Not 100% sure if that works with the webHttpBinding, but give it a try!

Marc

marc_s
A: 

Remember that besides the right WCF config, you also need to configure IIS properly to enable SSL on it (including setting the right X.509 certificate for SSL). The docs have some decent information on how to do it.

tomasr
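
Added example (not from any of the answers above, and not the asker's final config): the service side of the question's configuration with the changes the answers point to, assuming a self-hosted service on the placeholder address from marc_s's answer. Under IIS the base address comes from the site's HTTPS binding rather than from the `<host>` element, so there the SSL binding and certificate mentioned by tomasr are what register the https scheme.

```xml
<!-- Added example; host, port and .svc name are placeholders from the answer above -->
<system.serviceModel>
  <bindings>
    <webHttpBinding>
      <binding name="webHttp" maxBufferPoolSize="1500000"
               maxReceivedMessageSize="1500000" maxBufferSize="1500000">
        <!-- Transport mode means HTTPS: the endpoint needs an https base address -->
        <security mode="Transport">
          <!-- None = server-authenticated TLS only, no client credential -->
          <transport clientCredentialType="None" />
        </security>
      </binding>
    </webHttpBinding>
  </bindings>
  <services>
    <service name="PrimeStreamInfoServices.Service1"
             behaviorConfiguration="PrimeStreamInfoServices.Service1Behavior">
      <host>
        <baseAddresses>
          <!-- Registers the https scheme the exception says is missing -->
          <add baseAddress="https://localhost:8080/YourService.svc" />
        </baseAddresses>
      </host>
      <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttp"
                contract="PrimeStreamInfoServices.IService1" />
      <!-- mexHttpBinding would now fail the same way for scheme http;
           mexHttpsBinding keeps metadata on the TLS channel
           (remove this endpoint entirely before deployment) -->
      <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="PrimeStreamInfoServices.Service1Behavior">
        <!-- httpGetEnabled requires an http base address, so switch to https -->
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

With only an https base address registered, every endpoint and metadata setting in the service has to use an HTTPS-capable binding, which is why the `mex` endpoint and `serviceMetadata` change along with the `webHttpBinding` endpoint.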