I'm connecting to a webservice using WCF. I can authenticate on the server correctly, send my request, and get a signed response back.

The only thing is that the body of the response isn't encrypted. Ok, I'm fine with that. It's not my service and not my call how they do things, I'm just writing a client.

The issue is that WCF keeps giving me a MessageSecurityException stating that the 'Body' required part of the response message wasn't encrypted. Where in my app.config can I specify that I couldn't give two flying craps that it isn't encrypted and it should be let through and read?

For the record, I'm using customBinding.

+1  A: 

The protection level (which defaults to "EncryptAndSign" in WCF) is set on the service contract, e.g. your interface that defines the service methods:

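using System.Net.Security;   // ProtectionLevel
using System.ServiceModel;   // ServiceContract, OperationContract

// ProtectionLevel on the contract applies to every operation that does not override it.
[ServiceContract(Name="YourServiceContract", 
                 Namespace="http://www.yourdomain.com/2009/09/WCF", 
                 ProtectionLevel=ProtectionLevel.None)]
public interface IYourService
{
    // Without [OperationContract] the method is not exposed as a service operation.
    [OperationContract]
    string SayHello(string inputString);
}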

You can set it to "ProtectionLevel.EncryptAndSign" (which is the default), "Sign" or "None".

However, you cannot set it to be one thing for the request and another for the response - the protection level applies to both directions of your WCF communication.

Check out the Fundamentals of WCF Security which explains these topics (this one in particular on page 2).

Marc

marc_s
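
As an added example (not code from either answer): the asker's response is signed but not encrypted, which corresponds to `ProtectionLevel.Sign` rather than `None`, and the sketch below lists the level that applies to each message of a contract so a body left at `None` stands out. The contract name and namespace are the placeholders from the answer above; `ProtectionAudit` and `Effective` are hypothetical names.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Description;

// Hypothetical client-side copy of the contract; name and namespace are placeholders.
// Sign keeps integrity protection on the body without requiring encryption.
[ServiceContract(Name = "YourServiceContract",
                 Namespace = "http://www.yourdomain.com/2009/09/WCF",
                 ProtectionLevel = ProtectionLevel.Sign)]
public interface IYourService
{
    [OperationContract]
    string SayHello(string inputString);
}

public static class ProtectionAudit
{
    // The most specific explicit setting wins: message, then operation, then contract.
    // If nothing is set, fall back to the EncryptAndSign default named in the answer.
    public static ProtectionLevel Effective(ContractDescription contract,
                                            OperationDescription operation,
                                            MessageDescription message)
    {
        if (message.HasProtectionLevel) return message.ProtectionLevel;
        if (operation.HasProtectionLevel) return operation.ProtectionLevel;
        if (contract.HasProtectionLevel) return contract.ProtectionLevel;
        return ProtectionLevel.EncryptAndSign;
    }

    public static void Main()
    {
        ContractDescription contract = ContractDescription.GetContract(typeof(IYourService));
        foreach (OperationDescription operation in contract.Operations)
        {
            foreach (MessageDescription message in operation.Messages)
            {
                ProtectionLevel level = Effective(contract, operation, message);
                // Direction is Input for the request and Output for the response.
                Console.WriteLine("{0} {1}: {2}", operation.Name, message.Direction, level);
                if (level == ProtectionLevel.None)
                    Console.WriteLine("  warning: body is neither signed nor encrypted");
            }
        }
    }
}
```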
+1  A: 

There is a way to send a secured message and permit the response to be unsecured. However it requires a hotfix you need to request from Microsoft technical support. This has saved me when working with a government service that required secured requests but sent unsecured faults back. See here for more information on the hotfix.

Maurice
Very interesting fact indeed! Thanks for that.
marc_s
Thank you so much.
diadem