tags:

views:

331

answers:

3
+1  Q: 

Is it possible to hack a WCF client to pass message credentials w/out SSL?

I wrote a custom WCF binding a while back to allow my load balanced farm to host services via IIS. The reason for the custom binding was that each server didn't have SSL but needed the ability to accept a client credential of username + password. The proxy in front of this farm has SSL so the traffic would be encrypted outside the firewall. This custom binding works fine but now I'm at the point where I need to watch the traffic from my machine locally and wanted to do this w/out SSL in the mix.

The issue is this - on the .net client if I set my security mode = "TransportWithMessageCredential" I must have SSL else I get the fun error "invalid scheme, expected https"

Is it possible to write something custom for the client to "ignore" that SSL is missing but still let me pass the username + password via the SOAP header?

A: 

I assume, on your custom binding, that you also get an error if you just use security mode="Message"? A custom binding wasn't really necessary, since (if I'm not mistaken) you can use the wsHttpBinding with security mode="Message" (not requiring SSL).

Another alternative is to just generate an SSL certificate yourself, install it in IIS, and implement a trust all certificate policy in your calling code, but this is generally frowned upon (as is sending user names and passwords over an insecure channel).

A third option is to change your contract's operations to accept user names and passwords (or some sort of token) as a parameter, or change your data contracts so you can send the information along with whatever object you may already be sending.

Langdon  2009-11-03 15:17:20
+2  A: 

Yup, I wrote a blog post about this a while back called "How To: SSL Passthrough with WCF --or-- TransportWithMessageCredential over plain HTTP".

The short of it is that you need to create your own HttpTransportBindingElement subclass which "lies" about providing security.

Drew Marsh  2009-11-03 15:24:08
Drew I'm starting to think I should just take the WCF apprentice program under your guidance! Thanks for all the help (as you answered my last 3 questions on WCF)
Toran Billups  2009-11-03 16:05:44
Hahah, just glad I can save someone else some pain of figuring this stuff out. ;)
Drew Marsh  2009-11-03 16:22:19
+2  A: 

There is a Hotfix for .net 3.5 sp1 that adds a AllowInsecureTransport property to the SecurityBindingElement. This will also be in .net 4 beta 2.

Aaron Fischer  2010-03-23 18:56:35

related questions

Dynamic programming with WCF
WCF Service Returning "Method Not Allowed"
Exceptions in Web Services
What SPN do I need to set for a net.tcp service?
How do I unit test a WCF service?
Best practices for versioning your services with WCF?
Lazy Loading with a WCF Service Domain Model?
How many ServiceContracts can a WCF Service have?
How can I authenticate using client credentials in WCF just once?
WCF - Domain Objects and IExtensibleDataObject
InvalidOperationException while creating wcf web service instance
Closing and Disposing a WCF Service
What WCF best practices do you follow in object model design?
WCF push to client through firewall?
Loading System.ServiceModel configuration section using ConfigurationManager
I would like some tips for debugging WCF Web Service exceptions
What's the best way to authenticate over WCF?
Good Reads for Distributed Systems
.Net - Returning DataTables in WCF
What is the easiest way to add compression to WCF in Silverlight?
WCF Backward Compatibility Issue
Best Practices for securing a REST API / web service
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
WCF - High availability