tags:

views:

571

answers:

3
+2  Q: 

What is simplest WCF/SOAP configuration?

We have a WCF service and I use wsHttpBinding with transport security and custom authentication.

I recently discovered that secure sessions are on by default (see this SO question).

I'm surprised that such a feature is on by default. I thought that by default I'd get the simplest configuration and that additional features would be on an opt-in basis.

I want to start with the simplest possible feature set and then decide to opt-in for more features.

So my question is: What are the other features that are enabled by default and how can I turn them off?

A: 

The listing of all the possible attributes of wsHttpBinding are available - you could go through them and decide which ones you'd like to explicitly set based on your endpoint requirements.

Mike Atlas  2009-11-11 23:56:01
+1  A: 

wsHttpBinding is a very complex binding built for layering lots of WS-* goo on top of. BasicHttpBinding might be a better place to start- it's just simple SOAP over HTTP- sounds more like what you're after. It's very interoperable, but you can still turn on a lot of WS-* behavior later.

nitzmahone  2009-11-12 04:01:08
I need SOAP over HTTPS with custom authentication. Can I implement that with basicHttp?
Sly  2009-11-12 20:40:10
Yep- that's exactly what we do. Our auth stuff is built as a behavior that installs a messageinspector to validate.
nitzmahone  2009-11-13 03:00:29
@nitzmahone: Would your authentication mechanism work out-of-the-box with any SOAP compliant libraries? Wouldn't the client have to have custom code to pass the credentials to your app? If not, can you please give a little more details on the the authentication process takes place? Thanks a lot
Sly  2009-11-14 18:16:39
Probably not- other than WS-Security or HTTP Basic, there's not a lot of "standard" authentication over SOAP out there. You can layer WS-Security on basicHttpBinding, but you haven't specified what kind of authentication you're after. Most SOAP packages make it really easy to add a custom SOAP header to all outgoing requests. We're lucky enough to usually be .NET on both ends, so it's less a concern for us (we do have a corresponding client behavior to do the header injection).
nitzmahone  2009-11-14 19:22:01
Ok, thanks for the information. I guess I'll stick to wsHttpBingin that. Anyways, I think I got the minimal WCF wsHttpBinding configuration figured out now - at least in terms of security settings.
Sly  2009-11-16 13:58:42
+3  A: 

It depends :-) as per usual.

Do you want to have an externally facing service, that users from outside your network can call into? If so, then use either the basicHttpBinding which is basically the same as the legacy ASMX web services (SOAP 1.1, really basic, hardly any security and no reliability features). Or use wsHttpBinding (SOAP 1.2, WS-* stuff) from the beginning, but turn off all the features at first.

With the basicHttpBinding, there's no a whole lot to "turn on" later on - you're kinda stuck and need to e.g. switch to wsHttpBinding or create your own custom binding beyond that basic features. wsHttpBinding is pretty heavy-weight, but most of those features like security, reliability etc. can be turn off or back on later. BUT: not every client app out there can connect to wsHttpBinding endpoints.

OR: use several endpoints! One really simple one using basicHttp for "legacy" clients, one more advanced with wsHttpBinding - that's the beauty of a WCF service - you write the service code once and expose it on a gazillion different endpoints, as your clients need them!

If you're internal, inside the company firewall the choice is easy - use netTcpBinding - it's fast (since it uses binary instead of text encoding) and has lots of features that can be tweaked.

UPDATE: since it's an externally facing service, and all kinds of clients might connect, I would use the basicHttpBinding with username/password security:

  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="wsMsgSec">
          <security mode="Message">
            <message clientCredentialType="None" establishSecurityContext="false" negotiateServiceCredential="false"/>
          </security>
          <reliableSession enabled="false"/>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="YourService">
        <endpoint
            address=""
            binding="wsHttpBinding"
            bindingConfiguration="wsMsgSec"
            contract="IYourServiceContract" />
      </service>
    </services>

  </system.serviceModel>

For the "clientCredentialType" on the message security tag, you could also use "UserName" - in that case, you would have to set up some infrastructure (e.g. the ASP.NET membership provider system) in order to validate the incoming username/password credentials.

Also, definitely check out the WCF Security Guidance which has step-by-step explanations for a plethora of different security scenarios, and what to do for each in web.config and your WCF config.

marc_s  2009-11-12 06:30:50
@marc_s: Thank you for your answer. It is an externally facing service so I need security. Our customers and partners invoke the services directly. A sample config file with every feature turned off or set to their minimum (except security) would be very helpful.
Sly  2009-11-12 12:55:16
@marc_s: Thanks for the update. You wrote "I would use the basicHttpBinding" but your sample is with wsHttpBinding. I guess you meant "I would use the basicHttpBinding". Correct?
Sly  2009-11-12 20:27:58
Oups...I made the same mistake...I guess you meant "I would use the wsHttpBinding". Correct?
Sly  2009-11-12 20:29:27
You chose the set negotiateServiceCredential to False. I'm trying to make up my mind about whether I should set it to false (it's true by default and I have the default). I currently use clientCredentialType="UserName". My understanding is that if I set negotiateServiceCredential to False in that context, then my clients will have to manually install my certificate before they can invoke my services. At a first glance I see that as a something that would make my services harder to call. So I don't see the benefits of setting negotiateServiceCredential to False. Am I missing something here?
Sly  2009-11-12 20:51:34
Yes, I tried to follow your "turn off everything" mantra :-) But you're right - this requires an out-of-band step before a client call actually call your service - get the service certificate and installing it properly.
marc_s  2009-11-12 21:20:14

related questions

Dynamic programming with WCF
WCF Service Returning "Method Not Allowed"
Exceptions in Web Services
What SPN do I need to set for a net.tcp service?
How do I unit test a WCF service?
Best practices for versioning your services with WCF?
Lazy Loading with a WCF Service Domain Model?
How many ServiceContracts can a WCF Service have?
How can I authenticate using client credentials in WCF just once?
WCF - Domain Objects and IExtensibleDataObject
InvalidOperationException while creating wcf web service instance
Closing and Disposing a WCF Service
What WCF best practices do you follow in object model design?
WCF push to client through firewall?
Loading System.ServiceModel configuration section using ConfigurationManager
I would like some tips for debugging WCF Web Service exceptions
What's the best way to authenticate over WCF?
Good Reads for Distributed Systems
.Net - Returning DataTables in WCF
What is the easiest way to add compression to WCF in Silverlight?
WCF Backward Compatibility Issue
Best Practices for securing a REST API / web service
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
WCF - High availability