IIS Rest over HTTPS only

Question

I've asked a similar question here:

http://stackoverflow.com/questions/2165465/how-to-enforce-one-method-in-wcf-rest-to-be-called-via-https-while-others-can-be

And it doesn't look like it is possible on the code side. Is it possible to set up an entire service to be callable over HTTPS only? I've configured a service using the following binding:

  <webHttpBinding>
    <binding name="webBinding"
     maxBufferSize="152428800" maxReceivedMessageSize="152428800"
     receiveTimeout="00:10:00">
        <readerQuotas maxStringContentLength="152428800"
              maxArrayLength="152428800"
              maxBytesPerRead="4096"/>
        <security mode="Transport">
        <transport clientCredentialType="None" />
        </security>
    </binding>
    </webHttpBinding>

But when I try to call a simple service over http, the service returns the result happily, rather than returning some sort of exception. Do I need to configure IIS to only service https requests? Has anyone tried this?

Thanks!

Answer 1

Did you configure IIS to require SSL on your application's folder? (you can set it to allow ssl or make it mandatory)

Answer 2

You can always add an explicit endpoint to your service entry with a fully-qualified https address. Can't remember if IIS hosting always auto-adds the base addresses when you have an explicit address, but even if it does, you can make a simple extension of ServiceHostFactory to "eat" the default base addresses IIS supplies (reference your custom servicehostfactory in the Factory attribute of your .svc file). Then it'll only answer on the exact addresses you supplied in the config.

Answer 3

It's possible via configuration. This Blog Article is not your exact scenario (it's file transfer over https), but it shows sample config and code for configuring and consuming a https web service that should be useful.