I'd like to convert my current HTTP/HTTPS WCF binding settings to use binary message encoding, and I need to do it in code, not in XML configuration. AFAIK it's necessary to create a CustomBinding object and set the proper BindingElements, but I'm not able to figure out what elements I should use in my scenario.

Main points in my WCF configuration are:

  • use HTTP or HTTPS transport depending on configuration (in app.config)
  • use username message security
  • todo: add binary encoding instead of default text

My current code for setting the binding up (working, but without the binary encoding):

var isHttps = Settings.Default.wcfServiceBaseAddress.StartsWith("https://", StringComparison.InvariantCultureIgnoreCase);
var binding = new WSHttpBinding(isHttps ? SecurityMode.TransportWithMessageCredential : SecurityMode.Message);
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

I was trying this code, but it doesn't work - I don't know how to set the message security element for username message security:

var custBinding = new CustomBinding();
custBinding.Elements.Add(new BinaryMessageEncodingBindingElement());
//Transport Security (Not Required)
if (isHttps)
{
    custBinding.Elements.Add(SecurityBindingElement.CreateUserNameForSslBindingElement());
}
//Transport (Required)
custBinding.Elements.Add(isHttps ?
    new HttpsTransportBindingElement() :
    new HttpTransportBindingElement());

Does anybody know how to set this up? I tried to search for a similar problem/solution, but didn't succeed...

A: 

Try SecurityBindingElement.CreateUserNameOverTransportBindingElement() instead:

var custBinding = new CustomBinding();
custBinding.Elements.Add(new BinaryMessageEncodingBindingElement());
//Transport Security (Not Required)
if (isHttps)
{
  custBinding.Elements.Add(SecurityBindingElement.CreateUserNameOverTransportBindingElement());
}
//Transport (Required)
custBinding.Elements.Add(isHttps ?
   new HttpsTransportBindingElement() :
   new HttpTransportBindingElement());
Samuel Jack
I already tried this, but it doesn't work. Also, when isHttps==false there's no message security setup - this is the main problem. I don't know how to set up WSHttpBinding-compatible message security using CustomBinding.
Buthrakaur
For security reasons, WCF only permits username/password combinations to be sent when the connection is encrypted - i.e. when you're using Https transport. This means that if you don't use Https, you can't secure your messages in this way. You might need to reassess your requirements.
Samuel Jack
A: 

The SecurityBindingElement has an AllowInsecureTransport property. If you set this to true you can use the HttpTransportBindingElement with message user name and password security.

Aaron Fischer
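
The two answers above combined into one binding factory, as an added example that is not part of the original answers; `BinaryUserNameBinding.Create` is a hypothetical helper name. It assumes the service endpoint is configured with the same binding elements, and that the plain-HTTP branch is used only where TLS is terminated in front of the service, because with `AllowInsecureTransport` the username token is not encrypted by WCF.

```csharp
using System;
using System.ServiceModel.Channels;

static class BinaryUserNameBinding
{
    // Hypothetical helper: binary-encoded binding carrying a UserName token
    // in the SOAP security header, over HTTP or HTTPS depending on the address.
    public static CustomBinding Create(string baseAddress)
    {
        bool isHttps = baseAddress.StartsWith(
            "https://", StringComparison.OrdinalIgnoreCase);

        // UserName token in the message; confidentiality is expected
        // to come from the transport.
        TransportSecurityBindingElement security =
            SecurityBindingElement.CreateUserNameOverTransportBindingElement();

        // Relax WCF's "credentials need a secure transport" check only for
        // plain HTTP. On this branch the password is readable on the wire
        // between client and whatever terminates TLS (if anything does).
        security.AllowInsecureTransport = !isHttps;

        HttpTransportBindingElement transport = isHttps
            ? new HttpsTransportBindingElement()
            : new HttpTransportBindingElement();

        // Elements are listed top-down in the documented channel stack order:
        // security, then message encoding, then transport (always last).
        return new CustomBinding(
            security,
            new BinaryMessageEncodingBindingElement(),
            transport);
    }
}
```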