I have a WCF service that I need to run over SSL. I am calling it from a webpage (using jQuery) which may or may not be a secure page. The problem is, if I make the call from a secure webpage on my site, the call runs exactly how I would expect... however, if I make the call from a non-secure page on my site, to the secure web service (using "https://" ;) ) it returns null data (via Firebug). Anything I'm missing? Is this even possible?

Here is the configuration of the service I'm calling (I'm more than happy to provide more stuff if needed):

<behaviors>
  <endpointBehaviors>
    <behavior name="AspNetAjaxBehavior">
      <webHttp/>
    </behavior>
  </endpointBehaviors>
</behaviors>
<services>
  <service name="ClientServices.Membership" behaviorConfiguration="ServiceGatewayBehavior">
    <endpoint address="" behaviorConfiguration="AspNetAjaxBehavior" bindingConfiguration="SecureBinding"
     binding="webHttpBinding" contract="ClientServices.Membership" />
  </service>
</services>
<bindings>
  <webHttpBinding>
    <binding name="SecureBinding">
      <security mode="Transport"/>
    </binding>
  </webHttpBinding>
</bindings>

Here is the code that calls the service:

$.ajax({
    url: serviceUrl,
    type: "POST",
    contentType: "application/json; charset=utf-8",
    dataType: "json",
    // Serialize with JSON.stringify so quotes in username cannot break the payload
    data: JSON.stringify({ review: { Username: username } }),
    success: function (data) {
        $.log(data);
    },
    error: function (a, b, c) {
        $.log(b);
    },
    cache: false
});

UPDATE

If I change the service call method to "GET" and call it directly over SSL it works fine and outputs the JSON that I would expect. It's only inside the non-secure page where the problem persists.

A: 

There are ways around it, but "out-of-the-box" WCF does not allow sending passwords over unsecured transports, so the membership service won't be bound to the unprotected transport - thus the empty response.

(Ideally, the membership service should throw an exception to that effect if it wanted to be useful, but it would appear that that was overlooked.)

NStaudt
I'm confused by your answer...the service is receiving the param in clear text. It has no context of the type of parameter being sent via jQuery.
Ryan Eastabrook
Sorry, by "the service" I meant the membership provider in your config - it looked like an out-of-the-box provider, but on closer inspection it would seem it isn't. I'm surprised that your example works over SSL, as there isn't an https transport config item?
NStaudt
This declaration enables SSL over WCF: <security mode="Transport"/>.
Ryan Eastabrook
OK, guess you can tell I never put out a secure .svc :) If you post the service code also, then I'll put it on a test server I have access to (that has an SSL cert) and have a fiddle with it. One other option to check out - I've found the $.ajax(...) method to be a bit flaky for jsonp, so ended up using http://code.google.com/p/jquery-jsonp/ ... it could be a bug in the json implementation.
NStaudt
This is all in the same domain, jsonp is unnecessary. The service code is extremely basic, imagine it just passes back a concatenated string of the parameters. If I set a debugger it never even hits the service code, however, I can see the message sent using Fiddler...so it's happening at some point when the service is initiated.
Ryan Eastabrook
If it's not hitting the service at all then I'd be looking at the service bindings... hehe, back to where we started. I'll try to replicate this behavior later today - I needed to deploy an SSL WCF today anyway, so can have a fiddle with those config settings. Cheers, Nathan :)
NStaudt
A: 

Assuming site and service are both at yourdomain.com, then my first thoughts would be that when on the non-secure page, your browser is not attaching the cookie it has for the site domain and so when it calls the service, it isn't authenticated.

Have you used Fiddler to look at the raw HTTP header data and more importantly, what differs in this data when on the working and not-working page?

Luke

Luke Puplett
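
The header comparison suggested in the answer above can also be run on saved captures of the working and non-working call. This is an added example, not code from the thread; the two raw requests, the host, the service path and the cookie value are constructed sample data, and the function names are hypothetical.

```javascript
// Constructed sample captures (not real traffic): the same service call made
// from the secure page and from the non-secure page.
const fromSecurePage = [
  "POST /Services/Membership.svc/Review HTTP/1.1",
  "Host: www.example.com",
  "Referer: https://www.example.com/account",
  "Content-Type: application/json; charset=utf-8",
  "Cookie: .ASPXAUTH=constructed-sample-value",
].join("\r\n");

const fromNonSecurePage = [
  "POST /Services/Membership.svc/Review HTTP/1.1",
  "Host: www.example.com",
  "Referer: http://www.example.com/reviews",
  "Content-Type: application/json; charset=utf-8",
].join("\r\n");

// Parse a raw request head into a map of lowercased header name -> value.
function parseHeaders(raw) {
  const headers = Object.create(null); // no inherited keys to collide with
  const lines = raw.split(/\r?\n/).slice(1); // skip the request line
  for (const line of lines) {
    if (line === "") break; // blank line ends the header section
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // not a "Name: value" line
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    // Repeated headers are joined so none is silently dropped.
    headers[name] = name in headers ? headers[name] + ", " + value : value;
  }
  return headers;
}

// List headers that are missing on one side or carry different values.
function diffHeaders(rawWorking, rawFailing) {
  const a = parseHeaders(rawWorking);
  const b = parseHeaders(rawFailing);
  const names = new Set([...Object.keys(a), ...Object.keys(b)]);
  return [...names].sort()
    .filter((name) => a[name] !== b[name])
    .map((name) => ({ name, working: a[name] ?? null, failing: b[name] ?? null }));
}

console.log(diffHeaders(fromSecurePage, fromNonSecurePage));
```

A `failing: null` entry for `cookie` in the output would match the missing-cookie theory in the answer; any other differing header is a lead worth checking as well.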