WCF service show exception when securing service with wshttpbinding and username authentication

Answer 1

You have used TransportWithMessageCredential which means mandatory HTTPS. So you have to either change your security setting or enable SSL.

WCF does not allow for clear text authentication over http, it requires https and this behaviour is by design - I would actually not agree but well I am not microsoft.

if you need to enable clear text authentication, you need to hand-craft the message in the message inspector.

UPDATE

Here was my implementation (this is rough and only proof of concept) but the other answer is better (built-in support in WCF 4.0):

  [Serializable()]
  public class ConsoleMessageTracer : BehaviorExtensionElement, 
  IClientMessageInspector ,IEndpointBehavior, System.Configuration.IConfigurationSectionHandler
  {

    private string _userName = string.Empty;
    private string _password = string.Empty;

    [XmlAttribute()]
    public string UserName
    {
      get { return _userName; }
      set { _userName = value; }
    }

    [XmlAttribute()]
    public string Password
    {
      get { return _password; }
      set { _password = value; }
    }


    private Message TraceMessage(MessageBuffer buffer)
    {
      Message msg = buffer.CreateMessage();
      Console.WriteLine("\n{0}\n", msg);
      return buffer.CreateMessage();
    }


    public void AfterReceiveReply(ref Message reply, object
        correlationState)
    {
      reply = TraceMessage(reply.CreateBufferedCopy(int.MaxValue));
    }

    public object BeforeSendRequest(ref Message request,
        IClientChannel channel)
    {

      request.Headers.Add(MessageHeader.CreateHeader("Security",
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
        tt, true, "http://www.isban.es/soap/actor/wssecurityUserPass")
        );

      return null;
    }

    public override Type BehaviorType
    {
      get { return this.GetType(); }
    }

    protected override object CreateBehavior()
    {
      return this;
    }

    #region IEndpointBehavior Members

    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters)
    {
      return;
    }

    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
    {
      clientRuntime.MessageInspectors.Add(new ConsoleMessageTracer());
      //foreach (ClientOperation op in clientRuntime.Operations)
      //  op.ParameterInspectors.Add(new ConsoleMessageTracer());
    }

    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher)
    {
      //endpointDispatcher.DispatchRuntime.MessageInspectors.Add(new ConsoleMessageTracer());
      //foreach (DispatchOperation op in endpointDispatcher.DispatchRuntime.Operations)
      //  op.ParameterInspectors.Add(new ConsoleMessageTracer());
    }

    public void Validate(ServiceEndpoint endpoint)
    {
      return;
    }

    #endregion

    #region IConfigurationSectionHandler Members

    public object Create(object parent, object configContext, XmlNode section)
    {
      return null;
    }

    #endregion
  }

    [DataContract(Namespace = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd")]
    //[DataContract(Namespace = "")]
    [Serializable()]
    public class UserNameTokenToken
    {
        [DataMember()]
        public UserNameToken UsernameToken;

        public UserNameTokenToken(UserNameToken token)
        {
            UsernameToken = token;
        }
    }

    [DataContract(Namespace = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd")]
    //[DataContract(Namespace = "")]
    [Serializable()]
    public class UserNameToken
    {
        [DataMember(Order = 1)]
        public string Username = string.Empty;
        [DataMember(Order = 2)]
        public string Password = string.Empty;

        public UserNameToken(string uname, string pass)
        {
            Username = uname;
            Password = pass;
        }

    }

Answer 2

TransportWithMessageCredential means that you want to use transport security and send credential in message. Transport security in this case means HTTPS. First realease of WCF demanded that user name and password can be only used with secured communication. Later on MS released patch which allows workaround to avoid HTTPS but still it is not recommended. In .NET 4.0 the patch is directly included.

If you want to use message credentials without secured communication you have to create custom binding similar to this:

<bindings>
  <customBinding>
    <binding name="HttpWithAuthentication">
      <security authenticationMode="UserNameOverTransport" allowInsecureTranpsort="true" />
      <context /> <!-- needed for durable worklfows -->
      <textMessageEncoding messageVersion="Soap12Addressing10" />
      <httpTransport />
    </binding>
  </customBinding>
</bindings>

Problem with allowInsecurTransport is that it is some "quick fix" which does not integrate with all WCF features. So for example when you use it your service is not able to generate WSDL / metadata because this part still requires secure communication.