I am kinda new to WCF and the setting up of services and have 2 questions. My first question: I have a service that will be accessed via https on a web server. However, on my local IIS7 it will be accessed via http, as https is not available. How can I set up a service to be accessed by both?

My second question is regarding how I can set up a service that requires a username and password to be accessed. For the service that I have in place, I don't want its methods to be accessed unless the calling application has the rights to do so.

Here is an example of the relevant area of my web.config file.

<system.serviceModel>
    <bindings>
        <webHttpBinding>
            <!-- standard AJAX binding that supports SSL -->
            <binding name="TransportSecurity">
                <security mode="Transport" />
            </binding>
            <!-- standard AJAX binding for HTTP only -->
            <binding name="NoSecurity">
                <security mode="None" />
            </binding>
        </webHttpBinding>
    </bindings>
    <behaviors>
        <endpointBehaviors>
            <behavior name="EndPointBehavior">
                <enableWebScript />
            </behavior>
        </endpointBehaviors>
        <serviceBehaviors>
            <behavior name="ServiceBehavior">
                <serviceDebug httpHelpPageEnabled="false" httpsHelpPageEnabled="false" includeExceptionDetailInFaults="true" />
                <serviceMetadata httpGetEnabled="true" />
            </behavior>
        </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
    <services>
        <service behaviorConfiguration="ServiceBehavior" name="ServiceName">
            <endpoint address="" 
                      behaviorConfiguration="EndPointBehavior"
                      binding="webHttpBinding" 
                      bindingConfiguration="NoSecurity"
                      contract="App.Service.ServiceName" />
        </service>
    </services>
    <diagnostics>
        <messageLogging logMessagesAtTransportLevel="true" logMessagesAtServiceLevel="false" logMalformedMessages="true" logEntireMessage="false" maxSizeOfMessageToLog="65535000" maxMessagesToLog="500" />
    </diagnostics>
</system.serviceModel>

In this config, the service is set up for http only and no username/password is applied to it.

A: 

You can add the username password configuration to your bindings:

            <security mode="Transport">
                <transport clientCredentialType="Basic" />
            </security>

and

            <security mode="TransportCredentialOnly"> <!-- This means http + credential -->
                <transport clientCredentialType="Basic" />
            </security>

As for authorization, there are a bunch of options. The very simplest is to apply a custom username password validator (arbitrary example taken from http://blogs.msdn.com/b/pedram/archive/2007/10/05/wcf-authentication-custom-username-and-password-validator.aspx):

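<serviceBehaviors>
  <behavior name="CustomValidator">
    <serviceCredentials>
      <!-- The type value is cut off in the original post; the value below is a placeholder -->
      <userNameAuthentication
        userNamePasswordValidationMode="Custom"
        customUserNamePasswordValidatorType="PLACEHOLDER_VALIDATOR_TYPE, PLACEHOLDER_ASSEMBLY" />
    </serviceCredentials>
  </behavior>
</serviceBehaviors>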

At a more sophisticated level, read up on the ServiceAuthorizationManager:

http://msdn.microsoft.com/en-us/library/system.servicemodel.serviceauthorizationmanager.aspx

JeffN825
Brilliant - thanks for this. About to try it out. Any thoughts on how I can make a service available in http and https? As I have situations in which this is occurring.
Niall Collins