I wrote a custom WCF binding a while back to allow my load balanced farm to host services via IIS. The reason for the custom binding was that each server didn't have SSL but needed the ability to accept a client credential of username + password. The proxy in front of this farm has SSL so the traffic would be encrypted outside the firewall. This custom binding works fine but now I'm at the point where I need to watch the traffic from my machine locally and wanted to do this w/out SSL in the mix.

The issue is this: on the .NET client, if I set my security mode = "TransportWithMessageCredential" I must have SSL, else I get the fun error "invalid scheme, expected https".

Is it possible to write something custom for the client to "ignore" that SSL is missing but still let me pass the username + password via the SOAP header?

A: 

I assume, on your custom binding, that you also get an error if you just use security mode="Message"? A custom binding wasn't really necessary, since (if I'm not mistaken) you can use the wsHttpBinding with security mode="Message" (not requiring SSL).

Another alternative is to just generate an SSL certificate yourself, install it in IIS, and implement a trust all certificate policy in your calling code, but this is generally frowned upon (as is sending user names and passwords over an insecure channel).

A third option is to change your contract's operations to accept user names and passwords (or some sort of token) as a parameter, or change your data contracts so you can send the information along with whatever object you may already be sending.

Langdon
+2  A: 

Yup, I wrote a blog post about this a while back called "How To: SSL Passthrough with WCF --or-- TransportWithMessageCredential over plain HTTP".

The short of it is that you need to create your own HttpTransportBindingElement subclass which "lies" about providing security.

Drew Marsh
Drew, I'm starting to think I should just take the WCF apprentice program under your guidance! Thanks for all the help (as you answered my last 3 questions on WCF).
Toran Billups
Hahah, just glad I can save someone else some pain of figuring this stuff out. ;)
Drew Marsh
+2  A: 

There is a hotfix for .NET 3.5 SP1 that adds an AllowInsecureTransport property to the SecurityBindingElement. This will also be in .NET 4 Beta 2.

Aaron Fischer
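An added example, not code from any of the posters: a client-side binding factory that uses the AllowInsecureTransport property mentioned in the last answer, but only turns it on for plain-HTTP endpoints on the loopback interface unless the caller explicitly opts in. The class name, the `allowPlainHttpOffHost` parameter and the loopback policy are assumptions of this example; it also assumes a framework version where the property is available.

```csharp
using System;
using System.ServiceModel.Channels;

// Hypothetical helper (name and policy are assumptions of this example).
public static class UserNameOverHttpBinding
{
    // Builds a username-over-transport binding for the given endpoint.
    // https:// -> normal case, TLS terminates at the endpoint.
    // http://  -> AllowInsecureTransport is set, so the username and password
    //             travel in the SOAP header unencrypted on this hop.
    public static Binding Create(Uri endpoint, bool allowPlainHttpOffHost = false)
    {
        if (endpoint == null) throw new ArgumentNullException("endpoint");

        // Same security element in both cases, so the SOAP security header
        // has the same shape with or without TLS.
        var security = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
        TransportBindingElement transport;

        if (endpoint.Scheme == Uri.UriSchemeHttps)
        {
            transport = new HttpsTransportBindingElement();
        }
        else if (endpoint.Scheme == Uri.UriSchemeHttp)
        {
            // Refuse cleartext credentials to a remote host unless the caller
            // states that TLS is terminated elsewhere (e.g. at the proxy).
            if (!endpoint.IsLoopback && !allowPlainHttpOffHost)
                throw new InvalidOperationException(
                    "Refusing to send credentials over plain HTTP to " + endpoint.Host);

            security.AllowInsecureTransport = true;
            transport = new HttpTransportBindingElement();
        }
        else
        {
            throw new NotSupportedException("Unsupported scheme: " + endpoint.Scheme);
        }

        // Default text encoding; the message version must match the service's binding.
        return new CustomBinding(security, new TextMessageEncodingBindingElement(), transport);
    }
}
```

Pass the result to a `ChannelFactory<T>` and set `Credentials.UserName` as usual; keeping the opt-in flag out of production configuration limits the cleartext hop to local debugging.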