Securing WCF Service

Question

I'm trying to set up security on a WCF web service, using the ProtectionLevel attribute:

[ServiceContract(ProtectionLevel= ProtectionLevel.EncryptAndSign)]

This compiles, but Visual Studio throws exceptions when I try to update the service reference in another project (same solution).

System.InvalidOperationException: The request message must be protected. This is required by an operation of the contract ('IStorageService','tempuri.org/';). The protection must be provided by the binding ('WSHttpBinding','tempuri.org/';).

What else do I need to set up to get this to work?

Answer 1

The ProtectionLevel is a way for the developer to set the minimum level that a binding must comply with. When a service is deployed, the actual binding specified in configuration may or may not support the minimum level. For example, by default, the BasicHttpBinding class does not supply security (although it can be enabled). Therefore, using it with a contract that has any setting other than None will cause an exception to be thrown. see here

Answer 2

Your ServiceContract attribute is specifying that the service requires a secure channel for all operations, with both message signing (the message contains a digital signature which can prove that it hasn't been tampered with) and message encryption (the bytes of the message are encrypted when transmitted over the network).

Your client code (i.e. in the project which calls the service) must satisfy these requirements. If this project is using BasicHttpBinding with default settings, then the requirements of the service will not be satisfied (security is disabled by default for the BasicHttpBinding). If you configure the client project to use WsHttpBinding instead, with its default settings, the exception should go away (this binding has EncryptAndSign enabled by default).