Making a Silverlight WCF SOAP service secured with UserNameOverTransport work over HTTP for network architecture

Question

I have a Silverlight 4 application that uses a WCF SOAP service. The authentication/authorization happens per call (quasi RESTful). This is done by using authenticationMode=UserNameOverTransport - this basically means that that username/password is in each WCF call, but is protected by the SSL encryption of each message. The great thing about this scheme is that I can configure a membership provider in my web.config to do the authentication, making it flexible for different installations.

I have a client that would like to set this website up on their network where the scheme is: Internet <= SSL Traffic => External facing SSL enabled forwarding server <= unsecure HTTP in their internal network => server that hosts my application. They assure me this is a common architecture and I believe them, I am not that experienced an internet application developer.

I am not sure what to do about this as my application is set up to be on the SSL enabled server (UserNameWithTransport is over SSL). in plain HTTP I am not sure how I would get the username which I need to provide the user specific application data. WCF does not provide a "UserNameWithNoTransport" authenticationMode as that would mean sending the username/password in plain text, which is silly. Right now my server side code gets the user from the ServiceSecurityContext.Current.PrimaryIdentity.Name, knowing that the web server has already taken care of the SSL encryption and user authentication. How can I have this work in a way that makes sense in an HTTP solution?

I would like a solution that allows me to configure my solution to work in both the HTTP and HTTPS situation from the web.config, if this is not possible than any other advice is appreciated. thanks

I will place a bounty on this question in a few days, if you give a good answer before then you'll get it.

EDIT: here is the web config as requested:

<?xml version="1.0"?>
<configuration>
  <configSections>
    <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler, log4net" />
  </configSections>

  <system.web>
        <pages controlRenderingCompatibilityVersion="4.0" clientIDMode="AutoID"/>
    <membership defaultProvider="SampleProvider">
      <providers>
        <add name="SampleProvider" type="MyNamespace.NullMembershipProvider, MyDLL"/>
      </providers>
    </membership>    
  </system.web>

  <appSettings>
    ...
  </appSettings>

  <system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
    <bindings>
      <customBinding>
        <binding name="BinaryCustomBinding" sendTimeout="00:10:00">
          <security authenticationMode="UserNameOverTransport"/>
          <binaryMessageEncoding />
          <httpsTransport maxBufferSize="100000" maxReceivedMessageSize="100000" />
        </binding>
      </customBinding>
    </bindings>

    <services>
      <service name="MyNamespace.MyService">
        <endpoint
                    binding="customBinding" bindingConfiguration="BinaryCustomBinding"
                    name="MyService" contract="MyNamespace.IServiceContract" />
      </service>
    </services>

    <behaviors>
      <serviceBehaviors>
        <behavior name="">
          <serviceMetadata
            httpsGetEnabled="true"
            httpGetEnabled="false" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceCredentials>
            <userNameAuthentication
              userNamePasswordValidationMode="MembershipProvider"
              membershipProviderName="SampleProvider"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel> 


  <log4net>
...
  </log4net>
</configuration>

Answer 1

Allowing UserNameOverTransport over HTTP is possible in .NET 4 but I think it is not possible in Silverlight. You need to set allowInsecureTransport attribute of security element:

<customBinding>         
  <binding name="BinaryCustomBinding" sendTimeout="00:10:00">           
    <security authenticationMode="UserNameOverTransport" allowInsecureTranposrt="true"/>             
    <binaryMessageEncoding />           
    <httpTransport maxBufferSize="100000" maxReceivedMessageSize="100000" />           
  </binding>       
</customBinding>

The problem is that allowInsecureTranposrt is not available in Silverlight. Without this you can't use UserName token over unsecured channel.