theBoringCoder
Reputation: 328
How do I secure a WCF Service, hosted in IIS, using BasicHttp binding, and NO SSL Cert?
Is it possible to configure a WCF service that:
- is hosted by IIS
- uses the
basicHttpBindingbinding - does not need an SSL cert
- supports sessions (
ServiceContract(SessionMode:=ServiceModel.SessionMode.Required))
I know the easiest thing to do would be to buy an SSL cert, but for reasons beyond my control I am being required to match the 4 constraints above.
thanks,
Tom
Upvotes: 0
Views: 199
Answers (1)
Ladislav Mrnka
Reputation: 364389
Tell your boss that basicHttpBinding supports real security only when using with SSL certificate (otherwise all data are passed as a plain text) and it doesn't support WCF sessions out of the box. WCF session is dependent on either:
- Transport session (only netTcp or netNamedPipe bindings)
- Reliable session (only netTcp, wsHttp or custom bindings)
- Security session (only wsHttp or custom bindings and it requires either windows authentication or SSL certificate)
Sessions can be probably added by building your own service behavior and replacing IInstaceContextProvider and perhaps also IInstanceProvider.
Upvotes: 3
Related Questions
- How to secure self-hosted WCF WebHttp server?
- Secure WCF service with basicHttpBinding
- HTTPS on basicHttpBinding for WCF Service
- BasicHttpBinding with no security
- Security in WCF without using SSL
- Securing WCF with basichttpbinding
- Securing WCF service using basicHttpBinding which supports streaming
- How to secure a WCF Service not hosted in IIS
- How to secure a WCF restful service?
- Securing a WCF WebService without using a certificate