How to secure a Silverlight-Enabled WCF Web Service with SSL?

Question

How do you secure a Silverlight-Enabled WCF Web Service with SSL? I have tried setting it up similar to a regular WCF service secured by SSL, but it doesn't seem to work. What do you set in the Web.Config, and what do you set in the Silverlight's ServiceReferences.ClientConfig?

I noticed that in the ServiceReferences.ClientConfig file of the Silverlight client app that the "Binding" tag only allows basicHttpBinding and NOT wsHttpBinding. Does this mean that you can not secure a Silverlight-Enabled WCF Service? If so are there better approaches to securing it?

Answer 1

in the ServiceReferences.ClientConfig file of the Silverlight client app that the "Binding" tag only allows basicHttpBinding and NOT wsHttpBinding. Does this mean that you can not secure a Silverlight-Enabled WCF Service?

No, it doesn't mean that. You can have a basicHttpBinding and still assign transport-level security (HTTPS with SSL) to it. That shouldn't be a problem.

Marc

PS: Many one of those links gives you more insight and the proverbial "AHA!" :-)

• http://winterdom.com/2007/11/basichttpbindingwithtransportsecurity
• http://silverlight.net/forums/p/13275/44170.aspx
• http://kevindockx.blogspot.com/2009/02/username-authentication-with.html
• http://www.pixel73.com/blog/Default.aspx?g=posts&t=4173
• http://community.irritatedvowel.com/blogs/pete_browns_blog/archive/2008/03/19/WCF-Integration-in-Silverlight-2-Beta-1.aspx
• Link

Answer 2

To create Silverlight-Enabled WCF Web Service using SSL you have to do the following steps:

1. Create standard Silverlight-Enabled WCF Web Service using Visual Studio 2010

2. Change 3 places of webconfig.xml:

   a. In serviceMetadata change httpGetEnabled to httpsGetEnabled like this:

   <behaviors >
     <serviceBehaviors > 
       <behavior name="" > 
         <serviceMetadata httpsGetEnabled="true" />
         <serviceDebug includeExceptionDetailInFaults="false" />
       </behavior>
     </serviceBehaviors>
   </behaviors>
   

   b. In binding change httpTransport to httpsTransport:

   <bindings>
     <customBinding>
       <binding name="Project.Web.YourService.customBinding0">
         <binaryMessageEncoding/>
         <httpsTransport/>
       </binding>
     </customBinding>
   </bindings>
   

   c. in endpoint change binding="mexHttpBinding" to binding="mexHttpsBinding":

   <service name="Project.Web.YourService.YourService">
     <endpoint address="" binding="customBinding" bindingConfiguration="Project.Web.YourService.customBinding0"
     contract="Project.Web.YourService.YourService" />
     <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
   </service>
   

3. Don't use ServiceReferences.ClientConfig. Create everything in code behind - it's easy to deploy on server:

   CustomBinding binding = new CustomBinding(new BinaryMessageEncodingBindingElement(), new HttpsTransportBindingElement());         
   YourServiceReference.YourServiceClient service = new YourServiceReference.YourServiceClient (binding, new EndpointAddress(new Uri( "https:yourhostname/YourService.svc").AbsoluteUri));        
   service.YourMethodCompleted += new EventHandler<YourServiceReference.YourMethodCompleted EventArgs>(service_YourMethodCompleted );
   service.YourMethodAsync();
   

Answer 3

There are three key places that I configure to use https in my own apps.

Web.config

In the behavior tag include this line:

<serviceMetadata httpsGetEnabled="true"/>

For the MEX endpoint, make sure you use the https protocol:

<endpoint address="mex" binding="mexHttpsBinding"
          contract="IMetadataExchange" />

Create a custom binding. The important part is the transport security:

  <basicHttpBinding>
    <binding name="myServicesBinding">
      <security mode="Transport"/>
    </binding>
  </basicHttpBinding>

You can also include the usual authorization stuff:

<authorization>
  <allow users="?"/>
  <deny users="*"/>
</authorization>

Silverlight

On the Silverlight end, either point the ServiceReference at the now secure service, or set up the connections manually in code. the ServiceReferences.ClientConfig file should have the security stuff in it:

<security mode="Transport"/>

And the code version looks like this:

BasicHttpBinding b = new BasicHttpBinding(BasicHttpSecurityMode.Transport);

There are probably more complex things that can be done, but this should be good enough for most people.

Answer 4

WS* is not supported in Silverlight - basically change the URL in the client config to be an https:// url - that's all you can do