TechQA.

Securing WCF with basichttpbinding

3.8k views Asked by At

I am using basicHttpBinding,message security and x509 certificate in my WCF service(.Net Framework 4.0).The config looks like this:

<?xml version="1.0"?>
<configuration>

  <system.web>
    <compilation debug="true" targetFramework="4.0" />
  </system.web>

  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceBehavior">
          <serviceMetadata httpGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="true"/>
          <serviceCredentials>
            <serviceCertificate findValue="MyWebSite" storeLocation="LocalMachine"
             storeName="My" x509FindType="FindBySubjectName" />
            <userNameAuthentication userNamePasswordValidationMode="Custom"
             customUserNamePasswordValidatorType="CToSave.ValidateClient, CToSave" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true"/>

    <standardEndpoints>
      <webScriptEndpoint>
        <standardEndpoint crossDomainScriptAccessEnabled="True"/>
      </webScriptEndpoint>
    </standardEndpoints>

    <services>
      <service behaviorConfiguration="ServiceBehavior" name="CToSave.MyService">
        <endpoint address="" binding="basicHttpBinding" contract="CToSave.IMyService" bindingConfiguration="BindingConfig"/>
      </service>
    </services>

    <bindings>

      <basicHttpBinding>
        <binding name="BindingConfig" openTimeout="00:50:00" sendTimeout="00:50:00" receiveTimeout="00:50:00" closeTimeout="00:50:00" maxReceivedMessageSize="2147483647">
          <security mode="Message">
            <message clientCredentialType="Certificate"/>
          </security>
        </binding>
      </basicHttpBinding>

    </bindings>
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>


</configuration>

A PHP client will be consuming this service. In order to consume it,will the client need a certificate at his end?I would prefer that the client doesnt have to generate a certificate.

If the clinet has to get a certificate,will my config change? If yes,what changes will I have to make?

I have read dozens of articles on basihttpbinding+security but none of them indicate anything about the certificate on the client-side. Please help.

wcf wcf-security x509certificate basichttpbinding
Original Q&A
2

There are 2 answers

10
Yaron Naveh On

Yes, client needs a certificate because of this:

<security mode="Message">
    <message clientCredentialType="Certificate"/>
</security>

In general client does not generate its own certificate but gets it from agree provider (can be cert authority in the organization or a public authority or service owner).

In any case you need a good WS-Security library for PHP since you need to generate the message format WCF expects (this is message level security).

0
vitaliy zadorozhnyy On

Related Questions in WCF

Related Questions in WCF-SECURITY

Related Questions in X509CERTIFICATE

Related Questions in BASICHTTPBINDING

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions