WCF wsHttpBinding securiy without SSL and certificate

2.4k views Asked by At

I want a secure WCF service which would be used over internet. There are few light methods, so performance is not an issue (message size). I prefer port 80 (web) for firewall issues so TCP binding is not preferred. Also SSL is not an option in my case.

As I researched wsHttpBinding with MessageLevel security is the best choice for my scenario. I configured the service and client can successfully receive data. When I inspect the service with WcfTestClient.exe and invoke the service, I can see SOAP message XML in this tool. My request and response are in plain text without any encryption.

There are some examples of using certificates at service side, and username password at client side. I want username/password based security at both sides but cannot find the example on the web.

Is it possible ? (If yes, please provide a link)

Thanks

1

There are 1 answers

0
Ladislav Mrnka On BEST ANSWER

It is not possible. If you want message level security (encryption, signing, authentication) over Internet you must use user name and password for clients (provides client authentication) and certificate for service (service authentication to client and exchange of key for encryption and signing).