webHttpBinding security does not contain message node?

Question

I'm trying to apply a client certificate to a WCF REST Service. I have found some details on applying a client certificate that has the following:

<bindings>
  <wsHttpBinding>
    <binding name="wsHttpEndpointBinding">
      <security>
        <message clientCredentialType="Certificate" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

In which case there seems to be no problems. I am however using webHttpBinding and I get an error stating that message is an invalid child of the security node.

Am I going about setting up client certificates improperly? Would anyone be able to point me in the correct direction.

Answer 1

The message node in the wsHttpBinding configuration is about configuring SOAP message security headers, this is why it is not valid for webHttpBinding, which is not based on SOAP (it is REST)

The appropriate security for REST services is most likely transport level - that is HTTPS.

If you want to use message level security, you need to switch to SOAP, but message level is fairly specialist and not necessary in most circumstances.

If you need to use a certificate for webHttpBinding (this means using mutual SSL) you need to set the securityMode to Transport and the clientCredentialType property to Certificate. In config, it looks like this on the server side

  <webHttpBinding>
    <binding name="ClientCertServerSide">
      <security mode="Transport" >
       <transport clientCredentialType="Certificate"/>
      </security> 
    </binding>
  </webHttpBinding> 

On the client side, you can specify the certificate in code (using theHttpWebRequest.ClientCertificates property)or in config. In config it looks like

    <endpointBehaviors>
        <behavior name="ClientCertClientSide">
            <clientCredentials>
                <clientCertificate findValue="put the cert name here" storeLocation="put the store here" />
            </clientCredentials>
        </behavior>
    </endpointBehaviors>