7

How do you secure a Silverlight-Enabled WCF Web Service with SSL? I have tried setting it up similar to a regular WCF service secured by SSL, but it doesn't seem to work. What do you set in the Web.Config, and what do you set in the Silverlight's ServiceReferences.ClientConfig?

I noticed that in the ServiceReferences.ClientConfig file of the Silverlight client app that the "Binding" tag only allows basicHttpBinding and NOT wsHttpBinding. Does this mean that you can not secure a Silverlight-Enabled WCF Service? If so are there better approaches to securing it?

John Saunders
  • 160,644
  • 26
  • 247
  • 397
Yttrium
  • 2,057
  • 7
  • 25
  • 28

4 Answers4

11

There are three key places that I configure to use https in my own apps.

Web.config

In the behavior tag include this line:

<serviceMetadata httpsGetEnabled="true"/>

For the MEX endpoint, make sure you use the https protocol:

<endpoint address="mex" binding="mexHttpsBinding"
          contract="IMetadataExchange" />

Create a custom binding. The important part is the transport security:

  <basicHttpBinding>
    <binding name="myServicesBinding">
      <security mode="Transport"/>
    </binding>
  </basicHttpBinding>

You can also include the usual authorization stuff:

<authorization>
  <allow users="?"/>
  <deny users="*"/>
</authorization>

Silverlight

On the Silverlight end, either point the ServiceReference at the now secure service, or set up the connections manually in code. the ServiceReferences.ClientConfig file should have the security stuff in it:

<security mode="Transport"/>

And the code version looks like this:

BasicHttpBinding b = new BasicHttpBinding(BasicHttpSecurityMode.Transport);

There are probably more complex things that can be done, but this should be good enough for most people.

Samuel McAravey
  • 364
  • 1
  • 4
3

To create Silverlight-Enabled WCF Web Service using SSL you have to do the following steps:

  1. Create standard Silverlight-Enabled WCF Web Service using Visual Studio 2010

  2. Change 3 places of webconfig.xml:

    a. In serviceMetadata change httpGetEnabled to httpsGetEnabled like this:

    <behaviors >
  <serviceBehaviors > 
    <behavior name="" > 
      <serviceMetadata httpsGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="false" />
    </behavior>
  </serviceBehaviors>
</behaviors>

    b. In binding change httpTransport to httpsTransport:

    <bindings>
  <customBinding>
    <binding name="Project.Web.YourService.customBinding0">
      <binaryMessageEncoding/>
      <httpsTransport/>
    </binding>
  </customBinding>
</bindings>

    c. in endpoint change binding="mexHttpBinding" to binding="mexHttpsBinding":

    <service name="Project.Web.YourService.YourService">
  <endpoint address="" binding="customBinding" bindingConfiguration="Project.Web.YourService.customBinding0"
  contract="Project.Web.YourService.YourService" />
  <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>

  3. Don't use ServiceReferences.ClientConfig. Create everything in code behind - it's easy to deploy on server:

    CustomBinding binding = new CustomBinding(new BinaryMessageEncodingBindingElement(), new HttpsTransportBindingElement());         
YourServiceReference.YourServiceClient service = new YourServiceReference.YourServiceClient (binding, new EndpointAddress(new Uri( "https:yourhostname/YourService.svc").AbsoluteUri));        
service.YourMethodCompleted += new EventHandler<YourServiceReference.YourMethodCompleted EventArgs>(service_YourMethodCompleted );
service.YourMethodAsync();
BenMorel
  • 34,448
  • 50
  • 182
  • 322
Przemek
  • 31
  • 2
3

in the ServiceReferences.ClientConfig file of the Silverlight client app that the "Binding" tag only allows basicHttpBinding and NOT wsHttpBinding. Does this mean that you can not secure a Silverlight-Enabled WCF Service?

No, it doesn't mean that. You can have a basicHttpBinding and still assign transport-level security (HTTPS with SSL) to it. That shouldn't be a problem.

Marc

PS: Many one of those links gives you more insight and the proverbial "AHA!" :-)

Glorfindel
  • 21,988
  • 13
  • 81
  • 109
marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
  • Thanks! Though I'm confused as to what do I put in the Web.Config file that hosts the service? Is it just basicHttpBinding with transport security? I tried that and it returns a "Not Found" error. – Yttrium May 09 '09 at 18:20
  • Does your server that hosts the service have an SSL certificate installed and all? If you want to use SSL transport-level security, SSL at the transport level has to be setup correctly beforehand. – marc_s May 10 '09 at 08:21
  • Yes, the site has a working SSL, I can access an .ASMX service using transport security and pointing it to https in the Silverlight config file. But I can't for the life of me get it find a Silverlight-Enabled WFC service through https with transport security. – Yttrium May 14 '09 at 14:29
  • There's a number of ways you can set up transport security - just "transport", or "transportwithmessagecredentials" and another one I forget right now. I am not 100% sure what a Silverlight environment would expect - but basically, you have to have the same settings on both ends of your communications channel. – marc_s May 14 '09 at 14:45
-2

WS* is not supported in Silverlight - basically change the URL in the client config to be an https:// url - that's all you can do

blowdart
  • 55,577
  • 12
  • 114
  • 149