WCF UserNameOverTransport using HTTP
by frosty, 03-07-2011 at 10:17 AM (3375 Views)
Hello. In some cases you want to enable UserName authentication on your WCF services but not incur the overhead of HTTPS encryption.
In .NET 4 this seems as if it would be easy, because the binding element's security element contains an allowInsecureTransport attribute.
Setting this to false would seem to allow this to work.
In theory it does; however, there is a problem when you try to generate a proxy from your WSDL.
You will get the following exception:
An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is:
System.InvalidOperationException: An exception was thrown in a call to a policy export extension.
Extension: System.ServiceModel.Channels.TransportSecurityBindingElement
Error: Security policy export failed. The binding contains a TransportSecurityBindingElement but no transport binding element that implements ITransportTokenAssertionProvider. Policy export for such a binding is not supported. Make sure the transport binding element in the binding implements the ITransportTokenAssertionProvider interface. ----> System.InvalidOperationException: Security policy export failed. The binding contains a TransportSecurityBindingElement but no transport binding element that implements ITransportTokenAssertionProvider. Policy export for such a binding is not supported. Make sure the transport binding element in the binding implements the ITransportTokenAssertionProvider interface.
at System.ServiceModel.Channels.TransportSecurityBindingElement.System.ServiceModel.Description.IPolicyExportExtension.ExportPolicy(MetadataExporter exporter, PolicyConversionContext policyContext)
The problem is that the <HttpTransport /> binding element doesn't implement ITransportTokenAssertionProvider. However, there is a workaround for this: create your own HttpTransport binding element that does.
I ran across this Microsoft blog which explains how to do it.
http://blogs.msdn.com/b/distributeds...e-devices.aspx
I found another implementation of this here.
http://offroadcoder.com/CommentView,...e393d2c6a.aspx
With these in place and using your new Transport element in your config file, you should be able to generate your proxy.
However, I'm still finding a couple of issues that require manual changes. Trying to access the service from your client, you will still get the following exception:
The 'CustomBinding'.'http://tempuri.org/' binding for the 'IMembershipService'.'http://n-stech.com/MembershipService/2011/03' contract is configured with an authentication mode that requires transport level integrity and confidentiality. However the transport cannot provide integrity and confidentiality.
This is because the allowInsecureTransport=true setting required in the security element isn't getting generated on the client side, so I've found I have to add it manually.
<security defaultAlgorithmSuite="Default" authenticationMode="UserNameOverTransport"
Also, I'm finding the following warning generated in the client-side config file.
<!-- WsdlImporter encountered unrecognized policy assertions in ServiceDescription 'http://n-stech.com/2011/02': -->
<!-- <wsdl:binding name='customBinaryEndpointMembership'> -->
<!-- <sp:HttpToken xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">..</sp:HttpToken> -->
In the custom class you have to create to implement ITransportTokenAssertionProvider, there is a GetTransportTokenAssertion() method. In this method, they create a TransTokAssert XmlElement using HttpToken.
Apparently HttpToken doesn't have a policy, because if you change HttpToken to HttpsToken, you don't see the warning.
However, the client then generates an <HttpsTransport> element instead of the HttpTransport. I haven't tried anything else with this, but just make note of it. If you find better workarounds to these, please share. The web.config for the binding will look something like this.
Code:
<customBinding>
  <binding name="customBinaryEncodingBinding" allowCookies="true" maxBufferSize="2524288" maxBufferPoolSize="2524288" maxReceivedMessageSize="2524288">
    <binaryMessageEncoding>
      <readerQuotas maxDepth="50" maxArrayLength="2000000" maxStringContentLength="2000000" />
    </binaryMessageEncoding>
    <!-- You must manually add allowInsecureTransport="True" to the client config -->
    <security authenticationMode="UserNameOverTransport" allowInsecureTransport="True">
    </security>
    <!-- If no authentication required. In order to generate the WSDL, you must comment this out and enable the HttpTransportElementWithWSDL transport. However, if you leave the HttpTransportElementWithWSDL enabled, the WCF service configurator will not work. -->
    <httpTransport maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" />
    <!-- <HttpTransportElementWithWSDL maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" /> -->
  </binding>
</customBinding>
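The custom transport referred to above, written out as an added example (not the code from either linked blog): an HttpTransportBindingElement subclass that implements ITransportTokenAssertionProvider so policy export succeeds, plus the configuration element that lets it replace <httpTransport /> in the customBinding. Class names, the assembly name and the config extension name are assumptions.

```csharp
using System;
using System.ServiceModel.Channels;
using System.ServiceModel.Configuration;
using System.Xml;

// Hypothetical name; pick your own. Derives from the stock HTTP transport and
// adds the interface the policy exporter looks for.
public class HttpTransportWithTokenAssertion
    : HttpTransportBindingElement, ITransportTokenAssertionProvider
{
    public HttpTransportWithTokenAssertion() { }

    protected HttpTransportWithTokenAssertion(HttpTransportWithTokenAssertion other)
        : base(other) { }

    // CustomBinding clones each binding element before exporting policy. Without
    // this override the clone is a plain HttpTransportBindingElement and the
    // exporter still reports no ITransportTokenAssertionProvider.
    public override BindingElement Clone()
    {
        return new HttpTransportWithTokenAssertion(this);
    }

    // The sp:HttpToken assertion the exporter asks the transport for. This only
    // satisfies policy export: with allowInsecureTransport="true" the
    // UsernameToken still crosses the wire unencrypted, so the network path
    // between client and service has to be trusted.
    public XmlElement GetTransportTokenAssertion()
    {
        XmlDocument doc = new XmlDocument();
        return doc.CreateElement("sp", "HttpToken",
            "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy");
    }
}

// Registers the transport for use from config (assumed names):
//   <bindingElementExtensions>
//     <add name="httpTransportWithTokenAssertion"
//          type="YourNamespace.HttpTransportWithTokenAssertionElement, YourAssembly" />
//   </bindingElementExtensions>
// Reusing HttpTransportElement keeps maxReceivedMessageSize etc. working.
public class HttpTransportWithTokenAssertionElement : HttpTransportElement
{
    public override Type BindingElementType
    {
        get { return typeof(HttpTransportWithTokenAssertion); }
    }

    protected override TransportBindingElement CreateDefaultBindingElement()
    {
        return new HttpTransportWithTokenAssertion();
    }
}
```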