Configuring a service for multiple message ProtectionLevels while using transport security

StackOverflow https://stackoverflow.com/questions/18450245

  •  26-06-2022

Question

I have a WCF service that I want to use message signing for, but only for certain calls; the rest should not be signed. I can't figure out how to set it up to support both.

The message signing uses a non-Windows username and password that gets verified by a UserNamePasswordValidator on the service side. Both signed and unsigned messages should use transport security.

Here's an example of my interface:

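using System.Net.Security;   // ProtectionLevel
using System.ServiceModel;   // ServiceContract, OperationContract

// The contract default is None; only GetData asks for a signed message.
[ServiceContract(ProtectionLevel = ProtectionLevel.None)]
public interface ISecTest
{
    [OperationContract(ProtectionLevel = ProtectionLevel.Sign)]
    string GetData(string value);

    [OperationContract(ProtectionLevel = ProtectionLevel.None)]
    string GetStuff(string stuff);
}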

The problem I'm running into is that the signing seems to be based entirely on the service's binding configuration, as opposed to the ProtectionLevels defined on the interface.

If I use the following binding, both calls will require username credentials, regardless of the ProtectionLevel attributes:

<wsHttpBinding>
  <binding name="secureWSHttpBindingConfig">
    <security mode="TransportWithMessageCredential">
      <message clientCredentialType="UserName" />
      <transport clientCredentialType="None" />
    </security>
  </binding>
</wsHttpBinding>

If I omit the message security and use the following binding, then neither call requires credentials:

<wsHttpBinding>
  <binding name="tolerantWSHttpBindingConfig">
    <security mode="Transport">
      <transport clientCredentialType="None" />
    </security>
  </binding>
</wsHttpBinding>

Is this a complication from using transport security in addition to the message security? Any advice on how I could accomplish this in a single service (if it's even possible)?

Thanks!

Solution

You cannot mix your protection level when you use transport security. You're going to have to use message security if this is important to you.
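
The answer's suggestion written out as a self-hosted service, as an added example that is not part of the original answer: with `SecurityMode.Message` the per-operation `ProtectionLevel` values on the contract take effect, at the cost of the HTTPS transport the question wanted. The `SecTest` and `DemoValidator` classes, the endpoint address, the credentials and the certificate subject name are assumptions.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

[ServiceContract(ProtectionLevel = ProtectionLevel.None)]
public interface ISecTest
{
    [OperationContract(ProtectionLevel = ProtectionLevel.Sign)]
    string GetData(string value);   // body is signed
    [OperationContract(ProtectionLevel = ProtectionLevel.None)]
    string GetStuff(string stuff);  // body is neither signed nor encrypted
}

public class SecTest : ISecTest
{
    public string GetData(string value) => "data: " + value;
    public string GetStuff(string stuff) => "stuff: " + stuff;
}

// Hypothetical validator; the credentials below are constructed placeholders.
public class DemoValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName != "demo-user" || password != "demo-password")
            throw new System.IdentityModel.Tokens.SecurityTokenException("Unknown user name or password.");
    }
}

public static class Program
{
    public static void Main()
    {
        // Message mode protects individual message parts, so the contract's levels apply.
        var binding = new WSHttpBinding(SecurityMode.Message);
        // The credential type is binding-wide: both operations still carry a username token.
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        var host = new ServiceHost(typeof(SecTest), new Uri("http://localhost:8080/SecTest"));
        host.AddServiceEndpoint(typeof(ISecTest), binding, "");
        // UserName message credentials require a service certificate (subject name assumed).
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "localhost");
        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = System.ServiceModel.Security.UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new DemoValidator();
        host.Open();
        Console.ReadLine();  // keep the host running until Enter
        host.Close();
    }
}
```

Over this HTTP endpoint the `GetStuff` body travels in cleartext, so keep anything sensitive on operations marked `Sign` or `EncryptAndSign`.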

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow