Question

I wrote a custom WCF binding a while back to allow my load balanced farm to host services via IIS. The reason for the custom binding was that each server didn't have SSL but needed the ability to accept a client credential of username + password. The proxy in front of this farm has SSL so the traffic would be encrypted outside the firewall. This custom binding works fine but now I'm at the point where I need to watch the traffic from my machine locally and wanted to do this without SSL in the mix.

The issue is this - on the .NET client, if I set my security mode = "TransportWithMessageCredential" I must have SSL, else I get the fun error "invalid scheme, expected https".

Is it possible to write something custom for the client to "ignore" that SSL is missing but still let me pass the username + password via the SOAP header?


Solution

Yup, I wrote a blog post about this a while back called "How To: SSL Passthrough with WCF --or-- TransportWithMessageCredential over plain HTTP".

The short of it is that you need to create your own HttpTransportBindingElement subclass which "lies" about providing security.
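The shape of such a subclass, as an added example (my own reconstruction of the pattern, not the code from the blog post above; class names are mine, and it assumes .NET 3.5/WCF with the same binding used on the client and on the IIS-hosted service):

```csharp
using System.Net.Security;
using System.ServiceModel.Channels;

// Transport element that still speaks plain HTTP but reports the security
// capabilities WCF expects from an HTTPS transport. The UserName-over-transport
// security element consults ISecurityCapabilities when the binding is built, so
// answering "server authenticated, encrypted" here is what lets
// TransportWithMessageCredential proceed without https://.
public class SslPassthroughHttpTransportBindingElement : HttpTransportBindingElement
{
    public SslPassthroughHttpTransportBindingElement() { }

    // Copy constructor so Clone() keeps this subclass; WCF clones binding elements freely.
    protected SslPassthroughHttpTransportBindingElement(SslPassthroughHttpTransportBindingElement other)
        : base(other) { }

    public override BindingElement Clone() => new SslPassthroughHttpTransportBindingElement(this);

    public override T GetProperty<T>(BindingContext context)
    {
        if (typeof(T) == typeof(ISecurityCapabilities))
            return (T)(object)new ClaimedTransportSecurityCapabilities();
        return base.GetProperty<T>(context);
    }

    // What an HTTPS transport reports for server-only SSL; claimed here, not actually provided.
    private sealed class ClaimedTransportSecurityCapabilities : ISecurityCapabilities
    {
        public ProtectionLevel SupportedRequestProtectionLevel => ProtectionLevel.EncryptAndSign;
        public ProtectionLevel SupportedResponseProtectionLevel => ProtectionLevel.EncryptAndSign;
        public bool SupportsClientAuthentication => false;
        public bool SupportsClientWindowsIdentity => false;
        public bool SupportsServerAuthentication => true;
    }
}

public static class PassthroughBindingFactory
{
    // Same stack as wsHttpBinding with TransportWithMessageCredential + UserName, but over http://.
    public static Binding Create()
    {
        var security = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
        var encoding = new TextMessageEncodingBindingElement();
        var transport = new SslPassthroughHttpTransportBindingElement();
        return new CustomBinding(security, encoding, transport);
    }
}
```

With this binding the UserName token travels in the SOAP header in clear text on every hop that is not covered by the upstream SSL proxy, which is what makes it visible in a local trace and also what has to be kept inside the trusted segment of the farm.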

OTHER TIPS

There is a hotfix for .NET 3.5 SP1 that adds an AllowInsecureTransport property to the SecurityBindingElement. This will also be in .NET 4 beta 2.

I assume, on your custom binding, that you also get an error if you just use security mode="Message"? A custom binding wasn't really necessary, since (if I'm not mistaken) you can use the wsHttpBinding with security mode="Message" (not requiring SSL).

Another alternative is to just generate an SSL certificate yourself, install it in IIS, and implement a trust all certificate policy in your calling code, but this is generally frowned upon (as is sending user names and passwords over an insecure channel).

A third option is to change your contract's operations to accept user names and passwords (or some sort of token) as a parameter, or change your data contracts so you can send the information along with whatever object you may already be sending.

Licensed under: CC-BY-SA with attribution