I have an rest wcf service integrated with asp.net and deployed in IIS. This is working fine when anonymous authentication is enabled. When it's disabled it's throwing 401 error when i use the rest api call in postman. In IIS anonymous authentication and Forms authentication are enabled. Now i disabled Anonymous and Forms and enabled windows authentication only.
My code is below:
public class SampleWebServiceHostFactory : WebServiceHostFactory
{
private Type ContractServiceType;
private static readonly log4net.ILog log = log4net.LogManager.GetLogger(System.Reflection.MethodBase.GetCurrentMethod().DeclaringType);
public SampleWebServiceHostFactory(Type contractServiceType):base()
{
ContractServiceType = contractServiceType;
}
protected override ServiceHost CreateServiceHost(Type serviceType, Uri[] baseAddresses)
{
WebServiceHost host = (WebServiceHost)base.CreateServiceHost(serviceType,baseAddresses);
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
WebHttpBinding mybinding = new WebHttpBinding(WebHttpSecurityMode.Transport);
mybinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
mybinding.MaxReceivedMessageSize = 2147483647;
mybinding.TransferMode = TransferMode.StreamedRequest;
mybinding.ReaderQuotas.MaxDepth = 1204;
mybinding.ReaderQuotas.MaxStringContentLength = 2147483647;
mybinding.ReaderQuotas.MaxArrayLength = 2147483647;
mybinding.ReaderQuotas.MaxBytesPerRead = 2147483647;
mybinding.ReaderQuotas.MaxNameTableCharCount = 2147483647;
mybinding.SendTimeout = new TimeSpan(4,0,0);
mybinding.ReceiveTimeout = new TimeSpan(4,0,0);
host.AddServiceEndpoint(ContractServiceType, mybinding, "");
host.Description.Behaviors.Add(new RestServiceBehavior());
log.Info("Testing1");
return host;
}
}
the below code in config file
<system.serviceModel>
<client/>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true"/>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="false"/>
<serviceDebug httpHelpPageEnabled="false" httpsHelpPageEnabled="false" includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<webHttpBinding>
<binding receiveTimeout="00:10:00" sendTimeout="00:10:00" maxReceivedMessageSize="2147483647">
<readerQuotas maxDepth="64" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647"/>
</binding>
</webHttpBinding>
</bindings>
</system.serviceModel>
I have enabled logging in Global.asax to see where issue occurs. After the Session_Start method fired i see the log line "Testing1" in the above code. After that no logging and it threw 401 error in postman and keep on asking for username and password when i use the url in in browser.
Now that we have already set up the configuration in the constructor of the WebServiceHostFactory, It is unnecessary to configure it in the configuration file separately.
<webHttpBinding>
<binding receiveTimeout="00:10:00" sendTimeout="00:10:00" maxReceivedMessageSize="2147483647">
<readerQuotas maxDepth="64" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647"/>
</binding>
</webHttpBinding>
I suggest you refer to the below configuration for Windows Authentication.
<system.serviceModel>
<services>
<service name="WcfService3.Service1">
<endpoint address="" behaviorConfiguration="rest" contract="WcfService3.IService1" binding="webHttpBinding" bindingConfiguration="https"></endpoint>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="rest">
<webHttp helpEnabled="true"/>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<webHttpBinding>
<binding name="https">
<security mode="Transport">
<transport clientCredentialType="Windows">
</transport>
</security>
</binding>
</webHttpBinding>
</bindings>
</system.serviceModel>
After that, disable other authentication modes in IIS. We need to provide a pair of windows credentials while calling the service.
The credential is actually the windows account on the server-side, which enables us to access the website.
Feel free to let me know if the problem still exists.
Related
I created a REST api using asp.net vb and I was trying to invoke the api through secure connection (https) but I had an error
The resource cannot be found
I can invoke any method using (http), but with (https) I can't. And I can access the main page of api (service.svc) using the (https) but the problem with functions!! below are my config and function header.
<system.serviceModel>
<services>
<service name="RESTAPI" behaviorConfiguration="MyServiceTypeBehaviors">
<endpoint address="customBinding" binding="customBinding" bindingConfiguration="basicConfig" contract="RESTAPI"/>
<endpoint address="" behaviorConfiguration="HerbalAPIAspNetAjaxBehavior"
binding="webHttpBinding" contract="HerbalAPI" />
<endpoint contract="RESTAPI" binding="mexHttpBinding" address="mex" />
</service>
</services>
<!-- **** Services ****-->
<behaviors>
<serviceBehaviors>
<behavior name="MyServiceTypeBehaviors">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="HerbalAPIAspNetAjaxBehavior">
<webHttp helpEnabled="true" />
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<customBinding>
<binding name="basicConfig">
<binaryMessageEncoding/>
<httpTransport transferMode="Streamed" maxReceivedMessageSize="67108864"/>
</binding>
</customBinding>
</bindings>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"
multipleSiteBindingsEnabled="true" />
API Class
<ServiceContract(Namespace:="")>
<AspNetCompatibilityRequirements(RequirementsMode:=AspNetCompatibilityRequirementsMode.Allowed)>
Public Class RESTAPI
<OperationContract()>
<WebInvoke(Method:="GET", ResponseFormat:=WebMessageFormat.Json, RequestFormat:=WebMessageFormat.Json)>
Public Function test(ByVal st As String) As JSONResultString
//any code
End Function
End Class
You need to define a special binding configuration in your web.config file to allow the SVC service to bind correctly for HTTPS requests.
Please have a look at this blog post: https://weblogs.asp.net/srkirkland/wcf-bindings-needed-for-https
Your service will already be defined in the web.config, just add the bindingConfiguration attribute:
<services>
<service name="TestService">
<endpoint address="" behaviorConfiguration="TestServiceAspNetAjaxBehavior"
binding="webHttpBinding" bindingConfiguration="webBindingHttps" contract="TestService" />
</service>
</services>
Then define the special binding settings for the webHttpBinding as so, the magic part that fixes the HTTPS request is the <security mode="Transport" />:
<bindings>
<webHttpBinding>
<binding name="webBindingHttps">
<security mode="Transport">
</security>
</binding>
</webHttpBinding>
</bindings>
This will effectively switch the service over to HTTPS, but if you want to have both HTTP and HTTPS to work you need to define 2 binding configurations and then have 2 identical endpoints per service, where the one uses the http bindingConfiguration and the other uses the https bindingConfiguration like so:
<bindings>
<webHttpBinding>
<binding name="webBindingHttps">
<security mode="Transport">
</security>
</binding>
<binding name="webBindingHttp">
<!-- Nothing special here -->
</binding>
</webHttpBinding>
</bindings>
<services>
<service name="TestService">
<endpoint address="" behaviorConfiguration="TestServiceAspNetAjaxBehavior"
binding="webHttpBinding" bindingConfiguration="webBindingHttps" contract="TestService" />
<endpoint address="" behaviorConfiguration="TestServiceAspNetAjaxBehavior"
binding="webHttpBinding" bindingConfiguration="webBindingHttp" contract="TestService" />
</service>
</services>
I'd like to deploy a dual interface (SOAP/REST/XML/JSON) WCF service in IIS with just a config file and the binaries and no svc file in the URL
We use VS2012 and .Net 4.5
We have something like it working, I followed a guide here:
http://blogs.msdn.com/b/rjacobs/archive/2010/04/05/using-system-web-routing-with-data-services-odata.aspx
I added a Global class with
public class Global : HttpApplication
{
void Application_Start(object sender, EventArgs e)
{
RegisterRoutes();
}
private void RegisterRoutes()
{
DataServiceHostFactory factory = new DataServiceHostFactory();
RouteTable.Routes.Add(new ServiceRoute("wrap", factory, typeof(NeOtheWrapper)));
}
}
And I used my existing web.config which defines all the endpoints:
<system.serviceModel>
<!-- Clients -->
<client>
<endpoint name="MySoftLive" address="https://backof.somewebsitett.com/Cmp.MySoft.bl/MySoft.svc" binding="basicHttpsBinding" bindingConfiguration="soapSecureBindingConfig" contract="Cmp.MySoft.BL.WCF.MySoftInterface" />
<endpoint name="MySoftTest" address="http://localhost:49957/MySoft.svc" binding="basicHttpBinding" bindingConfiguration="soapBindingConfig" contract="Cmp.MySoft.BL.WCF.MySoftInterface" />
</client>
<!-- Services -->
<services>
<service name="Cmp.MySoft.BL.NeOthe.NeOtheWrapper">
<endpoint name="rest" address="rest" behaviorConfiguration="restEndpointBehaviour" binding="webHttpBinding" bindingConfiguration="restBindingConfig" contract="Cmp.MySoft.BL.NeOthe.INeOtheWrapper"/>
<endpoint name="restSecure" address="rest" behaviorConfiguration="restEndpointBehaviour" binding="webHttpBinding" bindingConfiguration="restSecureBindingConfig" contract="Cmp.MySoft.BL.NeOthe.INeOtheWrapper"/>
<endpoint name="mex" address="mex" behaviorConfiguration="" binding="mexHttpBinding" bindingConfiguration="mexBindingConfig" contract="Cmp.MySoft.BL.NeOthe.INeOtheWrapper"/>
<endpoint name="mexSecure" address="mex" behaviorConfiguration="" binding="mexHttpsBinding" bindingConfiguration="mexSecureBindingConfig" contract="Cmp.MySoft.BL.NeOthe.INeOtheWrapper"/>
<endpoint name="soap" address="soap" behaviorConfiguration="" binding="basicHttpBinding" bindingConfiguration="soapBindingConfig" contract="Cmp.MySoft.BL.NeOthe.INeOtheWrapper"/>
<endpoint name="soapSecure" address="soap" behaviorConfiguration="" binding="basicHttpsBinding" bindingConfiguration="soapSecureBindingConfig" contract="Cmp.MySoft.BL.NeOthe.INeOtheWrapper"/>
</service>
</services>
<!-- Binding Configurations -->
<bindings>
<webHttpBinding>
<binding name="restBindingConfig">
<security mode="None"/>
</binding>
<binding name="restSecureBindingConfig">
<security mode="Transport"/>
</binding>
</webHttpBinding>
<mexHttpBinding>
<binding name="mexBindingConfig"/>
</mexHttpBinding>
<mexHttpsBinding>
<binding name="mexSecureBindingConfig"/>
</mexHttpsBinding>
<basicHttpsBinding>
<binding name="soapSecureBindingConfig">
<security mode="Transport"/>
</binding>
</basicHttpsBinding>
<basicHttpBinding>
<binding name="soapBindingConfig">
<security mode="None"/>
</binding>
</basicHttpBinding>
</bindings>
<!-- Behaviour Configurations -->
<behaviors>
<endpointBehaviors>
<behavior name="restEndpointBehaviour">
<webHttp helpEnabled="true" defaultBodyStyle="Bare" defaultOutgoingResponseFormat="Json" automaticFormatSelectionEnabled="true" faultExceptionEnabled="true" />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<dataContractSerializer maxItemsInObjectGraph="2147483647" />
</behavior>
</serviceBehaviors>
</behaviors>
<!-- Hosting Environment Settings -->
<serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
</system.serviceModel>
It compiles, runs and if I browse to http://mypc:12345/wrap/rest/help I get the auto generated ASP.NET REST help page.
But, if I go to http://mypc:12345/wrap/soap/ I get 400 Bad Request.
I can't suffix that with ?wsdl to get the wsdl, or pass the url to svcutil (soap+xml not expected)
I was hoping the .SVC SOAP place holder page would appear, same as /help does for REST.
If I browse to the .svc file (it's at the same level as /wrap) that works and the soap service works, as does meta data publishing.
Am I using the wrong URL or is my configuration wrong?
If you're using WCF 4.0 or later, you can use "file-less" activation. Add something like the following to config your file:
<serviceHostingEnvironment multipleSiteBindingsEnabled="true">
<serviceActivations>
<add factory="System.ServiceModel.Activation.ServiceHostFactory"
relativeAddress="Soap.svc"
service="Cmp.MySoft.BL.NeOthe.NeOtheWrapper" />
</serviceActivations>
</serviceHostingEnvironment>
This allows you to host a WCF service without a physical .svc file. The relativeAddress is relative to the base address of the site, and you'll need to create the IIS application as usual.
See the "File-Less activation" section in A Developer's Introduction to Windows Communication Foundation 4 for more information.
As it normally happens, I accidentally overwrote my web.config file this morning that has my WCF settings already working perfectly. As you would expect, no backup...shame shame shame on me.
That being said, I can't seem to get my configuration working again.
Here is the error that I keep getting back from IIS/ASP.NET
The message with Action '' cannot be processed at the receiver, due to
a ContractFilter mismatch at the EndpointDispatcher. This may be
because of either a contract mismatch (mismatched Actions between
sender and receiver) or a binding/security mismatch between the sender
and the receiver. Check that sender and receiver have the same
contract and the same binding (including security requirements, e.g.
Message, Transport, None).
Here is an overview of what I have setup.
My Web Config:
<system.serviceModel>
<bindings>
<webHttpBinding>
<binding name="Binding1" maxReceivedMessageSize="10000000">
<readerQuotas maxArrayLength="10000000" />
<security mode="Transport"></security>
</binding>
</webHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<services>
<service name="MyService">
<endpoint address="" binding="webHttpBinding" bindingConfiguration="Binding1" contract="IMyService" />
</service>
</services>
</system.serviceModel>
Here is the declaration in my Service Contract:
[OperationContract]
[WebInvoke(Method = "POST", UriTemplate = "/SSMX", BodyStyle = WebMessageBodyStyle.WrappedRequest, RequestFormat = WebMessageFormat.Json, ResponseFormat = WebMessageFormat.Json)]
sqlStudio_Table_Permissions SSMX(string TableName);
Sadly I just can't seem to remember what I did in my previous configuration to make this work.
Any help would be appreciated.
I'm trying to add workflowControlEndpoint to my IIS hosted XAMLX service. I cannot reference the control endpoint from client, I keep getting the following error
The request failed with HTTP status 404: Not Found.
Metadata contains a reference that cannot be resolved: 'http://localhost/Test.xamlx/wce'.
Content Type application/soap+xml; charset=utf-8 was not supported by service 'http://mymachine/Test.xamlx/wce'. The client and service bindings may be mismatched.
The remote server returned an error: (415) Cannot process the message because the content type 'application/soap+xml; charset=utf-8' was not the expected type 'text/xml; charset=utf-8'..
I've the following web.config. Could someone point to me what I'm missing? Thanks and appreciate the help....
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding closeTimeout="00:10:00" openTimeout="00:10:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" maxReceivedMessageSize="2147483647" transferMode="StreamedResponse">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" />
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" proxyCredentialType="Windows" />
</security>
</binding>
<binding name="httpSecurityOff" closeTimeout="00:10:00" openTimeout="00:10:00" receiveTimeout="00:10:00" sendTimeout="00:10:00" maxReceivedMessageSize="2147483647"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="2147483647" maxBufferPoolSize="2147483647"
transferMode="Streamed" useDefaultWebProxy="true">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" />
<security mode="None">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default"/>
</security>
</binding>
</basicHttpBinding>
<service name="Test">
<endpoint address="" binding="basicHttpBinding" contract="IService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
<endpoint address="wce" binding="basicHttpBinding"
bindingConfiguration="httpSecurityOff"
contract="System.ServiceModel.Activities.IWorkflowInstanceMangement"
kind="workflowControlEndpoint" />
</service>
I was trying to get the IWorkflowInstanceManagement to work via the WCF Test Client, but I never could get it to find the metadata. So I just tried to communicate with it via code. It worked for me.
I created a new Workflow Service project, and my web.config looks like this:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<connectionStrings>
<add name="ApplicationServices" connectionString="data source=localhost\SQLEXPRESS;Initial Catalog=WFS;Integrated Security=True" providerName="System.Data.SqlClient" />
</connectionStrings>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="workflowBehavior">
<serviceMetadata httpGetEnabled="True" />
<serviceDebug includeExceptionDetailInFaults="true" />
<sqlWorkflowInstanceStore instanceCompletionAction="DeleteAll"
instanceEncodingOption="GZip"
instanceLockedExceptionAction="BasicRetry"
connectionStringName="ApplicationServices"
hostLockRenewalPeriod="00:00:20"
runnableInstancesDetectionPeriod="00:00:05" />
<workflowInstanceManagement authorizedWindowsGroup="AS_Administrators" />
<workflowUnhandledException action="Terminate" />
<workflowIdle timeToPersist="00:01:00" timeToUnload="00:01:00" />
</behavior>
<behavior name="wceBehavior">
<serviceMetadata httpGetEnabled="True" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<services>
<service name="Service1" behaviorConfiguration="workflowBehavior">
<endpoint binding="basicHttpBinding" address="" contract="IService" />
<endpoint binding="basicHttpBinding" address="wce" kind="workflowControlEndpoint" />
</service>
</services>
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
Then I created a console app with the following code (I know this is not the best way to use ChannelFactory):
var binding = new BasicHttpBinding(BasicHttpSecurityMode.None);
var channelFactory = new ChannelFactory<IWorkflowInstanceManagement>(binding);
var channel = channelFactory.CreateChannel(new EndpointAddress("http://localhost/WorkflowControlTest/Service1.xamlx/wce"));
channel.Cancel(new Guid("DE212DE0-6BFF-4096-BF30-F6ACB2923B50"));
My workflow just runs in a loop running a delay for a few minutes. I was able to start a workflow instance via the WCF Test Client, then grab the Workflow Instance ID from the persistence database, and then run the console app to cancel the workflow.
Go to "Control Panel > Programs and Features > Turn Windows Features on or off" and check if following features are checked:
.NET Framework 3.5
.NET Framework 4.5 Advanced Services > WCF Services
I'm connecting to a WCF service in an ASP.NET app. I'm logging in using one username and password and passing the actual username of whoevever is logged into the ASP.NET web app in a message header as below.
using (OperationContextScope scope = new OperationContextScope(myService2.InnerChannel))
{
Guid myToken = Guid.NewGuid();
MessageHeader<string> messageHeader = new MessageHeader<string>(HttpContext.Current.User.Identity.Name);
MessageHeader untyped = messageHeader.GetUntypedHeader("token", "ns");
OperationContext.Current.OutgoingMessageHeaders.Add(untyped);
lblResult.Text = myService2.GetData(1231);
}
I'm also using a service certificate as below
<serviceCredentials>
<serviceCertificate findValue="CN=tempCert" />
<userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
membershipProviderName="MySqlMembershipProvider" />
</serviceCredentials>
What I'm worried about is whether this sufficient protection to stop people getting at the username stored in the message header?
ASP.NET config is
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="NewBehavior">
<clientCredentials>
<serviceCertificate>
<authentication revocationMode="NoCheck"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpoint" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
<reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false"/>
<security mode="Message">
<transport clientCredentialType="Windows" proxyCredentialType="None" realm=""/>
<message clientCredentialType="UserName" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="true"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost/WCFTestService/Service.svc" behaviorConfiguration="NewBehavior" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpoint" contract="WCFTestService.IService" name="wsHttpEndpoint">
<identity>
<certificate encodedValue=""/>
</identity>
</endpoint>
</client>
</system.serviceModel>
and at the service side its
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security>
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="ServiceBehavior" name="Service">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding"
name="wsHttpEndpoint" contract="IService">
<!--<identity>
<dns value="" />
</identity>-->
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<serviceCertificate findValue="CN=tempCert" />
<userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
membershipProviderName="MySqlMembershipProvider" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
The big question is: do you have any kind of transport-level or message-level security enabled on your binding? What binding are you using?
If you have transport-level security (typically through using HTTPS over SSL), then you have a point-to-point encrypted transport channel which I would deem very safe.
If you have message-level security using a certificate on the client, too, and you do encrypt the whole message, then you should be safe, too.
It really boils down to what binding you're using and what security settings you're using on that binding. Show us the server's config !
Marc