WCF endpoint only on localhost? [duplicate] - asp.net

This question already has an answer here:
Closed 10 years ago.
Possible Duplicate:
Restricting WCF Service access to only localhost
I have a WCF method set up for a .NET project.
I can enable the endpoint to work over https and / or http.
However, I only want the HTTP version (bindingConfiguration="webBinding") to work on localhost. Is there a way to restrict this in the web.config?
I had very limited success setting <endpoint address="localhost/myproj/mysvc.svc" /> but ultimately it didn't work.

Source: Configure WCF for LOCALHOST-only listening
Try to set the BasicHttpBinding.HostNameComparisonMode Property to HostNameComparisonMode.Exact.
Or in the config file:
<bindings>
<basicHttpBinding>
<binding name="Binding1"
hostNameComparisonMode ="Exact">
<security mode="None" />
</binding>
</basicHttpBinding>
</bindings>
But better is to use the named pipe binding, which should support whatever message exchange pattern you are using (it supports request-response, as well as the same concurrency and session state modes that WS supports).
From the section of MSDN titled "Choosing a Transport"
Hope this helps.
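The named pipe option recommended in the answer above, as an added example (not the poster's code): a self-hosted .NET Framework service exposed only over net.pipe, which WCF serves to callers on the same machine, plus a local client call. The contract ILocalSvc, the class LocalSvc and the address net.pipe://localhost/myproj/mysvc are made-up names for illustration.

```csharp
using System;
using System.ServiceModel;   // reference the System.ServiceModel assembly

// Hypothetical contract and implementation, for illustration only
[ServiceContract]
public interface ILocalSvc
{
    [OperationContract]
    string Ping(string text);
}

public class LocalSvc : ILocalSvc
{
    public string Ping(string text) { return "pong:" + text; }
}

public static class Program
{
    public static void Main()
    {
        // net.pipe is WCF's on-machine transport: no TCP or HTTP listener is
        // opened, so there is nothing for another host to connect to.
        Uri baseAddress = new Uri("net.pipe://localhost/myproj");
        using (ServiceHost host = new ServiceHost(typeof(LocalSvc), baseAddress))
        {
            // Default NetNamedPipeBinding security is Transport (EncryptAndSign)
            host.AddServiceEndpoint(typeof(ILocalSvc), new NetNamedPipeBinding(), "mysvc");
            host.Open();

            // Local client using the same binding and the combined address
            ChannelFactory<ILocalSvc> factory = new ChannelFactory<ILocalSvc>(
                new NetNamedPipeBinding(),
                new EndpointAddress("net.pipe://localhost/myproj/mysvc"));
            ILocalSvc proxy = factory.CreateChannel();
            Console.WriteLine(proxy.Ping("hello"));   // request-response over the pipe

            ((IClientChannel)proxy).Close();
            factory.Close();
        }
    }
}
```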

Related

Could not find a base address that matches scheme https for the endpoint

<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="DataSoap" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
<security mode="Transport" />
</binding>
</basicHttpBinding>
<customBinding>
<binding name="CustomBinding_GetData">
<binaryMessageEncoding />
<httpsTransport maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="https://localhost/MyApp.Web/Webservice/Data.asmx"
binding="basicHttpBinding" bindingConfiguration="DataSoap"
contract="ServiceReference1.DataSoap" name="DataSoap" />
<endpoint address="https://localhost/MyApp.Web/Webservice/GetData.svc"
binding="customBinding" bindingConfiguration="CustomBinding_GetData"
contract="GetData.GetData" name="CustomBinding_GetData" />
</client>
</system.serviceModel>
</configuration>
Hello everyone, above is my Silverlight application's ServiceReferences.ClientConfig file. The site is configured to be accessed over https. From the above file, I would imagine I have everything configured correctly. I can browse to my service from my local development environment successfully, but after deploying the application in my QA environment, browsing to the service gives me the error below.
Could not find a base address that matches scheme https for the endpoint with binding CustomBinding. Registered base address schemes are [http].
Any idea why http is still being picked as the registered base address scheme only in QA but not in my local development environment?
EDIT:
@Brian, thanks for the reply, let me give you more information just in case it gives a much clearer picture.
The site is configured for SSL, but the SSL certificate is installed on a load balancer which I have no access to.
Now from the error message, it would seem like I have to configure Host Headers and Secure Site Bindings in IIS, but can I really do this from IIS when the SSL certificate is installed and managed from the load balancer?
It looks like the https binding is what is missing, because I can reproduce the exact same error message from my development machine if I temporarily remove the https binding I created following this link.
http://weblogs.asp.net/scottgu/tip-trick-enabling-ssl-on-iis7-using-self-signed-certificates.
So would I be right to think that I need that https binding on the load balancer rather than in IIS because the site has no SSL certificate of its own in IIS?
I ran into this problem. Basically, the URL identity associated with the certificate doesn't match the URL of the website from which it comes ... at least that was my problem.
I was able to work around this client-side security check by specifically setting (in code) the System.ServiceModel.EndpointIdentity to the URL I was connecting to.
There's a CreateDnsIdentity() function to which you give the URL of the website you're hitting.
Here's a link to the MS documentation: http://msdn.microsoft.com/en-us/library/system.servicemodel.endpointidentity.creatednsidentity(v=vs.110).aspx
I'm not sure how you'd configure this without using code.
String sFullURL = "http://MyDNSServer:8001/SomeService";
String sDNS = "MyDNSServer";
System.ServiceModel.EndpointAddress Endpoint;
System.ServiceModel.EndpointIdentity Identity = default (System.ServiceModel.EndpointIdentity);
// DNS name the client expects the service certificate to present
Identity = System.ServiceModel.EndpointIdentity.CreateDnsIdentity(sDNS);
// Attach the expected identity to the address the client connects to
Endpoint = new System.ServiceModel.EndpointAddress(new Uri(sFullURL), Identity);
UPDATE
OK, so imagine you had a web service and the public address for this web service was IP https:// 10.134.116.161:8001/MyService. The certificate below would pass the client-side cert verification check and you would not get an error. But if this certificate shown in the picture below is deployed on public URL https:// XZYCorp:8001/MyService, you'll get that error. So you either need to override the client side cert verification check or change the cert on the LB.

HowTo: Pass Windows user credentials of asp.net intranet user to WCF service

I would like to pass the Windows credentials of the user using my ASP.NET MVC application to a WCF service. I want to achieve this via configuration only so that this happens transparently in code.
(This question was originally asked in a too specific manner, as can be seen in the revisions. I only re-asked this in a better way to answer my own in hopes it might help someone. It turned out to be a pretty simple task).
In the web.config (client and server), in the <system.serviceModel> section add/modify a binding to look something like this:
<basicHttpBinding>
<binding name="MyBasicBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>
And, add this to client side web.config <system.web> section:
<identity impersonate="true" />
<authentication mode="Windows" />
The two changes will make the end-user the current user of the web request which will then be sent in the WCF message.
The user can then be retrieved on the server side like this:
ServiceSecurityContext.Current.WindowsIdentity

Consume SOAP based web service with https

I'm integrating an ASP.NET application, which must consume a 3rd party SOAP web service, which can only be accessed by HTTPS. I add a service reference in VS2012 with the HTTPS URL and VS finds the service just fine. But when I use the proxy that VS creates to use the web service, it uses regular HTTP.
I suspect that I should alter the binding in the web.config, but I can't seem to figure out what to do. How do I set up the web service to use HTTPS?
You need to make sure that the binding the client uses has security mode="Transport" set up (and that the client binding matches the server binding), something like this for example:
<binding name="yourClientSecureBinding">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
and that the client indeed accesses the httpS:// address of the web service:
<client>
<endpoint bindingConfiguration="yourClientSecureBinding"
address="https://..."
... />
</client>
You are not providing any code, so for starters have a look at these posts: here (Microsoft developer network - Transport Security with an Anonymous Client) and here (Https with BasicHTTPBinding).

Making WCF service work

I'm using Visual Studio Express 2010. I've created a WCF service called OperatorService.svc. Two files were added to my App_Code: IOperatorService.cs and OperatorService.cs.
My web.config was updated with
<system.serviceModel>
<services>
<service name="OperatorService">
<endpoint address="https://ssl.mysite.com/WCF/OperatorService"
binding="ws2007HttpBinding"
bindingConfiguration="SecurityByTransport"
contract="IOperatorService" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="SecurityByTransport">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</basicHttpBinding>
</bindings>
</system.serviceModel>
Now when I'm trying to access this service online, I get an error to create EndPoint, but I can't figure out how to create EndPoint, especially when the WCF address is an SSL (HTTPS) enabled website.
Can someone help meh?
The endpoint address, if you are IIS hosting, should be either left empty or a relative address.
WCF services can have base addresses. A base address defines a core part of the address space that the service can listen on and endpoints are defined relative to that base address. If you leave the address empty then the endpoint listens on the base address.
When you are self hosting you can specify a base address in a couple of different ways: in the ServiceHost constructor or in the config file. However, if you are IIS hosting then the base address is already a given - it is the location of the .svc file.
As far as HTTPS goes, if you say that you are using transport security then the base address will automatically map to HTTPS as long as that is enabled as a protocol in the web application in IIS Manager. However, if you are using the Visual Studio Web Development Server (aka Cassini) then that does not support SSL.
Launch the WCF config tool (SvcConfigEditor.exe; it is available in the menu of Visual Studio, otherwise the path should be C:\Program Files\Microsoft SDKs\Windows\v6.0\Bin) and open your config file. It is a GUI tool to help you make a correct config.
The error in the config file is an incomplete endpoint element; you need to specify some attributes on the endpoint to make it work. The easiest way is to use the config tool, but of course it can be hand written. MSDN has a reference on the syntax.

implementing Ws-security within WCF proxy

I have imported an axis based wsdl into a VS 2008 project as a service reference.
I need to be able to pass security details such as username/password and nonce values to call the axis based service.
I have looked into doing it for WSE, which I understand the world hates (no issues there).
I have very little experience of WCF, but have worked out how to physically call the endpoint now, thanks to SO, but have no idea how to set up the SoapHeaders as the schema below shows:
<S:Envelope
xmlns:S="http://www.w3.org/2001/12/soap-envelope"
xmlns:ws="http://schemas.xmlsoap.org/ws/2002/04/secext">
<S:Header>
<ws:Security>
<ws:UsernameToken>
<ws:Username>aarons</ws:Username>
<ws:Password>snoraa</ws:Password>
</ws:UsernameToken>
</ws:Security>
•••
</S:Header>
•••
</S:Envelope>
Any help much appreciated
Thanks, Mark
In order to call these kind of services, you will typically use either basicHttpBinding (that's SOAP 1.1 without WS-* implementations) or then wsHttpBinding (SOAP 1.2, with WS-* implementations).
The main issue will be getting all the security parameters right. I have a similar web service (Java-based) that I need to call - here's my settings and code:
app./web.config
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="SoapWithAuth" useDefaultWebProxy="false">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Basic" proxyCredentialType="None" realm="" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint name="SoapWithAuth"
address="http://yourserver:port/YourService"
binding="basicHttpBinding"
bindingConfiguration="SoapWithAuth"
contract="IYourService" />
</client>
</system.serviceModel>
and then in your client's code when calling the service, you need this snippet of code:
IYourServiceClient client = new IYourServiceClient();
client.ClientCredentials.UserName.UserName = "username";
client.ClientCredentials.UserName.Password = "top-secret";
Does that help at all?
The WCF client proxy doesn't support the password digest option. The only way to do this is to build the UsernameToken yourself and then inject it into the SOAP headers before the message is sent.
I had a similar problem which is described here, which should be enough to help you solve your same issue.
I ended up using the old WSE3.0 library for the UsernameToken, rather than coding the hashing algorithm myself and then using a custom behavior to alter the SOAP headers.
