
Is it possible to hack a WCF client to pass message credentials w/out SSL?

Developer https://www.devze.com 2022-12-10 07:16 Source: web

I wrote a custom WCF binding a while back to allow my load balanced farm to host services via IIS. The reason for the custom binding was that each server didn't have SSL but needed the ability to accept a client credential of username + password. The proxy in front of this farm has SSL so the traffic would be encrypted outside the firewall. This custom binding works fine but now I'm at the point where I need to watch the traffic from my machine locally and wanted to do this w/out SSL in the mix.

The issue is this: on the .NET client, if I set my security mode = "TransportWithMessageCredential" I must have SSL, else I get the fun error "invalid scheme, expected https".

Is it possible to write something custom for the client to "ignore" that SSL is missing but still let me pass the username + password via the SOAP header?


Yup, I wrote a blog post about this a while back called "How To: SSL Passthrough with WCF --or-- TransportWithMessageCredential over plain HTTP".

The short of it is that you need to create your own HttpTransportBindingElement subclass which "lies" about providing security.


There is a hotfix for .NET 3.5 SP1 that adds an AllowInsecureTransport property to the SecurityBindingElement. This will also be in .NET 4 beta 2.
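Both answers above, the transport element that "lies" about its security capabilities and the AllowInsecureTransport opt-in, written out as one added C# example. This code is not from the thread, the cited blog post, or the hotfix; IMyService, the endpoint URL and the credentials are placeholders. The same binding has to be installed on the service side too (for the subclass approach, via code or a BindingElementExtensionElement), and in both cases the wsse:UsernameToken travels in clear text over plain HTTP, so this is only appropriate for local debugging or behind an SSL-terminating proxy like the one the asker describes.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Added example; not code from the original thread or blog post.
// Approach 1 (first answer): a transport element that reports the
// ISecurityCapabilities HTTPS would report. The security binding element
// queries this before it will stack UserNameOverTransport on the transport;
// an honest plain-HTTP answer is what gets the binding rejected.
public class SslPassthroughHttpTransportBindingElement : HttpTransportBindingElement
{
    public SslPassthroughHttpTransportBindingElement() { }

    protected SslPassthroughHttpTransportBindingElement(SslPassthroughHttpTransportBindingElement other)
        : base(other) { }

    public override BindingElement Clone()
    {
        // The binding stack is cloned when a channel factory is built, so the
        // override must survive cloning or the stock element's answer comes back.
        return new SslPassthroughHttpTransportBindingElement(this);
    }

    public override T GetProperty<T>(BindingContext context)
    {
        if (typeof(T) == typeof(ISecurityCapabilities))
            return (T)(object)new ClaimedCapabilities();
        return base.GetProperty<T>(context);
    }

    // Claims server authentication plus signed and encrypted traffic, which is
    // exactly what the SSL-terminating proxy, not this element, actually provides.
    private sealed class ClaimedCapabilities : ISecurityCapabilities
    {
        public ProtectionLevel SupportedRequestProtectionLevel  { get { return ProtectionLevel.EncryptAndSign; } }
        public ProtectionLevel SupportedResponseProtectionLevel { get { return ProtectionLevel.EncryptAndSign; } }
        public bool SupportsClientAuthentication  { get { return false; } }
        public bool SupportsClientWindowsIdentity { get { return false; } }
        public bool SupportsServerAuthentication  { get { return true; } }
    }
}

public static class PlainHttpUserNameBindings
{
    // Approach 1: UserNameOverTransport stacked on the lying transport element.
    public static Binding WithLyingTransport()
    {
        SecurityBindingElement security =
            SecurityBindingElement.CreateUserNameOverTransportBindingElement();
        return new CustomBinding(
            security,
            new TextMessageEncodingBindingElement(),
            new SslPassthroughHttpTransportBindingElement());
    }

    // Approach 2 (second answer; .NET 4 or .NET 3.5 SP1 with the hotfix):
    // the stock transport element plus an explicit opt-in on the security element.
    public static Binding WithAllowInsecureTransport()
    {
        SecurityBindingElement security =
            SecurityBindingElement.CreateUserNameOverTransportBindingElement();
        security.AllowInsecureTransport = true;
        return new CustomBinding(
            security,
            new TextMessageEncodingBindingElement(),
            new HttpTransportBindingElement());
    }
}

// Placeholder contract standing in for the asker's real service.
[ServiceContract]
public interface IMyService
{
    [OperationContract]
    string Ping();
}

public static class ClientDemo
{
    // Client side: same binding the service uses, plus the username/password
    // that ends up in the SOAP header as a UsernameToken.
    public static string CallOverPlainHttp(string url, string user, string password)
    {
        var factory = new ChannelFactory<IMyService>(
            PlainHttpUserNameBindings.WithAllowInsecureTransport(),
            new EndpointAddress(url));   // e.g. "http://localhost/MyService.svc" (placeholder)
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;

        IMyService proxy = factory.CreateChannel();
        try
        {
            // A local sniffer now shows the wsse:UsernameToken, password included, in clear text.
            return proxy.Ping();
        }
        finally
        {
            ((IClientChannel)proxy).Close();
            factory.Close();
        }
    }
}
```

Swap WithAllowInsecureTransport for WithLyingTransport in ClientDemo to exercise the subclass on a pre-.NET 4 client. Either way, verify after debugging that the production endpoint is only reachable through the SSL proxy: neither binding stops a client from sending the token over a direct plain-HTTP connection to a farm node.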


I assume, on your custom binding, that you also get an error if you just use security mode="Message"? A custom binding wasn't really necessary, since (if I'm not mistaken) you can use the wsHttpBinding with security mode="Message" (not requiring SSL).

Another alternative is to just generate an SSL certificate yourself, install it in IIS, and implement a trust all certificate policy in your calling code, but this is generally frowned upon (as is sending user names and passwords over an insecure channel).

A third option is to change your contract's operations to accept user names and passwords (or some sort of token) as a parameter, or change your data contracts so you can send the information along with whatever object you may already be sending.
