We have a WCF service and I use wsHttpBinding with transport security and custom authentication.
I recently discovered that secure sessions are on by default (see this SO question).
I'm surprised that such a feature is on by default. I开发者_如何学Python thought that by default I'd get the simplest configuration and that additional features would be on an opt-in basis.
I want to start with the simplest possible feature set and then decide to opt-in for more features.
So my question is: What are the other features that are enabled by default and how can I turn them off?
It depends :-) as per usual.
Do you want to have an externally facing service, that users from outside your network can call into? If so, then use either the basicHttpBinding which is basically the same as the legacy ASMX web services (SOAP 1.1, really basic, hardly any security and no reliability features). Or use wsHttpBinding (SOAP 1.2, WS-* stuff) from the beginning, but turn off all the features at first.
With the basicHttpBinding, there's no a whole lot to "turn on" later on - you're kinda stuck and need to e.g. switch to wsHttpBinding or create your own custom binding beyond that basic features. wsHttpBinding is pretty heavy-weight, but most of those features like security, reliability etc. can be turn off or back on later. BUT: not every client app out there can connect to wsHttpBinding endpoints.
OR: use several endpoints! One really simple one using basicHttp for "legacy" clients, one more advanced with wsHttpBinding - that's the beauty of a WCF service - you write the service code once and expose it on a gazillion different endpoints, as your clients need them!
If you're internal, inside the company firewall the choice is easy - use netTcpBinding - it's fast (since it uses binary instead of text encoding) and has lots of features that can be tweaked.
UPDATE: since it's an externally facing service, and all kinds of clients might connect, I would use the basicHttpBinding with username/password security:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="wsMsgSec">
<security mode="Message">
<message clientCredentialType="None" establishSecurityContext="false" negotiateServiceCredential="false"/>
</security>
<reliableSession enabled="false"/>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="YourService">
<endpoint
address=""
binding="wsHttpBinding"
bindingConfiguration="wsMsgSec"
contract="IYourServiceContract" />
</service>
</services>
</system.serviceModel>
For the "clientCredentialType" on the message security tag, you could also use "UserName" - in that case, you would have to set up some infrastructure (e.g. the ASP.NET membership provider system) in order to validate the incoming username/password credentials.
Also, definitely check out the WCF Security Guidance which has step-by-step explanations for a plethora of different security scenarios, and what to do for each in web.config and your WCF config.
wsHttpBinding is a very complex binding built for layering lots of WS-* goo on top of. BasicHttpBinding might be a better place to start- it's just simple SOAP over HTTP- sounds more like what you're after. It's very interoperable, but you can still turn on a lot of WS-* behavior later.
The listing of all the possible attributes of wsHttpBinding are available - you could go through them and decide which ones you'd like to explicitly set based on your endpoint requirements.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论