Home/ Questions/Q 8291739
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-08T13:14:12+00:00

I have been able to create a nice WCF service for an integration project

  • 0

I have been able to create a nice WCF service for an integration project that can return results in plain xml, json and soap. This works great up until the point where I start to implement security. The built in ws security features in wcf services are bypassed when using WebHttpBindings which work well with: 

<webHttp defaultOutgoingResponseFormat="Json"/>

and

[OperationContract()]
[WebGet(UriTemplate = "GetSomething/{someID}/{anotherID}?somethingElse={somethingElse}")]
SomeResponse GetSomething(string someID,string anotherID, DateTime somethingElse)

I enjoyed playing with my first restful api but alas I need to finish a project and a requirement is to include a secure authentication policy. I am not required to return the results as json, nor must it be a rest service, but this has stoked my curiosity.

…any good ideas pertaining to authentication strategies/WCF REST services?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You may want clientCredentialType=”Certificate” or “Windows”

    <webHttpBinding>
  <binding name ="RestSSL">
    <security mode ="Transport">
      <transport clientCredentialType= "Windows" />
    </security>
  </binding>                
</webHttpBinding>

    If you use certificate, you’ll need to also set the serviceBehavior’s certificateValidationMode to something like PeerTrust, ChainTrust, etc. http://msdn.microsoft.com/en-us/library/system.servicemodel.security.x509certificatevalidationmode.aspx

    <behaviors>
  <serviceBehaviors>
    <behavior>
      <dataContractSerializer maxItemsInObjectGraph="1048576"/>
      <serviceMetadata httpGetEnabled="False" httpsGetEnabled="True"/>
      <serviceDebug includeExceptionDetailInFaults="False"/>
      <serviceCredentials>
        <!-- Please note: the app pool will need an identity with access to this cert-->
        <serviceCertificate findValue="myCertSubject.myDomain.com"
                            storeLocation="LocalMachine"
                            storeName="My"
                            x509FindType="FindBySubjectName"/>
        <clientCertificate>
          <authentication certificateValidationMode="PeerTrust"/>
        </clientCertificate>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
    • 0