I have a WCF service that I want to use message signing for, but only for certain calls- the rest should not be signed. I can't figure out how to set it up to support both.
The message signing uses a non-windows username and password that gets verified by a usernamepasswordvalidator on the service side. Both signed and unsigned messages should use transport security.
Here's an example of my interface:
[ServiceContract(ProtectionLevel=ProtectionLevel.None)]
public interface ISecTest
{
[OperationContract(ProtectionLevel = ProtectionLevel.Sign)]
string GetData(string value);
[OperationContract(ProtectionLevel = ProtectionLevel.None)]
string GetStuff(string stuff);
}
The problem I'm running into is that the signing seems to be based entirely on the service's binding configuration, as opposed to the ProtectionLevels defined on the interface.
If I use the following binding, both calls will require username credentials, regardless of the ProtectionLevel attributes:
<wsHttpBinding>
<binding name="secureWSHttpBindingConfig">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" />
<transport clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>
If I omit the message security and use the following binding, then neither call requires credentials:
<wsHttpBinding>
<binding name="tolerantWSHttpBindingConfig">
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>
Is this a complication from using transport security in addition to the message security? Any advice on how I could accomplish this in a single service (if it's even possible)?
Thanks!
You cannot mix your protection level when you use transport security. You're going to have to use message security if this is important to you.