How to secure a Silverlight-Enabled WCF Web Service with SSL?

Question

How do you secure a Silverlight-Enabled WCF Web Service with SSL? I have tried setting it up similar to a regular WCF service secured by SSL, but it doesn't seem to work. What do you set in the Web.Config, and what do you set in the Silverlight's ServiceReferences.ClientConfig?

I noticed that in the ServiceReferences.ClientConfig file of the Silverlight client app that the "Binding" tag only allows basicHttpBinding and NOT wsHttpBinding. Does this mean that you can not secure a Silverlight-Enabled WCF Service? If so are there better approaches to securing it?

Answer 1

There are three key places that I configure to use https in my own apps.

Web.config

In the behavior tag include this line:

<serviceMetadata httpsGetEnabled="true"/>

For the MEX endpoint, make sure you use the https protocol:

<endpoint address="mex" binding="mexHttpsBinding"
          contract="IMetadataExchange" />

Create a custom binding. The important part is the transport security:

  <basicHttpBinding>
    <binding name="myServicesBinding">
      <security mode="Transport"/>
    </binding>
  </basicHttpBinding>

You can also include the usual authorization stuff:

<authorization>
  <allow users="?"/>
  <deny users="*"/>
</authorization>

Silverlight

On the Silverlight end, either point the ServiceReference at the now secure service, or set up the connections manually in code. the ServiceReferences.ClientConfig file should have the security stuff in it:

<security mode="Transport"/>

And the code version looks like this:

BasicHttpBinding b = new BasicHttpBinding(BasicHttpSecurityMode.Transport);

There are probably more complex things that can be done, but this should be good enough for most people.

Answer 2

in the ServiceReferences.ClientConfig file of the Silverlight client app that the "Binding" tag only allows basicHttpBinding and NOT wsHttpBinding. Does this mean that you can not secure a Silverlight-Enabled WCF Service?

No, it doesn't mean that. You can have a basicHttpBinding and still assign transport-level security (HTTPS with SSL) to it. That shouldn't be a problem.

Marc

PS: Many one of those links gives you more insight and the proverbial "AHA!" :-)

• http://winterdom.com/2007/11/basichttpbindingwithtransportsecurity
• http://silverlight.net/forums/p/13275/44170.aspx
• http://kevindockx.blogspot.com/2009/02/username-authentication-with.html
• http://www.pixel73.com/blog/Default.aspx?g=posts&t=4173
• http://community.irritatedvowel.com/blogs/pete_browns_blog/archive/2008/03/19/WCF-Integration-in-Silverlight-2-Beta-1.aspx
• http://geekswithblogs.net/scottthompson/archive/2009/03/25/setting-up-ssl-between-silverlight-and-wcf-under-iis7.aspx