1

I'm somewhat new to WCF. I've created a service and it works. The service receives some requested keys in an XML string, and returns an XML result set.

Here is my general question, and then I'll give some specifics. If someone creates a RESTful service in WCF using wsHttpBinding, does anyone consuming the service from the outside need to provide username/PW credentials?

OK, the details. On the server side, here's the core config:

<services>
    <service behaviorConfiguration="MyService1Behavior"  name="MyRestService">
        <endpoint 
            address="http://(address)/myweb/myrestservice.svc"  
            binding="wsHttpBinding"  
            contract="IMyRestService">
          <identity> <dns value="numeric address" />  </identity> 
        </endpoint>
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
</services>

and the service application interface:

[ServiceContract]
public interface IMyRestService
{
    [OperationContract]
    [WebInvoke(Method = "GET",
     ResponseFormat = WebMessageFormat.Xml,
     BodyStyle = WebMessageBodyStyle.Wrapped,
     UriTemplate = "OrderLookup/{LookupData}")]
    string OrderLookup(string LookupData);
}

Like I said this all works when I consume it from a system completely outside the domain.

But I have to provide credentials, like the following:

MyClientService.ClientCredentials.Windows.ClientCredential.Domain = "remoteserver";
MyClientService.ClientCredentials.Windows.ClientCredential.UserName = "UserID";
MyClientService.ClientCredentials.Windows.ClientCredential.Password = "Password";

I'm a bit concerned that someone trying to consume the service with a non-.NET client won't want to have to provide credentials. So - if I've created a RESTful service using WCF and hosting it on IIS....will someone accessing the service externally need to provide credentials, or is there a way I can safely come up with a different solution?

Again, I realize I've got gaps in my knowledge - just looking to fill them.

Thanks in advance for any suggestions....

tom redfern
  • 30,562
  • 14
  • 91
  • 126
Scott
  • 11
  • 1
  • 1
    `wsHttpBinding` is *not* a RESTful binding - it's **SOAP**. The only binding that makes this service a REST service is `webHttpBinding` – marc_s Sep 07 '14 at 20:17

1 Answers1

0

As Marc states in his comment, arguably what you have implemented is not really a RESTful service but rather a kind of POX service over SOAP 1.2.

However, because you're using wsHttpBinding you can be confident that any traffic between the service and a consumer will be restricted by the standard security settings for this binding stack, which in turn implement the WS-Security soap extension.

This actually means that not only will non-.net consumers be secured, they'll probably also struggle to consume this endpoint as the default setup for wsHttpBinding is not very open for interoperability (for example, by default it uses windows authentication, as you have found above).

If you need to support non .net clients then use basicHttpBinding which uses SOAP 1.1. You can still secure these endpoints by using SSL and username/password or certificates if that is your requirement.

Community
  • 1
  • 1
tom redfern
  • 30,562
  • 14
  • 91
  • 126