Geek Answers Handbook

What is the simplest WCF / SOAP configuration?

We have a WCF service and I use wsHttpBinding with transport security and user authentication.

I recently discovered that secure sessions are enabled by default (see this SO question ).

I am surprised that such a feature is enabled by default. I thought that by default I would get the simplest configuration and that additional functions would be based on choice.

I want to start with the simplest possible set of functions, and then decide on the choice of additional functions.

So my question is: what are the other features that are enabled by default and how to disable them?

+4
source share
3 answers

It depends :-) as usual.

Do you want to have an external service that users can call from outside your network? If so, use either basicHttpBinding , which is basically the same as the old ASMX web services (SOAP 1.1, really basic, hardly any security and no reliability features). Or use wsHttpBinding (SOAP 1.2, WS- * stuff) from the start, but disable all features first.

BasicHttpBinding does not have much to β€œenable” later β€” you are stuck and need to, for example, switch to wsHttpBinding or create your own custom binding in addition to these basic functions. wsHttpBinding is pretty heavy, but most of the features like security, reliability, etc., can be disabled or re-enabled. BUT: not every client application can connect to wsHttpBinding endpoints.

OR: use multiple endpoints! One very simple one that uses basicHttp for "old" clients, another advanced with wsHttpBinding is the beauty of the WCF service - you write the service code once and expose it to gazillion different endpoints, since your clients need them!

If you are internal, inside the company’s firewall the choice is simple - use netTcpBinding - it is fast (because it uses binary instead of text encoding) and has many features that can be configured.

UPDATE: since this is an external service and all kinds of clients can connect, I would use basicHttpBinding with username / password security:

  <system.serviceModel> <bindings> <wsHttpBinding> <binding name="wsMsgSec"> <security mode="Message"> <message clientCredentialType="None" establishSecurityContext="false" negotiateServiceCredential="false"/> </security> <reliableSession enabled="false"/> </binding> </wsHttpBinding> </bindings> <services> <service name="YourService"> <endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsMsgSec" contract="IYourServiceContract" /> </service> </services> </system.serviceModel>

For "clientCredentialType" in the message security tag, you can also use "UserName" - in this case you will need to configure some infrastructure (for example, the ASP.NET membership provider system) to check the incoming user / password credentials.

Also, be sure to check out the WCF Security Guide , which has step-by-step explanations for many different security scenarios and for each in the web.config file and your WCF configuration.

+5
source

wsHttpBinding is a very complex binding created for multilayer WS- * goo on top. BasicHttpBinding might be better for starters - just a simple SOAP over HTTP sound is more like what you need. This is very interoperable, but you can still incorporate a lot of WS- * behavior later.

+1
source

A list of all possible wsHttpBinding attributes is available β€” you can go through them and decide which ones you want to explicitly specify based on your endpoint requirements.

0
source

More articles:


All Articles