I've used this example project as a starting point, but modified it to use HTTPS and TransportWithMessageCredential.
I'm running the server through IIS Express with SSL Enabled and the project is functioning.
The thing I am a bit unsure about is the SSL certificate, as I have to set the client to accept all certificates for it to work.
Server config:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
</system.web>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="Behavior1">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<serviceCertificate findValue="MyWebSite"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName" />
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Service.UserNamePassValidator, Service" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="Binding1">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Certificate" />
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="Behavior1" name="Service.Service">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="Binding1" contract="Service.IService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
<host>
<baseAddresses>
<add baseAddress="https://localhost/" />
</baseAddresses>
</host>
</service>
</services>
</system.serviceModel>
</configuration>
Client config:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IService">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://localhost:44303/UsernamePasswordService.svc"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService"
contract="ServiceReference1.IService" name="WSHttpBinding_IService" />
</client>
</system.serviceModel>
</configuration>
Client code:
private void button1_Click(object sender, EventArgs e)
{
string time = "";
var c = new ServiceClient();
c.ClientCredentials.UserName.UserName = txtUser.Text;
c.ClientCredentials.UserName.Password = txtPassword.Text;
c.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
ServicePointManager.ServerCertificateValidationCallback += RemoteCertificateValidate;
try
{
time = c.GetServertime();
MessageBox.Show(time, "You are authenticated");
}
catch (Exception ex)
{
if (ex.InnerException != null)
MessageBox.Show(ex.InnerException.Message, "Incorrect username/password");
else
MessageBox.Show(ex.Message, "Unhandled exception");
}
}
private static bool RemoteCertificateValidate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors error)
{
// trust any certificate
return true;
}
As you can see from the client code all certificates are trusted in RemoteCertificateValidate(). I found that as an example for working around self-signed certificates when developing.
I dont quite understand why setting
CertificateValidationMode = X509CertificateValidationMode.None;
isnt giving the same effect. Shouldnt this set client to not validate the certificate?
As I am still quite new to understanding how SSL certificates are distributed, the thing I'm a bit unsure about is how this will work when we get a valid SSL certificate. Will the certificate have to be installed on all the clients?
I also tried logging the traffic from the client to the server, and noticed the following in one of the messages sent:
<o:Username>
<!-- Removed-->
</o:Username>
<o:Password>
<!-- Removed-->
</o:Password>
does this mean that the username and password is being sent in clear text?