Omair Shakeel

Tuesday, March 16, 2010

Disabling WCF security


I recently faced an issue from one of our vendors trying to access our web services with their Java clients. They were able to download the WSDL file but got some security errors when calling our web methods. I had tested my web services with my own test clients developed in .NET and they seemed to be working absolutely fine. I decided to investigate this issue and here is what I found:

Whenever you create a new Windows Communication Foundation (WCF) service in Visual Studio.NET 2008, it automatically creates service entries in your application's configuration file with the default endpoint binding of wsHttpBinding. I created my sample CustomerService as a WCF service:

<service behaviorConfiguration="WebServiceApp.CustomerServiceBehavior"
         name="WebServiceApp.CustomerService">
  <endpoint address="" binding="wsHttpBinding" contract="WebServiceApp.ICustomerService">
    <identity>
      <dns value="localhost" />
    </identity>
  </endpoint>
  <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>

As you can see, the endpoint binding is wsHttpBinding. It uses the HTTP transport and by default provides message security, along with support for transactions, reliable messaging and WS-Addressing. The catch is that the default security mode for WSHttpBinding is Message, and the WSHttpSecurity.Message property has defaults of its own (the service credential is negotiated and a security context is established before the first application call), which shows up on the wire:
I ran the Fiddler tool to observe the message exchanges between my .NET test clients and the WCF web services. It turned out that the test clients had to call my web service three times (negotiating service credentials, passing the encrypted data and security tokens).

So for calls to succeed, the Java clients would have to implement the message security that WSHttpBinding expects, including the negotiation and security-context handshake seen in the trace. After discussions with the vendor it was decided that, since the communication takes place over a secure network and the web services being called do not exchange user credentials (passwords or credit card numbers), I might as well remove the message security from my web services.

Here are two ways to disable it. Either way the SOAP messages then travel in cleartext and the service accepts anonymous callers, so this is only appropriate where, as here, the network itself is trusted; if the client can speak HTTPS, security mode Transport keeps the interoperability while still encrypting the channel.

Removing Message Security by using BasicHttpBinding

Use BasicHttpBinding as the binding for your web service:

<service behaviorConfiguration="WebServiceApp.CustomerServiceBehavior"
         name="WebServiceApp.CustomerService">
  <endpoint address="" binding="basicHttpBinding" contract="WebServiceApp.ICustomerService" />
</service>

For BasicHttpBinding, security is turned off by default (security mode None), so no binding configuration is needed.

Removing Message Security from WSHttpBinding

If you want to disable security but keep the WS-Addressing features of WSHttpBinding, create a binding entry under bindings -> wsHttpBinding and set the security mode to "None" in your config file. With mode None the nested transport and message settings have no effect, but spelling them out documents the intent:

<bindings>
   <wsHttpBinding>
      <binding name="NoSecurityBinding">
         <security mode="None">
            <transport clientCredentialType="None" />
            <message establishSecurityContext="false" />
         </security>
      </binding>
   </wsHttpBinding>
</bindings>

Then point the endpoint at this binding through its bindingConfiguration attribute:

<service behaviorConfiguration="WebServiceApp.CustomerServiceBehavior"
         name="WebServiceApp.CustomerService">
  <endpoint address="" binding="wsHttpBinding" bindingConfiguration="NoSecurityBinding"
            contract="WebServiceApp.ICustomerService" />
</service>
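The programmatic equivalent of the NoSecurityBinding configuration above, as an added example that is not part of the original post: it self-hosts a minimal CustomerService on a WSHttpBinding with SecurityMode.None, calls it once over plain HTTP, and includes a check a practitioner would want before signing off, namely inspecting the binding's channel stack to confirm that no SecurityBindingElement is left. The contract and service names follow the post's configuration; the GetCustomer operation, the namespace and the port are assumptions made for the example.

```csharp
// Added example, not code from the original post. Hosts the post's
// CustomerService with message security removed and verifies the result.
// Assumed: the GetCustomer operation, the contract namespace and port 8731.
using System;
using System.Linq;
using System.ServiceModel;
using System.ServiceModel.Channels;

[ServiceContract(Namespace = "http://WebServiceApp")]
public interface ICustomerService
{
    [OperationContract]
    string GetCustomer(int id);
}

public class CustomerService : ICustomerService
{
    public string GetCustomer(int id) { return "Customer " + id; }
}

static class Program
{
    // True when the binding's channel stack carries no SecurityBindingElement,
    // i.e. nothing will sign, encrypt or negotiate tokens for the SOAP messages.
    // This is the check to run against any "security removed" binding.
    static bool HasNoMessageSecurity(Binding binding)
    {
        return !binding.CreateBindingElements().Any(e => e is SecurityBindingElement);
    }

    static void Main()
    {
        // Equivalent of the config-file entry: wsHttpBinding with mode None
        // (WS-Addressing kept; no negotiation, no secure session, no encryption).
        var noSecurity = new WSHttpBinding(SecurityMode.None);

        // The Visual Studio default for comparison: SecurityMode.Message with a
        // negotiated service credential and an established security context.
        var vsDefault = new WSHttpBinding();

        Console.WriteLine("default wsHttpBinding, message security removed: {0}",
                          HasNoMessageSecurity(vsDefault));
        Console.WriteLine("NoSecurityBinding, message security removed:     {0}",
                          HasNoMessageSecurity(noSecurity));

        var address = new Uri("http://localhost:8731/CustomerService");
        using (var host = new ServiceHost(typeof(CustomerService), address))
        {
            host.AddServiceEndpoint(typeof(ICustomerService), noSecurity, "");
            host.Open();

            // A single plain HTTP request/response: no RequestSecurityToken
            // handshake in front of it, so a Fiddler trace shows one call, not three.
            var factory = new ChannelFactory<ICustomerService>(noSecurity, new EndpointAddress(address));
            ICustomerService client = factory.CreateChannel();
            Console.WriteLine(client.GetCustomer(42));
            ((IClientChannel)client).Close();
            factory.Close();
        }
    }
}
```

Self-hosting on an HTTP port needs either an elevated process or a URL reservation (netsh http add urlacl) for the chosen address. Run it with Fiddler attached to see the difference from the three-message exchange described earlier: the mode None binding produces exactly one request and one response, and the SOAP body is readable in the trace, which is the point of the caveat above.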

