Parker Lewis

How can I expose a Webservice at two addresses: one with http, the other with https

I tried the following, but unfortunately I can only access the first service:

< xml version="1.0" encoding="utf-8" >
<configuration>
<system.serviceModel>
<services>
<service name="Webservice1" behaviorConfiguration="Behavior1">
<host>
<baseAddresses>
<add baseAddress="https://myhost/Webservice"/>
</baseAddresses>
</host>
<endpoint
contract="IWebservice"
binding="basicHttpBinding"
bindingConfiguration="Binding1" />
</service>
<service name="Webservice2" behaviorConfiguration="Behavior2">
<host>
<baseAddresses>
<add baseAddress="http://myhost/Webservice"/>
</baseAddresses>
</host>
<endpoint
contract="IWebservice"
binding="basicHttpBinding"
bindingConfiguration="Binding2" />
</service>
</services>
<bindings>
..........
</bindings>
<behaviors>
...............
</behaviors>
</system.serviceModel>
</configuration>

Any ideas how I could achieve exposing the same service at a http and at a https address (I registered both urls with httpcfg)

Kind regards
Thomas



Re: Windows Communication Foundation (Indigo) How to expose a Webservice at two addresses: one with http, the other with https?

Pedro Felix

Hello:

How did you configure the binding
You should configure the binding of the HTTPS service with Security.Mode = Transport and Security.Mode.Transport.ClientCredentialsType = None (if not using client side X.509 certificates)

Hope it helps
Pedro Felix




Re: Windows Communication Foundation (Indigo) How to expose a Webservice at two addresses: one with http, the other with https?

Parker Lewis

Sorry for confusing you. If I am using only one service tag it works with both ways: I can either take HTTPS or HTTP. So the binding must be correct. But if I include two service tags, only the first one works - which is (in my example) the HTTPS service.

Here is the complete configuration:

< xml version="1.0" encoding="utf-8" >
<configuration>
<system.serviceModel>
<services>
<service name="Webservice1" behaviorConfiguration="Behavior1">
<host>
<baseAddresses>
<add baseAddress="https://myhost/Webservice"/>
</baseAddresses>
</host>
<endpoint
contract="IWebservice"
binding="basicHttpBinding"
bindingConfiguration="Binding1" />
</service>
<service name="Webservice2" behaviorConfiguration="Behavior2">
<host>
<baseAddresses>
<add baseAddress="http://myhost/Webservice"/>
</baseAddresses>
</host>
<endpoint
contract="IWebservice"
binding="basicHttpBinding"
bindingConfiguration="Binding2" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="Binding1"
hostNameComparisonMode="StrongWildcard"
receiveTimeout="00:10:00"
sendTimeout="00:10:00"
openTimeout="00:10:00"
closeTimeout="00:10:00"
maxReceivedMessageSize="65536"
maxBufferSize="65536"
maxBufferPoolSize="524288"
transferMode="Buffered"
messageEncoding="Text"
textEncoding="utf-8"
bypassProxyOnLocal="false"
useDefaultWebProxy="true" >
<security mode="Transport">
<transport clientCredentialType="Basic" />
</security>
</binding>
<binding name="Binding2"
hostNameComparisonMode="StrongWildcard"
receiveTimeout="00:10:00"
sendTimeout="00:10:00"
openTimeout="00:10:00"
closeTimeout="00:10:00"
maxReceivedMessageSize="65536"
maxBufferSize="65536"
maxBufferPoolSize="524288"
transferMode="Buffered"
messageEncoding="Text"
textEncoding="utf-8"
bypassProxyOnLocal="false"
useDefaultWebProxy="true" >
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Basic" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="Behavior1">
<serviceMetadata httpsGetEnabled="true"/>
</behavior>
<behavior name="Behavior2">
<serviceMetadata httpGetEnabled="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
</configuration>

Any ideas





Re: Windows Communication Foundation (Indigo) How to expose a Webservice at two addresses: one with http, the other with https?

Michael Green - MSFT

Hi Parker,

You will need to create two virtual directories, one for HTTPS and one for HTTP. In order to use HTTPS you need to use IIS to host your service. When you configure the virtual directory to use SSL, all requests to that virtual directory must be made via HTTPS, there is no way to specify some requests should require HTTPS and others not. May I ask why you want to expose your service through HTTPS and HTTP Perhaps there is another way to get the functionality you are looking for.

Thanks,

Michael Green [MSFT]





Re: Windows Communication Foundation (Indigo) How to expose a Webservice at two addresses: one with http, the other with https?

Parker Lewis

Hi Michael

I am hosting my wcf webservice within a windows service, not within IIS - thus creating two virtual directories is not an option.

I am trying to expose my service through HTTPS and HTTP only during development. The consumer of the webservice needs to test the webservice call through HTTPS, thus he can catch exceptions which occur when the certificate is not valid etc. On the other side, he needs to sniff the network traffic, when a C# test application calls the webservice (-> http). This way he can analyze, what a call to the webservice looks like and replicate it from within an oracle db where he has to manually construct this call.

Thanks and best wishes.





Re: Windows Communication Foundation (Indigo) How to expose a Webservice at two addresses: one with http, the other with https?

David Kreutz - MSFT

Actually you don't need to use IIS to host the service. If you are not going to use IIS, however, you'll need to set up your certficiate for SSL, you can find information on that process here:

http://msdn2.microsoft.com/en-us/library/ms733768.aspx

The other thing i noticed is that you are attempting to host both endpoints at the same port number (80 by default). You'll need to specify a port for one or both endpoints different from the default. Simply append a colon plus the port number after the host name in your endpoint address (ex. http://contoso.com:825/service). The standard port for HTTPS is 443 but you may want to choose another to avoid conflicts with other apps, something in the higher range is always better, like 8448.


Let me know if you have any more questions.

David






Re: Windows Communication Foundation (Indigo) How to expose a Webservice at two addresses: one with http, the other with https?

Michael Green - MSFT

Parker,

I apologize for the mis-information. As David pointed out in his post you can use HTTPS without hosting the service under IIS. With that information, I took the TransportSecurity sample, made it self-hosted, followed the directions from the article David pointed out to bind an SSL certificate to a port and verified that it worked. I then added another endpoint that used the http scheme. Here are my config files:

Service side:

< xml version="1.0" encoding="utf-8" >

<configuration>

<system.serviceModel>

<services>

<service

name="Microsoft.ServiceModel.Samples.CalculatorService"

behaviorConfiguration="CalculatorServiceBehavior">

<host>

<baseAddresses>

<add baseAddress="http://localhost:8000/ServiceModelSamples/service"/>

</baseAddresses>

</host>

<endpoint address=""

binding="basicHttpBinding"

bindingConfiguration="NotSecure"

contract="Microsoft.ServiceModel.Samples.ICalculator" />

<endpoint address="https://localhost:8001/ServiceModelSamples/service"

binding="basicHttpBinding"

bindingConfiguration="Secure"

contract="Microsoft.ServiceModel.Samples.ICalculator" />

<endpoint address="mex"

binding="mexHttpBinding"

contract="IMetadataExchange" />

</service>

</services>

<bindings>

<basicHttpBinding>

<binding name="Secure">

<security mode="Transport">

<transport clientCredentialType="None"/>

</security>

</binding>

<binding name="NotSecure">

<security mode="None" />

</binding>

</basicHttpBinding>

</bindings>

<!--For debugging purposes set the includeExceptionDetailInFaults attribute to true-->

<behaviors>

<serviceBehaviors>

<behavior name="CalculatorServiceBehavior">

<serviceMetadata httpGetEnabled="True"/>

<serviceDebug includeExceptionDetailInFaults="False" />

</behavior>

</serviceBehaviors>

</behaviors>

</system.serviceModel>

</configuration>

Client side:

< xml version="1.0" encoding="utf-8" >

<configuration>

<system.serviceModel>

<bindings>

<basicHttpBinding>

<binding name="BasicHttpBinding_NotSecure" >

<security mode="None">

<transport clientCredentialType="None"/>

</security>

</binding>

<binding name="BasicHttpBinding_Secure" >

<security mode="Transport">

<transport clientCredentialType="None" />

</security>

</binding>

</basicHttpBinding>

</bindings>

<client>

<endpoint address="http://localhost:8000/ServiceModelSamples/service"

binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_NotSecure"

contract="ICalculator" name="BasicHttpBinding_NotSecure" />

<endpoint address="https://localhost:8001/ServiceModelSamples/service"

binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_Secure"

contract="ICalculator" name="BasicHttpBinding_Secure" />

</client>

</system.serviceModel>

</configuration>

Notice both have two different binding configurations, one https (secure) and one for http (not secure). Also notice that each URI uses it's own port number. Please take a look at these and let me know if you have any further questions. I can zip up my project and post it too if someone would like.

Thanks,

Michael Green [MSFT]





Re: Windows Communication Foundation (Indigo) How to expose a Webservice at two addresses: one with http, the other with https?

Parker Lewis

Hi David

Thanks for your answer. Actually I was not using the same port number. One address started with http (default port 80) and the other one started with https (default port 443, which is okay for my scenario because I have no webserver running which would block the 443 port or something). Using only the HTTPS endpoint worked and using only the HTTP endpoint worked too. Thus I don't have problems with the certificate. It just didn't work together. As you can see, I tried to use two <service> tags in order to enable both - httpGetEnabled and httpsGetEnabled. Maybe this is not possible.

Best wishes





Re: Windows Communication Foundation (Indigo) How to expose a Webservice at two addresses: one with http, the other with https?

Parker Lewis

Hello Michael

Thanks a lot for your answer. Originally I tried the same as you described above but it didn't work. Now I tried again and it worked. I think I also found out what I've done wrong before:

If you specify a HTTP base address you have to use the httpGetEnabled attribute within the behavior section - the httpsGetEnabled attribute does not work in this case. On the other hand if your base address starts with HTTPS, you can only use the httpsGetEnabled attribute - otherwise an error occurs.

I wonder if it's possible to expose the WSDL for both protocols To achieve this, I tried to use two different <service> tags (see my first post). But this does not work.

Thanks a lot





Re: Windows Communication Foundation (Indigo) How to expose a Webservice at two addresses: one with http, the other with https?

Michael Green - MSFT

Parker,

It is possible, I am hammering out the details and will get back to you ASAP.

Thanks,

Michael Green





Re: Windows Communication Foundation (Indigo) How to expose a Webservice at two addresses: one with http, the other with https?

Parker Lewis

Hello Michael

Ok, I'm very curious... looking forward to it.

Best wishes





Re: Windows Communication Foundation (Indigo) How to expose a Webservice at two addresses: one with http, the other with https?

Parker Lewis

Already any progress on this

Kind regards





Re: Windows Communication Foundation (Indigo) How to expose a Webservice at two addresses: one with http, the other with https?

Michael Green - MSFT

Parker,

I am very sorry I wasn't able to get back to you sooner. I was put on another project and haven't had time to look into this further. I was able to get some time this week and I have been able to get this to work. The problem I was running into was the URI that you send to svcutil to read the metadata must match the "Issued To" field of the certificate *exactly*. You can open the MMC certificate snap-in and navigate to your certificate to see the "Issued To" field. Also you must use a fully trusted certificate (a test certificate generated from makecert is not enough).

So here is my config:

< xml version="1.0" encoding="utf-8" >

<configuration>

<system.serviceModel>

<services>

<service

name="Microsoft.ServiceModel.Samples.CalculatorService"

behaviorConfiguration="CalculatorServiceBehavior">

<host>

<baseAddresses>

<add baseAddress="https://MichaelGreen.microsoft.com:8001/ServiceModelSamples/service"/>

<add baseAddress="http://localhost:8000/ServiceModelSamples/service"/>

</baseAddresses>

</host>

<endpoint address=""

binding="wsHttpBinding"

bindingConfiguration="Secure"

contract="Microsoft.ServiceModel.Samples.ICalculator" />

</service>

</services>

<bindings>

<wsHttpBinding>

<binding name="Secure">

<security mode="Transport">

<transport clientCredentialType="None"/>

</security>

</binding>

<binding name="NotSecure">

<security mode="None">

<transport clientCredentialType="None"/>

</security>

</binding>

</wsHttpBinding>

</bindings>

<behaviors>

<serviceBehaviors>

<behavior name="CalculatorServiceBehavior">

<serviceMetadata httpsGetEnabled="True" />

</behavior>

</serviceBehaviors>

</behaviors>

</system.serviceModel>

</configuration>

Notice that I have specified two base addresses, one for HTTPS bound to port 8001 and the other for HTTP on port 8000. When I run svcutil on the secure MEX endpoint I need to type the fully qualified URL: https://MichaelGreen.microsoft.com:8001/ServiceModelSamples/service. Again I'm really sorry for taking so long to get back to you, I hope this is helpful.

Michael Green [MSFT]





Re: Windows Communication Foundation (Indigo) How to expose a Webservice at two addresses: one with http, the other with https?

Parker Lewis

Hello Michael

Please don't apologize - rather I am deeply grateful you got back to this issue!

Your sample looks very interesting. Specifying two base addresses... I haven't hit on that. My unsuccessful approach was declaring more than one service tag. But I still have a few questions left:

You are using only one endpoint with the binding configuration "secure". To which base address does this endpoint belong To both or only to the first one (https) How can you associate the "nonsecure" binding to the second base address (http) only

Regarding the fully trusted certificate: wouldn't it be nice if svcutil.exe would include some parameters which allow to ignore certificate errors like "not trusted", "wrong issuedto" etc The same should be possible when adding a service reference in Visual Studio as well.

Best wishes