Apr 15 2008

Lying to WCF

Category: IT Related | .NetRory Primrose @ 15:16

There are cases when you need to transmit username/password credentials to WCF without transport security. The times that you should do this are rare because of the obvious security implications of sending credentials over the wire without encryption. One case where this is required is where hardware acceleration is used in a load balancer. The traffic between the load balancer and the client is encrypted, but the traffic between the load balancer and the service host is not. The issue here is that the service still needs the credentials passed to the load balancer from the client.

Drew Marsh has a great write up about how to lie to WCF about the security of the binding that it is using for a service. Nicholas Allen has also posted on the topic here and here.

Tags: ,

Comments (2) -

1.
Dave Dave says:
Tuesday, April 15, 2008 at 8:04 AM

Nice find. However, at the very end of Drew's post, he indicates that this solution does not support WSDL auto generation.

2.
Rory Primrose Rory Primrose Australia says:
Tuesday, November 18, 2008 at 9:33 PM

There is another valid reason that I have come across. I am writing unit tests for my username password solution (www.neovolve.com/.../...-password-of-the-user.aspx) and want to avoid the requirement to set up ssl for the machine running the tests.

Add comment

  Country flag

biuquote
  • Comment
  • Preview
Loading