Different Service behaviors per endpoint
- by Preben Huybrechts
The situation
We are implementing different sort of security on some WCF service.
ClientCertificate, UserName & Password and Anonymous.
We have 2 ServiceBehaviorConfigurations, one for httpBinding and one for wsHttpBinding.
(We have custom authorization policies for claim based security)
As a requirement we need different endpoints for each service.
3 endpoints with httpBinding and 1 with wsHttpBinding.
Example for one service:
basicHttpBinding : Anonymous
basicHttpBinding : UserNameAndPassword
basicHttpBinding : BasicSsl
wsHttpBinding : BasicSsl
The Problem
Part 1: We cannot specify the same service twice, once with the http service configuration and once with the wsHttp service configuration.
Part 2: We cannot specify service behaviors on an endpoint. (Throws and exception, No endpoint behavior was found... Service behaviors cant be set to endpoint behaviours)
The Config
For part 1:
<services>
<service name="Namespace.MyService" behaviorConfiguration="securityBehavior">
<endpoint address="http://server:94/MyService.svc/Anonymous" contract="Namespace.IMyService" binding="basicHttpBinding" bindingConfiguration="Anonymous">
</endpoint>
<endpoint address="http://server:94/MyService.svc/UserNameAndPassword" contract="Namespace.IMyService" binding="basicHttpBinding" bindingConfiguration="UserNameAndPassword">
</endpoint>
<endpoint address="https://server/MyService.svc/BasicSsl" contract="Namespace.IMyService" binding="basicHttpBinding" bindingConfiguration="BasicSecured">
</endpoint>
</service>
<service name="Namespace.MyService" behaviorConfiguration="wsHttpCertificateBehavior">
<endpoint address="https://server/MyService.svc/ClientCert" contract="Namespace.IMyService" binding="wsHttpBinding" bindingConfiguration="ClientCert"/>
</service>
</services>
Service Behavior configuration:
<serviceBehaviors>
<behavior name="securityBehavior">
<serviceAuthorization serviceAuthorizationManagerType="Namespace.AdamAuthorizationManager,Assembly">
<authorizationPolicies>
<add policyType="Namespace.AdamAuthorizationManager,Assembly" />
</authorizationPolicies>
</serviceAuthorization>
</behavior>
<behavior name="wsHttpCertificateBehavior">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
<serviceAuthorization serviceAuthorizationManagerType="Namespace.AdamAuthorizationManager,Assembly">
<authorizationPolicies>
<add policyType="Namespace.AdamAuthorizationManager,Assembly" />
</authorizationPolicies>
</serviceAuthorization>
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck"/>
</clientCertificate>
<serviceCertificate findValue="CN=CertSubject"/>
</serviceCredentials>
</behavior>
How can we specify a different service behaviour on the WsHttpBinding endpoint?
Or how can we apply our authorization policy in a different way for wsHttpBinding then basicHttpBinding. We would use endpoint behavior but we can't specify our authorization policy on an endpoint behavior