20 October 2008

Turning off WCF security

Unlike ye goode ole ASMX web services, WCF comes by default with security enabled. That's a good thing: Microsoft now believes in security being an integral part of the solution, so instead of slapping it on later, it is turned on by default. This is fine of course in distributed production environments but may be a real PITA while testing or deploying in a simple point-to-point environment, especially when machines are not in the same domain. Fortunately, turning all these gizmos off is quite easy. The catch is that settings on server and client must exactly match.

You host the service like this (provided it is hosted in IIS):
<system.serviceModel>
  <services>
    <service name="MyService">
      <endpoint contract="IMyService" binding="wsHttpBinding" bindingConfiguration="wsHttpBindingConfiguration"/>
    </service>
  </services>
  <bindings>
    <wsHttpBinding>
      <binding name="wsHttpBindingConfiguration">
        <security mode="None">
          <message clientCredentialType="None"/>
          <transport clientCredentialType="None"/>
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
</system.serviceModel>
and you configure the client like this:
<system.serviceModel>
  <client>
    <endpoint name="MyDataPortal"
              address="http://someserver:2000/MyRoot/MyService.svc"
              binding="wsHttpBinding"
              contract="IMyService"
              bindingConfiguration="MyBinding"/>
  </client>

  <bindings>
    <wsHttpBinding>
      <binding name="MyBinding">
        <security mode="None">
          <message clientCredentialType="None"/>
          <transport clientCredentialType="None"/>
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
</system.serviceModel>
I emphasized the important parts. Be advised: these settings should only be used in either development environments or environments that are inherently safe by themselves, i.e. closed networks.
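
An added example, not part of the original post: a Python check that resolves the wsHttpBinding each endpoint references in a server and a client config, flags `security mode="None"`, and reports when the two sides do not match. The function names and the compacted sample configs are constructed for illustration, and the check assumes a binding without a `<security>` element uses wsHttpBinding's default mode, `Message`.

```python
import xml.etree.ElementTree as ET

DEFAULT_MODE = "Message"  # wsHttpBinding's mode when <security> or its mode is absent

def endpoint_security(config_xml):
    """Return {contract: security mode} for each wsHttpBinding endpoint."""
    root = ET.fromstring(config_xml)
    modes = {}
    for ws in root.iter("wsHttpBinding"):
        for b in ws.findall("binding"):
            sec = b.find("security")
            modes[b.get("name")] = DEFAULT_MODE if sec is None else sec.get("mode", DEFAULT_MODE)
    return {ep.get("contract"): modes.get(ep.get("bindingConfiguration"), DEFAULT_MODE)
            for ep in root.iter("endpoint") if ep.get("binding") == "wsHttpBinding"}

def audit(server_xml, client_xml):
    """Flag contracts with security switched off and server/client mode mismatches."""
    server, client = endpoint_security(server_xml), endpoint_security(client_xml)
    findings = []
    for contract in sorted(set(server) | set(client)):
        s, c = server.get(contract), client.get(contract)
        if "None" in (s, c):
            findings.append((contract, "security-disabled", s, c))
        if None not in (s, c) and s != c:
            findings.append((contract, "mismatch", s, c))
    return findings

# Constructed samples: the post's two fragments, compacted, plus a client left at defaults.
OFF = ('<security mode="None"><message clientCredentialType="None"/>'
       '<transport clientCredentialType="None"/></security>')
SERVER = f"""<system.serviceModel>
  <services><service name="MyService">
    <endpoint contract="IMyService" binding="wsHttpBinding"
              bindingConfiguration="wsHttpBindingConfiguration"/>
  </service></services>
  <bindings><wsHttpBinding>
    <binding name="wsHttpBindingConfiguration">{OFF}</binding>
  </wsHttpBinding></bindings>
</system.serviceModel>"""
CLIENT_TEMPLATE = """<system.serviceModel>
  <client><endpoint name="MyDataPortal" binding="wsHttpBinding" contract="IMyService"
    address="http://someserver:2000/MyRoot/MyService.svc" bindingConfiguration="MyBinding"/></client>
  <bindings><wsHttpBinding><binding name="MyBinding">{security}</binding></wsHttpBinding></bindings>
</system.serviceModel>"""
CLIENT = CLIENT_TEMPLATE.format(security=OFF)
CLIENT_DEFAULT = CLIENT_TEMPLATE.format(security="")

if __name__ == "__main__":
    for finding in audit(SERVER, CLIENT) + audit(SERVER, CLIENT_DEFAULT):
        print(finding)
```

Run against the config files of a build before it leaves the test environment, any `security-disabled` finding means the settings from this post are still in place.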