RIA Services using https

Support for https has been part of WCF RIA Services for a while now, but most of the early posts we did have been lost. In celebration of the V1 release, I’m resurrecting a guide on using https.

In short, you have two options for using https. The first is to expose your application only on https. This is the simple but less practical approach. The second is to expose your application with both http and https bindings. By default, all your services will then be available on both http and https. With a few minor updates, you can ensure specific DomainServices are only exposed over https.

An Example

Let’s examine how to enable secure forms authentication. If you’re using forms authentication for an internet-facing application, it is strongly recommended that you use a secure connection. We’ll start by creating a DomainService for authentication.

    [EnableClientAccess]
    public class AuthenticationService : AuthenticationBase<User> { }

This generates a DomainContext on the client that calls the service over the same scheme (http or https) that the application was loaded on. To change this default behavior, we’ll just update the client access attribute.

    [EnableClientAccess(RequiresSecureEndpoint = true)]
    public class AuthenticationService : AuthenticationBase<User> { }

Now the AuthenticationService can only be accessed using https. The application can be loaded on either http or https but the generated DomainContext will always attempt to reach the service over https.

The Hard Part

Now for the rest of it. Hopefully you’re familiar with enabling SSL websites, but if not, the process can be confusing. Because the application can be loaded over http while the service is only reachable over https, we’ve now created a cross-domain scenario, so you’ll have to set up a client access policy. You’ll also need IIS to host and test the secure endpoint. Finally, you’ll need a valid (or trusted) SSL certificate. Here are some resources I found useful.
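
A client access policy for the cross-scheme case described above, as an added example that is not part of the original post. The host name `app.example.com`, the allowed header list and the granted path are assumptions to replace with your own values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example: clientaccesspolicy.xml, served from the root of the
     https site that hosts the DomainServices. app.example.com is a placeholder. -->
<access-policy>
  <cross-domain-access>
    <policy>
      <!-- Name the http origin explicitly. A bare uri="*" on an https site
           admits only https callers, and uri="http://*" would admit a
           Silverlight application served from any http site. -->
      <allow-from http-request-headers="Content-Type">
        <domain uri="http://app.example.com"/>
      </allow-from>
      <grant-to>
        <!-- Assumption: "/" covers wherever the .svc endpoints live;
             narrow the path to that folder once you know it. -->
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
```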

Comments

  • Anonymous
    May 26, 2010
    thanks! very well written!

  • Anonymous
    June 21, 2010
    Hi Kyle, Can I make the RequiresSecureEndpoint = true setting via configuration? At the moment, it looks like I would need to rebuild, to force HTTPS only. Thanks, Martin

  • Anonymous
    January 17, 2012
    We want to set RequiresSecureEndpoint = true using config or some other way to enable or disable based on Request.IsSecureConnection flag. I did not see any article explain this issue.

  • Anonymous
    August 21, 2012
    Good start Kyle, but what's the point if you don't finish the article and instead just point to a set of articles for the "hard part". Little surprise that you have no review comments. :)