RIA Services using https

  • Article

Support for https has been part of WCF RIA Services for a while now, but most of the early posts we did have been lost. In celebration of the V1 release, I’m resurrecting a guide on using https.

In short, you have two options using https. On one hand, you can expose your application only on https. This is the simple but less practical approach. The other approach involves exposing your application with both http and https bindings. By default all your services will be available on both http and https. With a few minor updates you can ensure specific DomainServices will only be exposed using https.

An Example

Let’s examine how to enable secure forms authentication. If you’re using forms authentication for an internet-facing application, it is strongly recommended that you use a secure connection. We’ll start by creating a DomainService for authentication.

   [EnableClientAccess]
  public class AuthenticationService : AuthenticationBase<User> { }

This generates a DomainContext on the client that calls into the service that is available on the same scheme as the application. To change this default behavior, we’ll just update the client access attribute.

   [EnableClientAccess(RequiresSecureEndpoint = true)]
  public class AuthenticationService : AuthenticationBase<User> { }

Now the AuthenticationService can only be accessed using https. The application can be loaded on either http or https but the generated DomainContext will always attempt to reach the service over https.

The Hard Part

Now for the rest of it. Hopefully you’re familiar with enabling SSL websites, but if not, the process can be confusing. We’ve now created a cross-domain scenario so you’ll have to set up a client access policy. Also, you’ll need IIS to host and test the secure endpoint. Finally you’ll need a valid (or trusted) SSL certificate. Here are some resources I found useful.