WCF Service Configuration Strange Behavior - The request message must be protected

I'm on .NET 4.0, I have a 开发者_如何转开发wcf service which implements two contracts, one with protection level and one with no protection. Both specify in the Action and in the ReplyAction the "*" value.

Now, if I configure this service inside a Web Site project everything works, but if I configure the same service inside a Web Application project, if I try to see the service page in the browser for the default endpoint, I receive the error "The request message must be protected, This is required by an operation of the contract ('IContractSigned','http://myservice/contracts'). The protection must be provided by the binding ('BasicHttpBinding','http://tempuri.org/'). "

Both the Web Site project and the Web Application project has the same web.config.

Now I'm trying to investingate, but it's impossible to find an easy solution or discussion. Any idea? Why the project type influence in this way the correctness of the config? Thanks in advance

The EncryptAndSign protection level for service contracts requires that the binding provides some way of enrypting and singing, i.e. the binding must be secure.

Perhaps your service uses transport level security, relying on IIS to secure the channel with one of its server certificates? The difference between web site deployment and web app deployment may be IIS' ability to secure the channel using a server certificate.

If you use message mode security, your service must declare which certificate to use and it should not make any difference how the service is deployed.

I was struggling with same exception and found this:

When there is no protection level explicitly specified on the contract and the underlying binding supports security (whether at the transport or message level), the effective protection level for the whole contract is ProtectionLevel.EncryptAndSign. If the binding does not support security (such as BasicHttpBinding), the effective System.Net.Security.ProtectionLevel is ProtectionLevel.None for the whole contract. The result is that depending upon the endpoint binding, clients can require different message or transport level security protection even when the contract specifies ProtectionLevel.None.

So, if you don't specify ProtectionLevel in ServiceContract attribute, WCF will define ProtectionLevel based on your web.config. If you're using for example Ws2007 and BasicHttpBinding, BasicHttpBinding will fail with your exception. Then you have 3 options:

1. Remove all secured bindings for your contract and leave just BasicHttpBinding.

2. Set protection level on contract that is exposed through BasicHttpBinding as this:

   [ServiceContract(ProtectionLevel = ProtectionLevel.None)]

3. Provide some security for BasicHttpBinding.