Using HTTP POST on URIs

I have a RESTful WCF service that has an upload method accepting more than one parameters. It does this by making all parameters besides the Stream part of the URI. This is what the method looks like in the contract:

[OperationContract, WebInvoke(UriTemplate = "UploadFile?username={username}&password={password}&filename={filen开发者_开发百科ame}")]
bool UploadFile(string username, string password, string filename, Stream fileContents);

I haven't tested this method yet, but assuming that it does work, there's a major issue with it: the password would be visible in the address bar. How do I hide those parameters while keeping them part of the UriTemplate? I need them as part of the URI since that's what allows me to use additional parameters with the Stream.

This is what I tried doing:

[OperationContract, WebInvoke(Method = "POST", UriTemplate = "UploadFile?username={username}&password={password}&filename={filename}")]
bool UploadFile(string username, string password, string filename, Stream fileContents);

This is just a wild guess, and I'm not even sure if it makes any sense. The WCF service starts up just fine, but I haven't tested it yet. It is possible to use HTTP POST on URIs in this way?

POST or GET, it doesn't matter, the parameters would still show up in the URL and you definitely don't want that. WCF does not come with support for form posting out of the box, but if you change your method to take just a Stream, you will receive the entire POSTed body in whatever format it was in in raw bytes which you can then parse yourself.

Since you'd be uploading both form data (application/x-Www-form-urlencoded) and file data, that means the POST would actually be multi-part MIME (multipart/form-data). Assuming single file upload only, you would simply need to read the front of the Stream until the first boundary to get the form data which you can easily split and URL decode the values for. Then skip the boundary and the the rest of the Stream would be the file data until the closing boundary.

The URI will always be public unless you send it through HTTPS.

You could encrypt the password on the client side before calling the WCF service and decrypt the string afterwards, but I predict that may not be ideal.

Usually people would send this up in the body of the HTTP POST request so it is not visible in the parameter list.