zt:Consuming Webservices over HTTPS (SSL)

转载 2004年07月09日 13:58:00

When Webservices are used, a common concern is security: SOAP messages are transferred in plain text over the network, so anyone with a sniffer could intercept the SOAP message and read it. In my opinion this could happen also to binary data, but probably it requires a little bit more hacker skills. So a solution is to use HTTPS (SSL) instead of HTTP, so the communication is encrypted. To accomplish this, you need to get and install a certificate (issued by a Certificate Authority) on your webserver. In a production environment you would buy a certificate from Verisign or another well known CA, or you would install your own CA, which is a component of Windows Server. If you only want to play with HTTPS, SSL and certificates or your project is in the development phase, you can also generate a test certificate using the MakeCert.exe tool (included in the .NET Framework SDK). After that you have to add this certificate to a website in IIS, and set a port which HTTPS should use.

When you browse to a HTTPS site, you probably get a dialog window asking you if you want to trust the certificate provided by the webserver. So the responsibility of accepting the certificate is handled by the user. Let's get back to the webservice scenario, if you want to invoke a webservice located on a webserver which uses SSL and HTTPS there is a problem. When you make the call from code, there is no dialog window popping up, and asking if you trust the certificate (luckily because this would be pretty ugly in server-side scenarios); probably you'll get following exception:
An unhandled exception of type 'System.Net.WebException' occurred in system.dll

Additional information: The underlying connection was closed: Could not establish trust relationship with remote server.

But there is a solution for this problem, you can solve this in your code by creating your own CertificatePolicy class (which implements the ICertificatePolicy interface). In this class you will have to write your own CheckValidationResult function that has to return true or false, like you would press yes or no in the dialog window. For development purposes I've created the following class which accepts all certificates, so you won't get the nasty WebException anymore:
public class TrustAllCertificatePolicy : System.Net.ICertificatePolicy
 public TrustAllCertificatePolicy()

 public bool CheckValidationResult(ServicePoint sp,
  X509Certificate cert,WebRequest req, int problem)
  return true;

As you can see the CheckValidationResult function always returns true, so all certificates will be trusted. If you want to make this class a little bit more secure, you can add additional checks using the X509Certificate parameter for example. To use this CertificatePolicy, you'll have to tell the ServicePointManager to use it:
System.Net.ServicePointManager.CertificatePolicy = new TrustAllCertificatePolicy();
This must be done (one time during the application life cycle) before making the call to your webservice.

IPSec over HTTPS

  • iiprogram
  • iiprogram
  • 2008年04月06日 10:11
  • 1508

Consuming P6 Web Services over HTTPS (SSL) From Java

Note: This example assumes that the P6 Web Services Server has been configured to use UsernameToken ...
  • zerojunyan
  • zerojunyan
  • 2013年04月22日 13:13
  • 444

008-httpd_http over ssl(https)

008-httpd_http over ssl(https) 008-httpd_http over sslhttps https http over ssl 图解 配置httpd支持https 测...
  • u010796631
  • u010796631
  • 2016年01月16日 22:42
  • 684


  • xman_2009
  • xman_2009
  • 2010年02月24日 14:08
  • 2915

错误:Mixed Content: The page at ‘https://XXX’ was loaded over HTTPS, but requested an insecure........

  • qq_27114677
  • qq_27114677
  • 2017年09月05日 10:06
  • 1743

Mixed Content: The page was loaded over HTTPS,blocked the content must be served over HTTPS.

今天遇到一个问题: Mixed Content: The page at   was loaded over HTTPS, but requested an insecure XMLHttp...
  • u012996583
  • u012996583
  • 2017年08月08日 16:00
  • 1164


百度地图怎么样才能支持API支持HTTPS 报错信息如下: Mixed Content: The page at ‘https://www.c*******8.com/public...
  • weixin_38023551
  • weixin_38023551
  • 2017年07月26日 16:47
  • 8908

Webservice 通过SSL加密传输

自签名证书的WEB服务安全应用 2008-07-01 11:20     Java编程语言的一个杰出之处就在于开源社区可以以较低的成本或者甚至是免费地提供优秀的应用程序。其中一...
  • baidu_18607183
  • baidu_18607183
  • 2016年09月27日 16:40
  • 620


Mix Content:The page at 'https://www.abc.com...' was loaded over HTTPS, but requested an insecure fo...
  • bhzln
  • bhzln
  • 2017年02月22日 16:35
  • 1779

如何配置LDAP over SSL

今天碰到一个关于IIS不能访问域服务器的问题。经过调查,发现是域控制器上的证书出了问题。网络环境:IIS服务器:IIS 6.0Windows Server 2003 SP2域控制器:Windows S...
  • nailding2
  • nailding2
  • 2010年07月21日 22:47
  • 1264
您举报文章:zt:Consuming Webservices over HTTPS (SSL)