Something about Security in WCF- I

Authentication and authorization are key aspects of secure communication between client and server. The service needs to authenticate its callers and, accordingly, allow them to use only the operations they are permitted to call. Service-level authentication is not the only requirement for secure communication; messages should also be protected so that no tampering can happen. WCF supports a variety of authentication mechanisms:

None: Anonymous access to the service. No authentication of the caller.

Windows: The caller provides Windows credentials (token or ticket) and the service authenticates them against Windows users.

Username/Password: The caller sends a username and password, and these credentials are validated against a database or other credential store.

X509 certificate: Client and service have certificates installed already. The service looks up the certificate from the caller and authenticates it.

Custom mechanism: The developer can develop and implement their own authentication mechanism.

Tokens: Client and service rely on third-party authentication; in this case the caller sends a token that is authenticated on the service side.

Besides these authentication mechanisms, communication should also be secured at the communication protocol and message levels. I’ll discuss the transfer security modes here and how WCF supports them:

Transfer Security Modes

  • None: No security at all. The service will not get any client credentials. High risk of message tampering.
  • Transport Security: Messages travel over secure communication protocols such as HTTPS, TCP, IPC and MSMQ. All communication on the channel is encrypted by these protocols. It is the simplest way of achieving transfer security, and the most performant option. Its main downside is that it can only guarantee transfer security point-to-point, meaning when the client connects directly to the service. Transport security is typically used only by intranet applications, where you have a more controlled environment.
  • Message Security: In this mode the message itself is encrypted. It provides privacy and mutual authentication. Encrypted messages can be transported over non-secure protocols like HTTP. Message security provides end-to-end security, regardless of the number of intermediaries involved in transferring the message and regardless of whether or not the transport is secure. The downside of message security is that it may introduce call latency due to its inherent overhead. Message security is typically used by Internet applications, where the call patterns are less chatty and the transport is not necessarily secure.
  • Mixed: Uses transport security for message integrity and privacy, and message security for securing the client’s credentials. Very rarely used.
  • Both: Transport Security + Message Security to provide more security.

How is Transfer Security mapped in WCF?

| WCF Binding | None | Transport Security | Message Security | Mixed | Both |
| --- | --- | --- | --- | --- | --- |
| basicHttpBinding | yes (default) | yes | yes | yes | No |
| netTcpBinding (TCP) | yes | yes (default) | yes | yes | No |
| netNamedPipeBinding (IPC) | yes | yes (default) | No | No | No |
| WSHttpBinding | yes | yes | yes (default) | No | No |
| NetMsmqBinding | yes | yes (default) | yes | No | yes |

Implementation in WCF

Transfer security is controlled by enums in .NET. The enum value can be passed in the constructor of a binding. Each binding’s enum exposes only the transfer security modes that are valid for that binding; for example, netNamedPipeBinding supports only none and transport security, so only “None” and “Transport” are available as options.


public enum BasicHttpSecurityMode

Programmatic implementation in code:

BasicHttpBinding binding1 = new BasicHttpBinding(BasicHttpSecurityMode.Message);
BasicHttpBinding binding2 = new BasicHttpBinding();
binding2.Security.Mode = BasicHttpSecurityMode.Message;

Configuration in Config File:

  • SecurityMode: used in netTcpBinding and WSHttpBinding
public enum SecurityMode
TransportWithMessageCredential //Mixed

Programmatic implementation in code:

var productEndpoint = productHost.AddServiceEndpoint(typeof(IMarketDataProvider),
new NetTcpBinding(SecurityMode.Transport), "net.tcp://localhost:8000/MarketService");

  • NetNamedPipeSecurityMode: used for the IPC binding (netNamedPipeBinding)

public enum NetNamedPipeSecurityMode

var bindingIPC = new NetNamedPipeBinding(NetNamedPipeSecurityMode.Transport);

  • NetMsmqSecurityMode: used for the MSMQ binding

public enum NetMsmqSecurityMode
NetMsmqBinding Binding1 = new NetMsmqBinding(NetMsmqSecurityMode.Message);


I’ll cover the implementation of different types of authentication in the next blog post: Something about Security in WCF- II



  1. […] Implement windows authentication and security in wcf Service December 15, 2011 Neeraj Kaushik Leave a comment Go to comments This is continuation with previous post on “Security in WCF -I”. […]


  2. chavika says:

    Thank you very much neeraj!

