I have a few WCF Services with wsHttpBinding with TransportWithMessageCredential security. Windows credentials must be provided on each request and therefore are used for authentication (by design by AD), authorization (with AD by AZman) and to identity the user who performed the action (auditory purposes).
The thing is now I need to perform some load tests on these services, using Jmeter, and I'm strugling how can I authenticate the user for each request, I was wondering if anyone had ever mede this?
I really need to test with this security concern because the authentication and authorization processes are part of the load tests itself. I could remove them but then the load tests wouldn't be accurate.
The solutions I have in my mind are:
Ensure this is possible to achieve via JMeter
Create a WCF Routing Service on top of these services, exposed as basicHttpsBinding which then routes the requests to appropriate destination service, performing impersonation (seems to be a choise but it is not the original test case as well)
Remove security for load test purposes, but then a part of the tests would be removed as well (along with security)
Out of box JMeter doesn't support any SOAP security implementations so you might want to use i.e. WS Security for SOAP plugin
You should be able to provide your Windows credentials via SOAP Message UsernameToken
and the plugin will generate the relevant wsse:Username token
More information: Running SOAP WS-Security Load Tests in JMeter
Related
I have read about various implementations of authentication and authorization for WCF, starting from reusing some built in .NET and WCF features and ending with completely custom implementations.
But there are so many factors to take into account, so I'm confused about how to implement it for my intranet business application project.
Here is what I need:
- WCF .NET 4.5 services will be hosted in IIS 7 or newer.
Most probably, ASP.NET compatibility will be disabled.
Protocol will be HTTP with BasicHttpBinding, but it might need binary serialization to minimize traffic.
WCF method will receive a custom session ID which will be checked against a user session object in a database. No .NET sessions are allowed in this project.
After receiving the ID, the service will read the corresponding user data (including authorization flags to see if the user is allowed to execute the current operation) and validate it. If data is invalid, an exception will be thrown and the WCF operation won't be executed. If validation succeeds, the identity of the user will be stored in a current operation context (and also current thread principal) so it can be accessed by various components during the WCF operation execution.
All the authentication&authorization should be done transparently before the execution of the WCF operation - without additional efforts from programmers who will create the WCF methods.
I need access to the WCF operation name being executed, when I perform the auth validations, so I can throw an exception if the user does not have permissions to execute the operation.
testers will use SoapUI, so they'll need to be able to pass the session ID through standard SOAP or HTTP headers.
Which would be the most straightforward way to implement my auth routines? Should I use a custom binding? Custom behavior? Some kind of a built-in request event handler (which one exactly, and will they work if ASP.NET compatibility is disabled)? Authorization policy (seems a bit overkill because I won't be using most of its built-in features anyway)? Something else?
You can try making use of Message Inspectors. Your session ID can be passed like a token through SOAP or HTTP Headers and will be inspected by WCF through your defined behavior before it executes the actual service operation.
You can check the articles here and here, particularly focusing on the IDispatchMessageInspector interface which offers the "AfterReceiveRequest" and "BeforeReceiveReply" methods.
I have a web service that accepts CAS proxy tickets over HTTP Basic authentication headers via Spring Security. How do I perform integration testing with my client since there seems to be no programmatic way to fetch CAS tickets?
Since the CAS setup is one of the more tricky aspects of the project configuration I really need that to be part of our automated integration tests but I have hit a roadblock.
You be interested in the CAS RESTful API: https://wiki.jasig.org/display/CASUM/RESTful+API
The RESTful API follows the same basic protocol as the original CAS2 protocol, augmented with some additional well-defined resource urls. This is particularly helpful for applications that need to programmatically access CAS.
Hope this helps.
I am very new to using WCF services. Right now I have a WCF service that I call using jQuery. I'm concerned about users making unauthorized calls to the service. What would be the best way to secure my service?
If this is a browser app and you're worried about security, presumably you already have some sort of authentication mechanism (cookies, sessions, something). All these are accessible from WCF services (I'm assuming you're using webHttpBinding or basicHttpBinding?) via the WebOperationContext.Current.IncomingRequest property. You can check/validate a cookie (or whatever else) from your service code, or write a cross-cutting MessageInspector to apply the check to all methods on your service behavior. WCF services also can be integrated with traditional ASP.NET authentication (forms, etc) if you host the service with the compatibility flag. The browser app logs in normally, and your service can consume the credential/token/whatever.
you can use a certificate to sign the WCF messages (it's all in the WCF Settings) on both sides (client and server)
Here is some detailed explanation:
Message Security
Is there a clean way to expose a WCF REST service that requires basic authentication, but where we handle the actual validation of the username/password ourselves? It seems that when you tell WCF in config that you want to use basic authentication, it forces you to turn on basic authentication in IIS and IIS can only do basic authentication against window accounts.
The only hack we have found is to lie to WCF and tell it there is no security on the service and then do authentication outside of the WCF stack using a generic IHttpModule (which has a proprietary config file to indicate which URLs have which authentication/authorization requirements).
It seems like there should be a better way. Anyone have one?
The WCF REST Contrib library enables this functionality:
http://github.com/mikeobrien/WcfRestContrib
It also allows you to secure individual operations.
is the username and password set on the client like:
cc.ClientCredentials.UserName.UserName = ReturnUsername();
cc.ClientCredentials.UserName.Password = ReturnPassword();
Or are they embedded in the body of the REST message?
If the former, you can use a custom UserNamePasswordValidator:
http://msdn.microsoft.com/en-us/library/aa702565.aspx
If the latter, you can set the service to no security, and use a custom ServiceAuthorizationManager to validate the contents of the message:
http://msdn.microsoft.com/en-us/library/ms731774.aspx
Hope one or the other helps! I'd try to post sample code & config, but I'm # home and dont have access to code, which is all # work.
See Custom Basic Authentication for RESTful services. Pablo's approach uses the interceptor functionality that is provided via the REST starter kit to solve the problem. If you do not want to depend on the REST starter kit, then you can create your own service host and use the inteceptor functionality provided.
If you host it on IIS, using custom http module is the way to go. You can bring over the principal over to WCF side to do code access security. See HTTP Basic Authentication against Non-Windows Accounts in IIS/ASP.NET (Part 3 - Adding WCF Support). Also see Custom HTTP Basic Authentication for ASP.NET Web Services on .NET 3.5/VS 2008.
If you are not using IIS, you should be able to implement userNameAuthentication. See Finally! Usernames over Transport Authentication in WCF.
Yes absolutely there is a way. You need to configuring a custom userNamePasswordValidationMode value for your service and point it to a class with an overridden method that can inspect and validate the credentials provided. When making a RESTful call, these credentials when using Basic authentication in its proper form should be in the request header. With this custom method you can inspect the credentials and then authenticate the client to your service. No Windows accounts or domain even needed.
The nice thing is you can then take that security context to the next level and provide fine-grained authrization at the method level. You might have instances where a large pool of clients are able to access the service, but not all methods within (i.e. paid clients vs. unpaid). In this case you can also provide authorization at the method level as well if needed.
Below is a step-by-step solution (with too many steps to embed) by me that contains both the needed configuration and security required to have a complete solution. The problem is often Basic authentication is used without securing the Transport with a SSL certificate and this is bad. Make sure to follow all the steps and you will implement Basic authentication without the need of any type of Windows accounts or configuration on your WCF RESTful based service.
RESTful Services: Authenticating Clients Using Basic Authentication
The environment is in-house service based applications running in a Windows environment with WCF.
There are several "middle-tier" ASP.NET Web Applications and Web Services that authenticate the final client using Windows authentication, and use ASP.NET Roles to set Thread.CurrentPrincipal to a suitable RolePrincipal. These applications each run under their own service account, which is a domain account, and are considered to be trusted subsystems.
Some back-end WCF web services that may only be accessed by these trusted "middle-tier" applications. They use Windows Authentication to limit access to the service accounts used by these applications.
We now have a requirement for the back-end services to audit the identity of the final client whose call to the middle-tier application resulted in the call to the back-end service.
To avoid making any application changes, I was thinking of writing an endpoint behavior which inserts a SOAP Header with the final client's identity into the request sent to the back-end service. Note that the middle-tier applications are trusted, so no authentication of this SOAP Header would be required.
It occurred to me that this requirement may not be unique, so before I invent my own SOAP Header for this purpose I thought I'd ask if there exist any standards in this area I could reuse?
It sounds like you're after WCF Impersonation, check out the MSDN Link or Google that search term for more info. I've never used it myself so can't fully advise, but hopefully it's what you're after. Good luck
Edit: Does the WCF OperationContext not carry through the identity to the second phase? (OperationContext.Current.ServiceSecurityContext.PrimaryIdentity.Name)