We currently use a WebLogic client to talk to a WCF web service which is set up with a security mode of TransportWithMessageCredential. This allows us to authenticate over HTTPS using username/password sent as part of the HTTP bindings.
We're now trying to do the reverse -- WCF client talking to a WebLogic 12c web service, with the same authentication scheme. I think we have the client under control.
But how does one set up a WebLogic server in this fashion?
Related
It is advised that ASP.NET Core must use a strong web server such as WebListener or a proxy as an internet gateway. My question is: is the built-in reverse proxy strong enough for that role? If I use ASP.NET Core + Kestrel in my internal service and all external communication goes through the reverse proxy after the load balancer, is it secure?
Short answer: no
It's just a proxy with some smart retry logic.
You want to put a WAF, or Azure API manager, in front of it if you want to publish all your internal services to the internet and use Kestrel, or use WebListener for all your services.
Yes.
"The reverse proxy is built on the same Windows HTTP Server API (http.sys) that WebListener uses which provides the DoS protection that is currently missing from Kestrel." - Vaclav Turecek (github)
Scenario
WCF service on our public DNN website using a WsHttpBinding over SSL.
security mode is TransportWithMessageCredential
Requires Username and password authentication
One WCF client consuming the service on our Intranet
I understand the basic idea of point-to-point security using SSL, but my question is - can I still have point-to-point security if my client app (on our Intranet) is connecting to a WCF service on our public website over SSL? Does this service being on the Internet open it up for "man in the middle" attacks considering the communication is going over the Internet? Am I not fully understanding man in the middle attacks?
I should note, the app on our Intranet is the only client that will be using this service or at least, this isn't something that I'm going to allow (give out other username/passwords) anyone else to consume or use.
Thanks
I have a WCF service which is connected to an ADFS as a relaying party. This ADFS is acting as an identity provider. Now, on the client side, there is a Java client which wants to call the WCF service, but before that it has to be authenticated in ADFS with a username and password for a token. I have successfully done it for a .NET client but do not have any idea for a Java client. Can anyone help?
For web services, ADFS uses WS-Trust.
The Metro stack, e.g., implements this, but for a standalone client you probably need something like Axis2, which implements this via Apache Rampart.
I have a Silverlight 4 application which needs to consume some services hosted on a Java (I think CXF) Web Service.
For some reason, I can't access the service directly, so I have to go through a relay service.
I created a WCF relay service.
The service uses SOAP 1.2 and WS-Addressing 1.0.
What I ask is: what level of security can I reach?
The ideal situation is to use a mutual authentication of the server (CXF) and my client.
If Silverlight does not support this, the second possibility is to have a "simple" HTTPS connection between my Silverlight client and my relay server, but then, is it possible to "add" mutual authentication between the relay and CXF? Or is the only possible solution to have a simple SSL connection with only server authentication?
I have created and tested a WCF REST service that is protected with SSL and Windows Authentication through IIS 7. I have also created and tested a pure HTML/JavaScript web client that is hosted in IIS 7 and is protected with SSL and Windows Authentication -- same server, different "site" within IIS. The REST service is not public, but the web client is.
Without security, everything works beautifully, but now we are ready for field testing and security must be implemented.
My end goal is to have the user visit mywebclient.com and authenticate using their Active Directory accounts. Initially I thought it would be safe to leave the service calls from the client to the REST service unprotected (since the traffic from the web client to the web service would be internal), but this does not protect us from an internal attacker. Also, in the future, the REST services will be available to handhelds through native applications.
I've tried to gain as much information on this subject as possible, but every piece of Microsoft documentation contains client examples written in .NET.
How can I share the security context between these sites without converting the web client to a .NET-based application? Could this be accomplished by combining the web client and service into one IIS "site"?
Edit: If the client and service exist in the same app pool, does that mean they could share authentication information between client and server processes?