Can someone please explain to me how the flow works when I have a Silverlight application that uses WCF RIA and Entity Framework, so that I better understand where to secure the transport of information.
I think of it as: the user enters the website and the Silverlight application is downloaded to the user's computer. Then if the user wants to create a new entry, he enters the details, and a new instance of the service is created. The service is in the web project with the Silverlight application. Then the information is sent to the web service in the web project, and from the web service the information is sent to the server where the DAL is.
All the information is sent in XML.
And I have to secure it from the user to the web service, and from the web service to the server where the DAL is.
Am I right, or is it completely wrong?
Thanks
The best way I found to encrypt data between client and server with WCF was setting EnableClientAccess to require a secure endpoint in the DomainService:
[EnableClientAccess(RequiresSecureEndpoint = true)]
public partial class DomainService : LinqToEntitiesDomainService<YourEntities>
Related
I need to host a WCF service that will give its clients access to internal business systems on a public facing web server. Obviously I must secure this so that no one from the outside world even knows the service exists, let alone be able to call methods and access the data it exposes.
The overall idea is that the public facing website hosted on the same machine will call the WCF service and then the WCF service will provide it with the required data...
Public Facing Web Site <-> WCF Service <-> Business Systems / Databases
So I need to understand how to secure the service so it can only be accessed via the public facing website.
Ideas I had:
IIS filtering so that the IIS Site hosting the WCF service will only accept requests from a certain IP address.
Obscure port that will not be allowed through the public facing firewall.
Protocol such as NetTCP or NamedPipes
But what about the actual WCF security setup? As both the public facing site and the service are on the same machine, is Windows Authentication an option? Questions I have regarding this are...
Should the service client and the service simply use Windows Authentication?
Do I need specific user accounts as opposed to Network Service? If the website runs under network service would this then automatically authenticate to the service?
My objective is that someone in the outside world should not know of the service's existence or be able to access it.
Thanks in advance.
Technical environment is: IIS7, .Net 4 and WCF 4.
I would suggest you create a http handler '.ashx' and use that as the endpoint for client requests.
If you're using ASP.NET you can secure it by using simple forms authentication and retrieving the username and password from the request headers to authenticate the request.
Then execute any requests to your business web services, which are also secured by your forms authentication.
Cheers
I have one question about WCF web service security. Currently, we are developing an Android mobile project and using a WCF web service for data transfer and manipulation.
We use basicHttpBinding and host the web service as a Windows Service.
We don't have any security mode at the moment and I am afraid that anyone can consume our web service if they know the service address.
For example, we have one service method that returns a string value. Currently, I can add that service to another Visual Studio project or mobile project and consume it any time.
//WCF Service Method
public string DoWork()
{
return "This is return string!";
}
//We can consume it like below from another .NET project by adding a service reference.
//Actually, these are not real clients.
ServiceReference1.WebServiceClient serv = new TestingPrj.ServiceReference1.WebServiceClient();
string result = serv.DoWork();
My question is how can I secure my web service for real clients? I don't want other projects and people to consume our web services.
The simplest method is to use Basic Authentication over SSL. Basic Authentication requires the client to have a username/password pair, which only your application will know. If the authentication is purely to know if your client is the right one (rather than knowing which user is connecting), then you can use a single, hard-coded username/password.
SSL should be used as well so the credentials don't travel the wire in plain text, where they could be sniffed.
Using SSL certificates is the most secure way.
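As an added example (not code from the question or the answers above), here is the service from the question self-hosted so that it only answers callers who present the shared application credential over TLS. It uses basicHttpBinding with TransportWithMessageCredential, i.e. the username/password travels inside the SOAP message and TLS protects the wire, and plugs in a custom UserNamePasswordValidator. The contract and class names, the port, and the credential value are assumptions; a server certificate must already be bound to the HTTPS port on the host machine.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;
[ServiceContract]
public interface IWorkService
{
    [OperationContract] string DoWork();
}

public class WorkService : IWorkService
{
    // Only reached after the validator below has accepted the caller's credential.
    public string DoWork()
    {
        return "Hello " + ServiceSecurityContext.Current.PrimaryIdentity.Name;
    }
}

// Hypothetical validator: one shared client credential, as the answer suggests.
// The secret is a placeholder; in practice read it from protected configuration.
public class AppClientValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName != "androidApp" || password != "<client-secret-placeholder>")
            throw new SecurityTokenException("Unknown client");
    }
}

public static class Program
{
    public static void Main()
    {
        // TLS protects the wire (certificate assumed bound to port 8443); the UserName
        // token carried in every message identifies the calling application.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
        using (var host = new ServiceHost(typeof(WorkService), new Uri("https://localhost:8443/WorkService")))
        {
            host.AddServiceEndpoint(typeof(IWorkService), binding, "");
            var auth = host.Credentials.UserNameAuthentication;
            auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
            auth.CustomUserNamePasswordValidator = new AppClientValidator();
            host.Open();
            Console.WriteLine("Listening; callers without a valid UserName token never reach DoWork.");
            Console.ReadLine();
        }
    }
}
```

A proxy generated from this endpoint must set ClientCredentials.UserName before calling DoWork; a call without it is rejected by the WCF security layer before the service method runs.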
I'm using WCF to build some REST-based services. These services will be connected to via client-side Silverlight and Java applications. I would like to know some information about the requester. My question is, what class exposes requester information in WCF and how do I access it?
I know in ASP.NET I can use HttpRequest. I can even get more details via the HttpRequest.Browser property.
I just read about this:
WebOperationContext.Current.IncomingRequest
where you should find info about the client and the HTTP request headers.
Hope it helps.
Here is my question, I have a solution with 4 projects in it for a WCF Service :
DLL Library : Service Interface.
DLL Library : Service Code.
Form Application : Service hosting application.
Form Application : Service client application.
I'd like to have certain properties of the service accessible for the hosting application but not for the client one. If I declare a property in the client interface they will both have access to it.
In fact, my service manages user identity login and keeps a list of all users currently logged in. I'd like to be able to show this list in the hosting application, like a debugging tool. But I don't want the service client to be able to access this list.
How can I do this?
Thanks in advance.
You can put that code into "2" (service code). Since you only share an interface with the client, it will not be exposed.
Also, if that logic (authentication and authorization) is "hosting app" specific, maybe it should be in the hosting app itself rather than in the service code.
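As an added example (not code from the question or the answer), this is what the split looks like in C#: the shared interface DLL carries only Login/Logout, while the logged-in list lives on the implementation and is read by the hosting application through the instance it handed to ServiceHost. The names IUserSession and UserSessionService and the port are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;

// The only thing the client library ever sees: Login/Logout, nothing about the list.
[ServiceContract]
public interface IUserSession
{
    [OperationContract] bool Login(string userName);
    [OperationContract] void Logout(string userName);
}

// One shared instance, so the host inspects the very object that serves clients.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.Single,
                 ConcurrencyMode = ConcurrencyMode.Multiple)]
public class UserSessionService : IUserSession
{
    private readonly HashSet<string> _loggedIn = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    private readonly object _gate = new object();

    // Credential checking omitted; the example is about what is exposed, not how users prove identity.
    public bool Login(string userName) { lock (_gate) return _loggedIn.Add(userName); }

    public void Logout(string userName) { lock (_gate) _loggedIn.Remove(userName); }

    // Not on IUserSession, so it is absent from the service metadata and no
    // generated proxy can call it; only code holding the object itself can.
    public List<string> SnapshotLoggedInUsers() { lock (_gate) return new List<string>(_loggedIn); }
}

public static class HostProgram
{
    public static void Main()
    {
        var service = new UserSessionService();
        // Passing the instance (not the type) is what gives the host its handle to the list.
        using (var host = new ServiceHost(service, new Uri("http://localhost:8080/UserSession")))
        {
            host.AddServiceEndpoint(typeof(IUserSession), new BasicHttpBinding(), "");
            host.Open();
            Console.WriteLine("Service running. Press Enter to list logged-in users (host-only view).");
            Console.ReadLine();
            foreach (var user in service.SnapshotLoggedInUsers())
                Console.WriteLine(user);
        }
    }
}
```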
I have this existing environment:
1) ASP.NET 3.5 web application
2) forms authentication with the SqlMembershipProvider
I need to add the following:
1) a Silverlight charting object embedded in a web page.
2) a WCF service to be consumed by:
a) the Silverlight component embedded in an authenticated web page, as mentioned above
b) server-based WCF clients with certificate based authentication
My question is - what is the easiest/best way to configure the WCF endpoints for the Silverlight object to authenticate to the WCF service using the security context of the already logged-in user (via the page that’s hosting the Silverlight object) without having to use the user's username/password again?
I've researched a lot of the MSDN and Patterns & Practices material and I thought I had a decent grasp of many of the potential authentication scenarios. But I can't seem to figure out a way to tie them together for the scenario I've outlined. I've found other people posting similar questions to mine but none of the answers I've read seem to fully answer their questions either. (Maybe I'm making this harder than it needs to be?)
I would think that the solution would be to somehow use the authentication token/cookie generated in the asp.net form login and somehow pass that to the Silverlight object which then includes it in the WCF request. But I don't see how to configure the WCF endpoint to use that token.
(In some of my other projects I've implemented the server-to-server scenario in 2.b above using certificate-based authentication, so I'm not too worried about adding that to the current mix I've outlined.)
Thanks in advance for any insight or pointers to the path forward.
Terry
Thanks codemeit for trying to help but I finally figured out what I was doing wrong - it was pilot error.
In trying to configure the endpoints for my Silverlight app I was testing with an asp.net page. I finally realized that when I test that way, the client endpoint is no longer originating from the authenticated browser - the client endpoint is the IIS server which in turn executes the request against the WCF server endpoint. So the security context changes and HttpContext.Current.User.Identity is always empty at the WCF server endpoint.
Once I got my test SL app running in the browser, it automatically inherited the security context of the authenticated browser and then HttpContext.Current.User.Identity was correct and authenticated at the WCF server endpoint.
Have you tried enabling your WCF services with ASP.NET compatibility? Then see if the following is true:
string currentUserName = HttpContext.Current.User.Identity.Name;
bool isLoggedIn = HttpContext.Current.User.Identity.IsAuthenticated;
If these properties are populated with the expected values, then this is the one you are after.
To enable ASP.NET compatibility, add to web.config:
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
Add to the service implementation class:
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
In this case, the endpoint would be using basicHttpBinding, and you could check the authentication at run time within WCF.