I'm new to WCF and IIS.
Suppose I set up a WCF service with wsHttpBinding and Message Security and Windows authentication. Does that mean I don't need to use https on my IIS server? Ie. Is the message secure or isn't it?
Let me know if there is any further information I can provide.
Yes, the message is secure as it will be encrypted and signed by WCF in case of Message security. But make sure you considered all disadvantages of massage security. The most significant are: 1. Poor interoperability. 2. Worse performance compared to transport security.
For more details please refer to this article Message and Transport Security
You will also find the scenarios where it is best to use message security.
start with transport and message security understanding. We will then see simple code samples of how to implement transport and message security using WsHTTP bindings. We will also see the differences between ‘BasicHttpBinding’ and ‘WsHttpBinding’ with the help of a simple code. WCF security is a huge topic by itself, but I am sure with this article you will get a quick start of how to go about WCF security
http://www.codeproject.com/Articles/36732/WCF-FAQ-Part-3-10-security-related-FAQ
Related
I'm new to WCF and have very limited knowledge in WCF security. I have written an WCF service which should be exposed in internet for my clients. I need to Authenticate the clients to use my services. Clients should invoke my service with user id and password. I will do SSL certification as well but apart form that I need some authentication mechanism. Please advice me what binding,security mode, clientCredentialType and related configurations I should do for the security.
You can make use of WSHttpBinding for your services. The binding supports HTTPS transport and WS-Security. Along with this, you can also set security configuration at transport and message level. You can either specify that at ServiceContract or at OperationContract levels.
Here are few MSDN links to get you started:
Bindings and Security
WCF Security Fundamentals
Authentication with Transport Security
Please note that these may be very basic in comparison to your requirements.
It depends on what technology your clients use. If they are all .NET then you have free choice. If you have Java or other clients accessing your services you may have less headaches with BasicHttpBinding, which is completely adequate if you only need username authentication and SSL. The link #danish provided (http://msdn.microsoft.com/en-us/library/ff649647.aspx) shows you how to do that.
I have the following criteria to help me pick a WCF Http binding. My services need to:
be deployed in an intranet support impersonation/delegation
be interoperable with clients using unknown technology
support transaction flow between client and servers
not use certificates if possible (discards "Transport" security mode)
We need to decide between basicHttpBinding and wsHttpBinding.
Here are a few notes and questions on the three points:
I believe wsHttpBinding with "Message" security mode and "Windows" clientCredentialType would allow me to perform delegation.
The security configuration selected in point 1. to implement delegation does seem to make interoperability complex to support, am I right? The WS-* standards (wsHttpBinding) are definitely interoperable, but combined with "Message" security and "Windows" credential, could any WS-* compatible client invoke my services?
I believe wsHttpBinding seems the way to go here to support transaction flow?
Using "Message" security without certificates seems simpler in our situation?
Thanks in advance
If you want to support transaction flow, you need to use the wsHttpBinding. basicHttpBinding is really just that, a basic XML web service. MS claims it supports the WS-I Basic Profile v1.1 but it looks more like v1.2 since you can use MTOM with that binding.
Both are highly interoperable: wsHttpBinding is an implementation of numerous WS-* standards; what it doesn't support are older SOAP-only clients. That includes anyone using a .NET 2.0 style web service reference, and many forms of Java-based SOAP proxy.
With security, you start to get more of the benefits of a wsHttpBinding showing up. The basicHttpBinding cannot do Windows credentials, though, as you noted, that will limit your interoperability. I suspect you will find it very difficult to authentication non-Windows clients using Windows credentials, but as you indicated, that's the only way to get impersonation to happen. For non-WCF clients running on Windows, you may have more luck, since the client could still get access to the logged-in user's authentication token.
The best way to see how your security modes are going to affect non-WCF clients is to publish the bindings for your service and run the Java wsimport tool against them; if that can produce a working proxy from your WSDL then you should be able to use the service from any client.
If my Wcf Service and Web Application, both are in same server and if i want to access my web app over internet means which WCF security i have to use and why ?
Please advise me :)
Thanks
Kishore
It depends on binding and the context usage and not on transactions which is a different topic.
The intranet bindings (NetTcpBinding, NetNamedPipeBinding, and NetMsmqBinding) all
default to Transport security. Thus, no special programming is required on behalf of
the service or client developer. The reason is that on the intranet calls are typically
point-to-point, and Transport security yields the best performance. However, the intranet
bindings can also be configured for the None transfer mode; that is, they can be
used on the same transport protocol, only without security. The NetNamedPipeBinding
supports only None and Transport security—there is no sense in using Message security
over IPC, since with IPC there is always exactly one hop from the client to the
service. Also note that only the NetMsmqBinding supports the Both mode.
The Internet bindings all default to Message security, to enable them to be used over
nonsecure transports (that is, HTTP) and to accommodate multiple hops and
intermediaries.
I am implementing wcf web service hosting in IIS with basicHttpBinding those should be accesseble by .net 2.0 client like accessing ASMX services.
Any body can help with details & with few example/sample code.
thanks
nRk
WCF is more secure than ASMX and insists the basic fact that it never allows you to send plain-text credentials without encrypting those.
You need to ask yourself a few qusetions here:
how do I protect my messages going from the client to the server, so that the username/password is not sent as plain text?
how do I check the validity of the username/password once the message arrives at the server?
For the first point, you can do a number of things:
secure the transport layer, e.g. use HTTPS (with SSL) to protect the entire pipe going from the client to the server. In that case, you don't have to do much else - the whole communication channel is protected
secure the message (at least the username/password part) using encryption. In that case, you need to have at least a service certificate on the server, so that the calling client has a shared secret to encrypt the message - or you need to install a certificate on the client (usually not a good idea if you want everyone to call your service)
For the authentication part, you need to decide on:
using the ASP.NET membership subsystem which already has a user table against which you can validate the credentials provided
or roll your own from scratch - not recommended unless you really really have to and have a very specific need
WCF security is not an easy topic - you can find helpful information and scenarios on how to do certain things here:
WCF Security by the MIcrosoft Patterns & Practice group
Declarative WCF Security by Juval Lowy
With just the few pieces of information you provided, one cannot really give a "do this and that" kind of answer. You need to read up on WCF security and decide on what scenario you want to implement. I'm sure folks here can help you with more specific questions about how to achieve certain things in WCF security, if your questions are more focused on a particular problem / issue.
I'm creating a simple web service using WCF. The message needs to be encrypted and the user need to be authenticated through an asp.net provider.
What binding should I use for this? WsHttpBinding or WebHttpBinding?
Can anybody point me to a good example using the asp.net provider and self signed certificates with wcf.
Thanks
You say that the message needs to be encrypted, but don't specify whether you have a specific requirement for message-level encryption or if transport encryption might be enough.
If you transport-level encryption is enough, then BasicHttpBinding + SSL would work.
Otherwise, you'd use WSHttpBinding and configure message-level encryption. Of course, the decision might also be tied to the capabilities of any clients you want to consume the service.
You also mention WebHttpBinding, but that's used only for REST-style services. Is your service REST style? If so, then your only option would be SSL and using transport-level authentication, I think.