I have the following criteria to help me pick a WCF Http binding. My services need to:
be deployed in an intranet support impersonation/delegation
be interoperable with clients using unknown technology
support transaction flow between client and servers
not use certificates if possible (discards "Transport" security mode)
We need to decide between basicHttpBinding and wsHttpBinding.
Here are a few notes and questions on the three points:
I believe wsHttpBinding with "Message" security mode and "Windows" clientCredentialType would allow me to perform delegation.
The security configuration selected in point 1. to implement delegation does seem to make interoperability complex to support, am I right? The WS-* standards (wsHttpBinding) are definitely interoperable, but combined with "Message" security and "Windows" credential, could any WS-* compatible client invoke my services?
I believe wsHttpBinding seems the way to go here to support transaction flow?
Using "Message" security without certificates seems simpler in our situation?
Thanks in advance
If you want to support transaction flow, you need to use the wsHttpBinding. basicHttpBinding is really just that, a basic XML web service. MS claims it supports the WS-I Basic Profile v1.1 but it looks more like v1.2 since you can use MTOM with that binding.
Both are highly interoperable: wsHttpBinding is an implementation of numerous WS-* standards; what it doesn't support are older SOAP-only clients. That includes anyone using a .NET 2.0 style web service reference, and many forms of Java-based SOAP proxy.
With security, you start to get more of the benefits of a wsHttpBinding showing up. The basicHttpBinding cannot do Windows credentials, though, as you noted, that will limit your interoperability. I suspect you will find it very difficult to authentication non-Windows clients using Windows credentials, but as you indicated, that's the only way to get impersonation to happen. For non-WCF clients running on Windows, you may have more luck, since the client could still get access to the logged-in user's authentication token.
The best way to see how your security modes are going to affect non-WCF clients is to publish the bindings for your service and run the Java wsimport tool against them; if that can produce a working proxy from your WSDL then you should be able to use the service from any client.
Related
I'm new to WCF and have very limited knowledge in WCF security. I have written an WCF service which should be exposed in internet for my clients. I need to Authenticate the clients to use my services. Clients should invoke my service with user id and password. I will do SSL certification as well but apart form that I need some authentication mechanism. Please advice me what binding,security mode, clientCredentialType and related configurations I should do for the security.
You can make use of WSHttpBinding for your services. The binding supports HTTPS transport and WS-Security. Along with this, you can also set security configuration at transport and message level. You can either specify that at ServiceContract or at OperationContract levels.
Here are few MSDN links to get you started:
Bindings and Security
WCF Security Fundamentals
Authentication with Transport Security
Please note that these may be very basic in comparison to your requirements.
It depends on what technology your clients use. If they are all .NET then you have free choice. If you have Java or other clients accessing your services you may have less headaches with BasicHttpBinding, which is completely adequate if you only need username authentication and SSL. The link #danish provided (http://msdn.microsoft.com/en-us/library/ff649647.aspx) shows you how to do that.
I need to create a web service to collect data from my customer’s applications.
Those applications are programmed with different technologies and they all have one thing in common: they can consume plain SOAP Web Service.
I already have a WCF Service that could be exposed but as it was built for internal purpose only, I never had to secure it.
I did read a lot of articles on how to secure WCF service and how to consume it from a Microsoft client application. However, I'm really concern about the customer’s non-microsoft applications abilities to implement a standard WCF Service security. I must keep in mind that some of them might be stateless and unable to hold on to a session or anything that might be required by a secure WCF Service.
So here are the options I have right now.
1) Add username/password parameters to each WCF function and perform a credential check on every call. (I do have an SSL certificate... is it enough to consider this option as secured?)
2) Drop my WCF Service and create a plain SOAP Web Service with username/password parameters as mentioned in option #1 to be closer to my customer’s applications capabilities.
3) Implement standard WCF security and let the customers find a way to deal with it on their own. (The real question here: is WCF security simple enough to be implemented by any SOAP client?)
4) Change my name and move to Jamaica with my customer’s money before they find out that I’m a Web Service security noob.
5) Something else…
So what is the my best option here?
Yes, I can offer the option we use. It sounds like you want basicHttpBinding.
We have a WCF web service using basicHttpBinding and set IIS to use basic http authentication.
Therefore non-.NET clients can consume it easily (basicHttpBinding) and we can give them an Active Directory domain account that allows them access via IIS. No usernames / passwords to constantly send back and forth through the web service and it runs over HTTPS for security.
It's currently being consumed by PHP, Java and .NET clients. Yes, .NET clients can still import this as a service reference which makes thing like trapping FaultExceptions easier.
No solution is perfect for everyone but works great for our needs.
Yes, but certain configurations favour certain vendors. See the WCF Express Interop Bindings project on CodePlex:
http://wcf.codeplex.com/wikipage?title=WCF%20Express%20Interop%20Bindings
They offer settings for interop with:
Oracle WebLogic
Oracle Metro
IBM WebSphere
Apache Axis2
The Oracle Metro (previously known as SUN WSIT) stack is by far the most advanced as regards the WS-*/Oasis standards.
As the name states... right now I'm using BasicHttpBinding, but I'm wondering if I can switch to WSHttpBinding and still be interoperable with, for example, Java.
wsHttpBinding and the newer ws2007HttpBinding both implement WS-* standards. You may have to configure the details so that they interoperate with your specific clients.
WSHttpBinding offers a lot of interoperable features but in the same time it by default uses message security with Windows authentication, service credentials negotiation over SPNego protocol and security context (WS-SecureConversation). Windows authentication and SPNego are not good candidates for interoperability and secure conversation doesn't have to be provided by older SOAP stacks.
So the answer is "it depends". You usually have to configure WSHttpBinding to be interoperable with Java. Moreover you don't have "full" control over used protocols (especially for security part) so sometimes you will use custom binding for interoperability.
I have an application that uses Silverlight and ASP.NET as a front-end. It retrieves data from the server by calling some RESTful WCF services that are hosted there. I'd like to prevent the curious user from opening up a new browser window and calling the web service themselves. Is there a way to restrict access to the web services to a specific application?
Thanks!
You can use HTTPS to secure the endpoint and require authentication. You can put an obnoxiously long secret key embedded in the code. Unfortunately, System.Security.Cryptography is not in the SL install, so no encrypt on server/decrypt on client capabilities. And there's no reason the user couldn't just use something like reflector to read the code anyway.
SL can be made "mostly securish", but definitely not secure.
Here's the guide of the Patterns & Practices team for WCF Security. There's a lot to be found there.
http://www.codeplex.com/WCFSecurityGuide
If you're truly interested in securing your web services, you should think about migrating from RESTful services to SOAP Based Web Services and implementing the WS-Security standard for Message based Encryption.
You can then secure your services so only clients that have the proper security information (be in username/password or X.509 certs) can call your web services.
Update
As you can see...I've removed X.509 as an option. I blanked for a moment and forgot the WS-Security limitations in Silverlight. The good news is that you can implement username tokens based on the WS-Security standard in Silverlight:
Implementing Username Password & WS-Security with Silverlight
No there's not.
An exploratory question, here. After some reading, I'm getting a sinking feeling that WCF's authentication options aren't "friendly" to non-Microsoft clients, or require a great deal of effort to implement. I'm building a REST WCF service for which I wanted some kind of simple digest authentication; e.g. I store a username and password in Web.config and share that with the team that will use the service. The team that will consume this service is a legacy shop not versed in Microsoft tooling or helpers; e.g. ANSI C/C++, PHP, etc.
Anyway, MSDN tells me that digest authentication requires that the server be in a domain. I don't want or need this service to be in a domain. That seems like an odd requirement. So I dismissed that option.
So I read about NTLM and Windows authentication, but I worry that I'd be imposing a burden on the other team by only supporting Microsoft-flavored, proprietary authentication methods; won't they have to put forth a lot more effort to code against such a service? These methods seem intrinsically tied to concepts like Windows domains and user accounts, etc.
If you just look for "friendliness" then you can go for basic authentication which is pretty much supported everywhere.
However, unless that is coupled with some kind of transport level encryption then passwords will be transferred in clear text - a pretty bad situation security-wise.
NTLM and kerberos authentication is supported by several non-WCF technologies does but a burden/requirement on the environment in which the are used.
You could look into some kind of message level authentication meaning that the credentials will be part of the message instead of handled by the transport. WCF supports the WS-* specifications that relate to message level security. Those specifications are again not tied to WCF or Windows.
I sounds like the simplest way in your setup would be to use basic authentication and use HTTPS for the transport.
Windows Authentication is intended for use in intranet services where there is a domain controller you can use to manage your credentials and authorization.
You need to check the Forms Authentication, that will probably meet your needs.