Silverlight, WCF service relay and security - wcf

I have a Silverlight 4 application which needs to consume some services hosted on a Java (I think CXF) Web Service.
For some reason, I can't access the service directly, so I have to go through a relay service.
I created a WCF relay service.
The service uses SOAP 1.2 and WS-Addressing 1.0.
What I ask is: what level of security can I reach?
The ideal situation is to use mutual authentication of the server (CXF) and my client.
If Silverlight does not support this, the second possibility is to have a "simple" HTTPS connection between my Silverlight client and my relay server, but then, is it possible to "add" mutual authentication between the relay and CXF? Or is the only possible solution a simple SSL connection with only server authentication?

Related

Restrict the client connection in WCF service

I have created a WCF service and hosted it in a console application. I have 2 client applications which will communicate with that WCF service. Now I want to restrict 3 clients from connecting to this WCF service.
Is there any way to reject the connection at the server side for a 3rd client?
Or is there any way the server can validate the connection before establishing it with the client?
Server side code
Uri httpBaseAddress = new Uri("net.pipe://localhost/ServiceHost/ServiceHost");
studentServiceHost.AddServiceEndpoint(typeof(StudentService.IStudentService), binding, httpBaseAddress);
studentServiceHost.Open();
If you want to stop 3 clients from connecting to the service at the same time, you can use the maxConnections attribute of the binding, setting it to 2.
If you only want specific clients to access your service, then you need to set up authentication; see: WCF self hosting require authentication

wcf security intranet nettcpbinding client non-domain account - options

The WCF service is hosted on IIS 7.0. The WCF client is a Windows service running under the Local System Account. Both the service and the client are hosted in the intranet. The binding I am using is the netTcpBinding with Transport security. Message security cannot be used because of Streaming. Certificates cannot be used because of deployment considerations. What are my options to ensure the best possible security in this scenario?

WCF over SSL - Can I still have point-to-point over the Internet?

Scenario
WCF service on our public DNN website using a WsHttpBinding over SSL.
security mode is TransportWithMessageCredential
Requires Username and password authentication
One WCF client consuming the service on our Intranet
I understand the basic idea of point-to-point security using SSL, but my question is - can I still have point-to-point security if my client app (on our Intranet) is connecting to a WCF service on our public website over SSL? Does this service being on the Internet open it up for "man in the middle" attacks considering the communication is going over the Internet? Am I not fully understanding man in the middle attacks?
I should note, the app on our Intranet is the only client that will be using this service or at least, this isn't something that I'm going to allow (give out other username/passwords) anyone else to consume or use.
Thanks

WCF and CipherSpecs (SSL_RSA_WITH_AES_128_CBC_SHA)

I have a 3-tier application where the server is a Windows service and the client connects to it using WCF. I need to provide some integration with a 3rd-party application. For this I plan to implement a separate integration service and host it with WCF. But one of the most important requirements is to use the SSL v.3.0 CipherSuite SSL_RSA_WITH_AES_128_CBC_SHA to secure the connection between the server and the 3rd-party application.
My question is: how do I configure my WCF service to enable the SSL v.3.0 CipherSuite SSL_RSA_WITH_AES_128_CBC_SHA?

Secure WCF service

I am very new to using WCF services. Right now I have a WCF service that I call using jQuery. I'm concerned about users making unauthorized calls to the service. What would be the best way to secure my service?
If this is a browser app and you're worried about security, presumably you already have some sort of authentication mechanism (cookies, sessions, something). All these are accessible from WCF services (I'm assuming you're using webHttpBinding or basicHttpBinding?) via the WebOperationContext.Current.IncomingRequest property. You can check/validate a cookie (or whatever else) from your service code, or write a cross-cutting MessageInspector to apply the check to all methods on your service behavior. WCF services also can be integrated with traditional ASP.NET authentication (forms, etc) if you host the service with the compatibility flag. The browser app logs in normally, and your service can consume the credential/token/whatever.
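The cross-cutting cookie check described in the answer above, sketched as a message inspector. This is an added example, not code from the original answer; the cookie name `session`, the `isValidSession` delegate and the use of webHttpBinding (so the rejection surfaces as HTTP 401) are assumptions.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Web;

// Rejects requests without a valid session cookie before any operation runs.
// Assumptions: cookie name "session"; isValidSession wraps your existing login check.
public class CookieAuthInspector : IDispatchMessageInspector, IEndpointBehavior
{
    private const string CookieName = "session";
    private readonly Func<string, bool> isValidSession;

    public CookieAuthInspector(Func<string, bool> isValidSession) { this.isValidSession = isValidSession; }

    public object AfterReceiveRequest(ref Message request, IClientChannel channel,
                                      InstanceContext instanceContext)
    {
        object prop;
        string token = null;
        if (request.Properties.TryGetValue(HttpRequestMessageProperty.Name, out prop))
            token = ReadCookie(((HttpRequestMessageProperty)prop).Headers[HttpRequestHeader.Cookie]);
        // Fail closed: a missing HTTP property, missing cookie or invalid token is rejected.
        if (token == null || !isValidSession(token))
            throw new WebFaultException(HttpStatusCode.Unauthorized);
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }

    // Pulls one cookie value out of a raw "a=1; b=2" Cookie header.
    private static string ReadCookie(string header)
    {
        if (string.IsNullOrEmpty(header)) return null;
        foreach (string part in header.Split(';'))
        {
            string[] kv = part.Trim().Split(new[] { '=' }, 2);
            if (kv.Length == 2 && kv[0] == CookieName) return kv[1];
        }
        return null;
    }

    // IEndpointBehavior: attach the inspector so it covers every operation on the endpoint.
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher dispatcher)
    { dispatcher.DispatchRuntime.MessageInspectors.Add(this); }
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection p) { }
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime runtime) { }
    public void Validate(ServiceEndpoint endpoint) { }
}
```

Add an instance to the endpoint's `Behaviors` collection before the host is opened; because the check runs in the dispatcher, a newly added operation cannot be exposed without it.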
You can use a certificate to sign the WCF messages (it's all in the WCF settings) on both sides (client and server).
Here is some detailed explanation:
Message Security