I have created a WCF service which is hosted in a Windows service over the NetNamedPipeBinding protocol. Now I want to provide security to this service, as in, only users with known usernames and passwords should access this service. So how do I provide method-level authentication to users to access this service?
NetNamedPipe binding doesn't support message-level security out of the box. That would require a custom binding. NetNamedPipe binding works only when both service and client are running on the same machine, so there is an assumption that if a user has permission to log in and the service is running, she also has permission to call it. If you need to restrict the users who can call the service, you can always use a custom authorization manager or role-based security.
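A custom authorization manager of the kind this answer mentions, as an added example that is not code from the original post: it uses the Windows identity that the named pipe transport authenticates and checks it per operation. The contract `IReportService`, the pipe address and the group-per-operation policy are assumptions made up for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IReportService // hypothetical contract
{
    [OperationContract] string ReadReport(int id);
    [OperationContract] void DeleteReport(int id);
}

// WCF calls CheckAccessCore before dispatching each operation; false means "access denied".
public sealed class PipeAuthorizationManager : ServiceAuthorizationManager
{
    // Operation name -> Windows group allowed to call it (constructed policy).
    private static readonly Dictionary<string, string> RequiredGroup =
        new Dictionary<string, string>
        {
            { "ReadReport",   @"BUILTIN\Users" },
            { "DeleteReport", @"BUILTIN\Administrators" },
        };
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        // Identity established by the transport; anonymous or missing identities are refused.
        ServiceSecurityContext security = operationContext.ServiceSecurityContext;
        WindowsIdentity caller = security == null ? null : security.WindowsIdentity;
        if (caller == null || caller.IsAnonymous || !caller.IsAuthenticated) return false;
        // The Action header ends with the operation name, e.g. ".../IReportService/DeleteReport".
        string action = operationContext.IncomingMessageHeaders.Action ?? "";
        string operation = action.Substring(action.LastIndexOf('/') + 1);
        // Deny by default: an operation missing from the policy map cannot be called.
        string group;
        return RequiredGroup.TryGetValue(operation, out group)
            && new WindowsPrincipal(caller).IsInRole(group);
    }
}

public static class PipeHost
{
    public static ServiceHost Open(Type serviceType)
    {
        var host = new ServiceHost(serviceType, new Uri("net.pipe://localhost/reports"));
        host.AddServiceEndpoint(typeof(IReportService), new NetNamedPipeBinding(), "");
        host.Authorization.ServiceAuthorizationManager = new PipeAuthorizationManager();
        host.Open();
        return host;
    }
}
```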
Related
I need to host a WCF service that will give its clients access to internal business systems on a public facing web server. Obviously I must secure this so that no one from the outside world even knows the service exists, let alone be able to call methods and access the data it exposes.
The overall idea is that the public facing website hosted on the same machine will call the WCF service and then the WCF service will provide it with the required data...
Public Facing Web Site <-> WCF Service <-> Business Systems / Databases
So I need to understand how to secure the service so it can only be accessed via the public facing website.
Ideas I had..
IIS filtering so that the IIS Site hosting the WCF service will only accept requests from a certain IP address.
Obscure port that will not be allowed through the public facing firewall.
Protocol such as NetTCP or NamedPipes
But what about the actual WCF security set up? As both the Public Facing Site and the service are on the same machine, is Windows Authentication an option? Questions I have regarding this are...
Should the service client and the service simply use Windows Authentication?
Do I need specific user accounts as opposed to Network Service? If the website runs under network service would this then automatically authenticate to the service?
My objective is that someone in the outside world should not know of the service's existence or be able to gain access to it.
Thanks in advance.
Technical environment is: IIS7, .Net 4 and WCF 4.
I would suggest you create an HTTP handler '.ashx' and use that as the endpoint for client requests.
If you're using ASP.NET you can secure it by using simple forms authentication and retrieving the username and password from the request headers to authenticate the request.
Then execute any requests to your business webservices which is also secured by your forms authentication.
Cheers
I'm using a custom basic authentication module (http://www.custombasicauth.codeplex.com) for authenticating users in a WCF service. I've used a custom membership provider, and in the ValidateUser method I'm making a db call and returning true if the authentication succeeds. I also created a binding that uses transport security for the WCF service. Everything works fine; now the problem is that the client wants two endpoints to be created for the WCF service, and the custom basic authentication should happen for one endpoint but not for the other.
Is it really possible to achieve this by using the custom authentication module, or do I have to try some other way?
This is not possible when hosting your service in IIS. IIS has authentication scoped per whole virtual directory and your endpoints are exposed on the same service = single resource in single virtual directory. You must either move to self hosting and host service in windows service (you will not need that module anymore) or you must deploy the service again to different virtual directory or web application and change security configuration in each deployment separately (= every endpoint will be in separate deployed service).
I have created a WCF service which is deployed on my local machine. This service exposes one method which start/stop a windows service on my local machine.
On the remote machine I have created a client that consumes the WCF service. When I try to invoke the method which starts/stops the service exposed from the WCF service, I get an InvalidOperationException. I found that this is a security issue.
Also, when I do the same operation (start/stop Windows service) on the local machine it works!!
The WCF service is hosted on IIS 7.0 and is using basicHttpBinding. Also, Anonymous access is checked. I have also added <identity Impersonate = true > under the web section in the web config file but still no success.
Please help!!
You set impersonation for ASP.NET. Impersonation in WCF uses its own infrastructure. Moreover, in WCF the client has to allow the service to impersonate his identity. Check this simple example.
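What WCF's own impersonation looks like on both sides, as an added example that is not code from the original answer. The contract `IServiceControl` and the helper names are hypothetical, and it assumes the endpoint uses basicHttpBinding with Transport security and Windows client credentials, with Windows Authentication enabled in IIS (the service side needs the matching binding configuration).

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceProcess;

[ServiceContract]
public interface IServiceControl // hypothetical contract
{
    [OperationContract] void Restart(string serviceName);
}

public class ServiceControl : IServiceControl
{
    // WCF impersonates the caller for the duration of this operation only.
    // Required rejects the call when the caller cannot be impersonated, instead of
    // falling back to the application pool account.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public void Restart(string serviceName)
    {
        // The service control manager now checks the caller's rights, not the pool account's.
        using (var controller = new ServiceController(serviceName))
        {
            controller.Stop();
            controller.WaitForStatus(ServiceControllerStatus.Stopped, TimeSpan.FromSeconds(30));
            controller.Start();
        }
    }
}

public static class ServiceControlClient
{
    public static void Restart(string httpsUrl, string serviceName)
    {
        // Windows credentials over HTTPS; an anonymous request carries no identity to impersonate.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        var factory = new ChannelFactory<IServiceControl>(binding, new EndpointAddress(httpsUrl));
        // The client must opt in: the default level (Identification) lets the service
        // identify the caller but not act as the caller.
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
        IServiceControl proxy = factory.CreateChannel();
        try { proxy.Restart(serviceName); factory.Close(); }
        catch { factory.Abort(); throw; }
    }
}
```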
I have a web project that has Anonymous access and Integrated Windows authentication enabled. I built a WCF Data Service and since it allows only one authentication, I enabled Integrated authentication on the service. I am able to view the service in browser. However when I try to query the service for any Entity, it gives me Forbidden error. I tried to enable Anonymous access on service too, but it does not work.
Do I need to give it some other access, or is it not possible to enable one authentication on the service itself while keeping the project virtual directory as Anonymous and Integrated?
Update: I do not have any operations in my Data Service. For the entities, I have already set the "All" permission on all entities.
Only one authentication method is permitted on a WCF Data Service.
If you choose to go the Integrated Security route then you need to set the credentials after constructing the DataServiceContext.
Something like this would work for using the current user's Windows identity.
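// Requires "using System;" and "using System.Net;" (CredentialCache lives in System.Net).
employeeEntities = new EmployeeDataService.EmployeeEntities(new Uri("http://.../employeedata.svc"));
// Send the current user's Windows identity with every request made through this context.
employeeEntities.Credentials = CredentialCache.DefaultCredentials;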
I am very new to using WCF services. Right now I have a WCF service that I call using jQuery. I'm concerned about users making unauthorized calls to the service. What would be the best way to secure my service?
If this is a browser app and you're worried about security, presumably you already have some sort of authentication mechanism (cookies, sessions, something). All these are accessible from WCF services (I'm assuming you're using webHttpBinding or basicHttpBinding?) via the WebOperationContext.Current.IncomingRequest property. You can check/validate a cookie (or whatever else) from your service code, or write a cross-cutting MessageInspector to apply the check to all methods on your service behavior. WCF services also can be integrated with traditional ASP.NET authentication (forms, etc) if you host the service with the compatibility flag. The browser app logs in normally, and your service can consume the credential/token/whatever.
You can use a certificate to sign the WCF messages (it's all in the WCF settings) on both sides (client and server).
Here is some detailed explanation:
Message Security