I'm building a system where several clients are connected to a central server by WCF using duplex MSMQ (updates are sent to the server, messages are periodically pushed out to several clients).
How do I best secure this scenario? The nature of duplex WCF effectively makes each client a server. Does that mean to secure each channel every client needs to shell out $1200 for a verisign cert?
Because MSMQ binding uses regular MSMQ queues, you can implement security using the standard MSMQ queue security model. You need to make sure you set security mode to 'Transport', and then allow or restrict access to the queue as appropriate.
When you create a queue you can set permissions which govern who can send, receive, or remove from the queue using active directory or Windows accounts. The only resource I can find with a few minutes googling is MSMQ for .NET Developers - describes a little about setting permissions.
Have a read of Securing Messages with Transport Security and the examples in the NetMsmqBinding documentation.
So you should either run your services as the same user, or ensure all the users are in a single AD group, etc and then grant queue permissions (send permission?) to that user / group only.
Related
I want develop a project in microservice structure.
I have to use php/laravel and nodejs/nestjs
What is the best connection method between my microservices. I read about RabbitMQ and NATS messaging
and also GRPC
Which option is more suitable for microservice?
and why?
Thanks in advance
The technologies address different needs.
gRPC is a mechanism by which a client invokes methods on remote (although they needn't be) server. The client is tightly-coupled (often through load-balancers) with servers that implement the methods.
E.g. I (client) call Starbucks (service) and order (method) a coffee.
gRPC is an alternative to REST, GraphQL, and other mechanisms used to connect clients with servers though some form of API.
Message brokers (e g NATS, Rabbit) provide a higher-level abstraction in which a client sends messages to an intermediate service called a broker (this could be done using gRPC) and the broker may queue messages and either ship them directly to services (push) or wait for a service to check its subscription (pull).
E.g. I (client) post a classified ad on some site (broker). Multiple people may see my ad (subscriber) and offer to buy (method) the items from me. Some software robot may subscribe too and contact me offering to transport or insure the things I'm selling. Someone else may be monitoring sales of widgets on the site in order to determine whether there's a market for opening a store to sell these widgets etc.
With the broker, the client may never know which servers implement the functionality (and vice versa). This is a loosely-coupled mechanism in which services may be added and removed independently of the client.
If you need a synchronous response on 1:1 service call use gRPC
If you don't care which service will consume messages (asynchronous & no tight coupling between services) use RabbitMQ
If you need distributed system to keep events history and reuse later on another service use Kafka
Basically, it comes down to whether you want an Async communication between services or not.
That is when you can decide between real-time communication services (Sync) such as gRPC or RPC & Message Queueing ones (Async) such as RabbitMQ, Kafka or Amazon SQS.
Here are also some good answers by other users:
https://dev.to/hypedvibe_7/what-is-the-purpose-of-using-grpc-and-rabbitmq-in-microservices-c4i#comment-1d43
https://stackoverflow.com/a/63420930/9403963
Is it possible a service to call client after 4 -5 days when client is offline? e.g.
1. The client request some reports through service.
2. Service updates database with client request.
3. Offline work is done on the request
4. Report is uploaded to the database.
Can we service call its client and send report as soon as report is uploaded to database?
Can WCF duplex service be used to call client when client is offline?
Yes. WCF can be configured to use MSMQ as a transport. MSMQ is the only WCF transport that allows for all three:
disconnected scenarios
resume when computer becomes online and
optionally provide a level of guaranteed delivery
MSDN:
If you need to support disconnected queuing, use netMsmqBinding. Queuing is provided by using Microsoft Message Queuing (MSMQ) as a transport, which enables support for disconnected operations, failure isolation, and load leveling. more...
Essentially you invoke a WCF method (send a MSMQ message) and it will be delivered when the computer comes on-line again. Assuming you have set the appropriate expiration options.
I am designing a WCF service. Is is possible to define a service that can handle encrypted messages from some of the clients (on untrusted channel), but also not encrypted messages (for the clients that are on trusted channel) ?
Yes it should be generally possible. There can be some other requirements which would break this possibility but with simple configuration you can use single service with two endpoints - one exposing unencrypted communication and one exposing encrypted communication. You just have to make sure that each client set can access only selected endpoint - that is usually not related to WCF but to computer or network configuration.
If my Wcf Service and Web Application, both are in same server and if i want to access my web app over internet means which WCF security i have to use and why ?
Please advise me :)
Thanks
Kishore
It depends on binding and the context usage and not on transactions which is a different topic.
The intranet bindings (NetTcpBinding, NetNamedPipeBinding, and NetMsmqBinding) all
default to Transport security. Thus, no special programming is required on behalf of
the service or client developer. The reason is that on the intranet calls are typically
point-to-point, and Transport security yields the best performance. However, the intranet
bindings can also be configured for the None transfer mode; that is, they can be
used on the same transport protocol, only without security. The NetNamedPipeBinding
supports only None and Transport security—there is no sense in using Message security
over IPC, since with IPC there is always exactly one hop from the client to the
service. Also note that only the NetMsmqBinding supports the Both mode.
The Internet bindings all default to Message security, to enable them to be used over
nonsecure transports (that is, HTTP) and to accommodate multiple hops and
intermediaries.
I am looking at various options for a WCF based publish subscribe framework. Say I have one WCF web service that will be the publisher and 1000 clients registered as subscriber. For some published messages all clients will be interested but at the same time I wish the ability to notify a single client with a specific message. On receiving notification the client will call other web service methods on the web service.
Is NServiceBus suitable for this kind of scenario ?
If I use MSMQ for transport does it mean that every PC where the client is installed requires a queue to be created ?
Some of the challenges include how you want the publisher to behave when a given subscribing client is down - do you want that message to be available when the subscriber comes back up? If so, then some kind of durable messaging is needed between them - like MSMQ.
Your question about notifying a single client, is that as a result of a request sent by that client? If so, then standard NServiceBus calls in the form of Bus.Reply will do it for you. When using WCF, if the response is to be asynchronous you'll need to use callback contracts.
NServiceBus can do all the things you described, and has the ability to automatically install MSMQ and create queues so that greatly simplifies client-side deployments.
You also have the ability with NServiceBus to expose messages over WCF so you can support non-NServiceBus clients if you need to as well. It also has its own http gateway and XSD schemas which can allow clients on non-Windows platforms to interoperate even without using WCF.
Hope that answers your questions.