Guys, I'm looking for some detailed guidance about WCF Security. I've read Juval Lowy's book and WCF Security Guide, but I'm still looking for verbose manual.
I'm especially interested how some WCF security options influence on SOAP messages (cause clients of my services aren't .NET applications).
Could you point to any similar books/blogs/articles?
You have already read two main sources. You can also check official WCF Service Interoperability site. It contains some white papers which are not related only to security. But if you really want to dive deep into WCF interoperability, learn to use Fiddler, WCF tracing and message logging and study WS-Security specifications.
I also recommend Yaron Naveh's blog.
Related
What I am looking for is a set of article that can help me understand the basics, so I can be sure of what I am doing.
Methods regarding secure authentification are the most welcome.
Thanks.
see this article about Securing WCF Services with Authentication Service.
also this one on Certificate based Authentication.
take a look at Programming WCF Security in msdn library
at my workplace we are about to start a big project. My boss (a programmer, this is a startup) wishes to use ASMX webservices for this purpose. I do not want to start off a new program using deprecated technology and would like to show him this. I dislike WCF at this moment because it has such an extreme learning curve, but I'd rather learn it than use an unsupported technology.
The problem I'm having is that I can not find any practical list of cons and downfalls when compared to WCF so that I can convince my boss to not use them. And saying "it's not as powerful" is not an adequate explanation. What exactly can it not do that we may need it to do for a webservice that is not meant to be shared externally? (as in, we don't support third-parties using our webservices unless they are using one of our clients. )
In short:
ASMX is
limited to only HTTP as its transport
limited to only being hosted in IIS (no other alternative)
limited to very simple security
limited to SOAP 1.1
WCF is
more flexible in transports: you can use HTTP, NetTCP, MSMQ, many more
can be hosted in IIS, WAS, or self-hosted in a Windows Service, in a console app, in a Winforms or WPF app
has much more security options
supports a plethora of WS-* standards
can interoperate with SOAP 1.1 and SOAP 1.2
In short: WCF is ASMX done right - much more flexible, much more powerful, much more in every respect.
Here's another quite useful comparison of WCF and ASMX: Comparing ASMX and WCF
and last but not least, WCF is also better in terms of performance, as this quite extensive MSDN article quite nicely shows (including performance numbers and graphs): A Performance Comparison of Windows Communication Foundation (WCF) with Existing Distributed Communication Technologies
I've never understood why some people think that WCF is difficult to learn. Try this: create a new WCF Service Project in Visual Studio. Now look at the code. Compare that with the same code you get from creating a new ASMX project. It's not very different.
I have three words for you: WCF. WCF. WCF.
Here are another three about why you should choose WCF: Power. Versatility. Configurability.
ASMX is great if you want to get a quick and dirty web service up and running, although to be honest it only takes maybe a few minutes more to do a WCF one.
The WS-* are really hard to implement with asmx: transactions, reliable messaging, security... etc etc.
And later the bindings: you can change the communication just by configuration, the asmx is just http.
WF exposing services and AppFabric works over wcf.
I would not have doubts, today wcf is the best option for starting a project that needs services.
It's been a few years since I've done web services. I remember it to be fairly simply to create and consume one. In my current position, I work in a large organization and we use a lot of DB2 stored procedures the mainframe guy write for us to get at HR data.
I'm now starting on a new HR project and rather than having the same ol' data access code that is in most of our other HR apps, I suggested we write a code library DLL that did all this work and just use this DLL in our HR apps from here on out. Once I suggested this, my manager thinks this is a great idea, but he wants it done in web services.
My manager has now tasked me with researching options for securing these web services would be. He wants me to tell him if we should use WCF with this and if the Java developers in the organization will be able to use the web services I create.
I have done quite a few web searches and haven't found information that specifically answers these questions. Is there anyone here with experience in doing this and could answer the qeustions regarding the security, WCF (which I know little about), and interoperability with other platforms (Java)?
Thanks!
WCF is the current approach for building service end points in .NET apps. It's flexible in supporting different transport channels and protocols. You can certainly expose SOAP Web Services from WCF and use them from Java clients or anything else that supports XML.
The old way of doing that in .NET, simple ASMX Web services is deprecated in favor of WCF. It doesn't have all the bells and whistles of WCF but it's very simple to use. Personally, I still like it and use it in very simple Web services where WCF is an overkill.
As Mehrdad mentions (and I totally agree), WCF is the current offering my Microsoft for most cases.
ASMX is great and simple - but it's very limited in many ways:
you can only host your web services in IIS
you can only reach your web services over HTTP
security is very limited
WCF remedies this - and offer much more beyond that. You can host your WCF services in IIS - or self-host in a console app or Win NT Service, as need be. You can connect your WCF services using HTTP, TCP/IP, MSMQ, Peer-to-peer protocols, named pipes for on-machine communications and much more.
I'd definitely recommend you check out WCF and give it a spin. It's a tad more complex than ASMX, but it also offer just sooo much more capabilities and choices!
As for resoures: there's the MSDN WCF Developer Center which has everything from beginner's tutorials to articles and sample code.
Also, I would recommend you have a look at the Pluralsight screen casts on WCF - it's an excellent series going from "Creating your first WCF service" and "Creating your first WCF client" all the way to rather advanced topics. Aaron Skonnard very nicely explains everything in 10-15 minutes screencasts - highly recommended!
I'm developing a new set of web services at my company.
My manager asked me to provide a greater level of security for this, as the web services will handle sensitive informations.
I've searched the net for resources about how to secure an web service and the two runner ups are WSE3.0 and WCF.
But I have no idea which one is the best option to choose from.
My requirement stipulate that some of the web service must be called by non-.NET environment, so how to proceed?
Which one is the best in such scenario?
If you have the luxury of doing new development, DEFINITELY go with WCF!
It offers much more functionality, much more options for security, bindings, and way more extension points should you need to tweak your system.
WCF also support way more industry-standard interoperability scenarios than anything else before, so you should be more than covered in this area, too.
Here are a few articles specifically on WCF security:
Fundamentals of WCF Security
Programming WCF Security
WCF Security Guidance
No question here - it's a slam dunk - go with WCF !!
Marc
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 6 years ago.
Improve this question
Can anyone define WCF? What is the purpose of WCF?
What are some good reading materials to learn about WCF?
WCF (Windows Communication Foundation) is the name that Microsoft uses for a Framework that can Communicate between multiple servers independently of their Operating System or Technology.
You can use this framework to send and receive messages and attachments (files, images, etc) to and from any computer in the world.
From a developer point of view, it's the new version of WSE (Web Services Enhancements) with MTOM (SOAP Message Transmission Optimization Mechanism) that was itself an updated version of the simple Web Service (.ASMX).
WCF is called a Service Framework and not a Web Service because it no longer depends on the IIS (Internet Information Server) to be hosted. Now you can host a WCF application using TCP/IP, host it as a Windows Service or even host it as an application - and you can still host it in IIS as well.
It uses the SOAP protocol and others (this is configurable in just one file), and supports HTTP and HTTPS as well, for messaging and attachments. You now have plenty of new security options with it... and it's the "top-of-the-line solution" to use to send/receive messages from anywhere to anything.
It is heavily used in the AJAX world, because it can send messages in the JSON format. Because of this, jQuery and other JavaScript frameworks work lovely with it.
For Reading material, I recommend buying a good book, because it's a good way to do self-learning and have it for reference at a later time. I personally bought Wrox Professional WCF, and I'm loving it.
WCF stands for Windows Communication Foundation.
MSDN Link
Wikipedia Link
MSDN is a little dry, but Wikipedia expresses it well:
WCF is the part of the .NET Framework dedicated to communications.
In my case, this has meant a richer alternative to plain old Web Services, with a choice between communication layers.
Edit
15 Seconds also has a great primer on WCF:
WCF is a unified programming model that combines the best of breed features from XML Web Services, .NET Remoting, MSMQ, and COM+ into an integrated platform that is completely based on a set of open industry standards.
WCF stands for "Windows Communication Foundation". The ultra-simplified version of it is that it is a collection of tools and libraries that present the developer with a unified view of communications. Everything in WCF revolves around three core concepts of Endpoints, Channels, and Messages. An endpoint is a way in or out of your code. A channel is the means by which a Message travels between those endpoints. Using this paradigm, you can use UDP, TCP, HTTP, Peer-to-Peer, MSMQ - all using the same 3 core concepts.
As for learning resources, call me old fashioned but I like to curl up with a good book when I'm learning about a new technology. Once I've mastered the basics I like using references online to enhance my base... but for intros, IMHO, nothing beats a good book.
You cannot find a better book on WCF than Juval Lowy's "Programming WCF Services". "Essential Windows Communication Foundation" is also a decent book but I still think you'd be better served by Juval's book.
"WCF" stands for Windows Communication Framework. WCF is the replacement for WSE (now obsolete), ASMX (the old ASP.NET Web Services), and to some extent, is also a replacement for .NET Remoting.
WCF covers all of the web services scenarios covered by ASMX and WSE, and then adds support for many more, including binary communication over TCP/IP, communication over message queues and named pipes, and many more.
A rich extensibility model permits both Microsoft, third party developers, and you, to extend WCF for future requirements. See the Cloud Computing article, and the Foundations: Working with the Service Bus articles in the April 2009 issue of MSDN Magazine to see how WCF has been extended to some very modern scenarios.
All new web services development should be in WCF, if at all possible.
In simple word its technology that allows your service to communicate with application or service using various protocols/modes
WCF separates the service from the protocol in much the same way that XHTML and CSS separate the content from the presentation.