WCF Two way mutual authentication - wcf

How to implement Two way mutual broker Authentication at transport level? I need a suitable example with certificates created by makecert.exe.

Check this article. It should guide you step by step. The only thing I don't like in this article is that it uses Web Site. Web site is probably the worst choice for hosting WCF service in IIS. I would choose WCF Service application. There are additional resources at the end which will point you to articles about creating and installing temporary certificates.

Related

how to implement 2-way SSL certificate for WCF

I am a newbie to WCF so I'm trying to figure out how to implement 2-way SSL certificate authentication for a WCF service I need to host. The consumer of the service would provide us with their certificate and we are supposed to provide them with ours.
The part I don't understand and would appreciate help with is how we go about it, in the way of either
1. articles pointing out the steps
or
2. Code samples.
Thanks.
The following web pages provide a fairly comprehensive overview of a Windows Communication Foundation (WCF) service and client secured using mutual certificate authentication. The code and configuration in the articles were helpful when our team first tackled WCF services with mutual x509 certificate authentication.
http://msdn.microsoft.com/en-us/library/ms733102(v=vs.110).aspx
http://www.codeproject.com/Articles/348595/Use-Mutual-SSL-Authentication-in-WCF
Regards,
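The transport-level mutual certificate setup asked about in both questions above, as an added example that is not code from the linked articles. It assumes a self-hosted service with a contract named IEchoService at https://localhost:8443/echo and a test client certificate with subject "ClientCert" in the current user's personal store (e.g. created with makecert).

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IEchoService
{
    [OperationContract] string Echo(string text);
}

public class EchoService : IEchoService
{
    // With a certificate credential the identity name is the client cert's subject and thumbprint.
    public string Echo(string text) =>
        ServiceSecurityContext.Current.PrimaryIdentity.Name + " said: " + text;
}

public static class MutualTls
{
    // Same binding on both sides: HTTPS protects the channel, the client certificate is the credential.
    public static BasicHttpBinding MakeBinding()
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        return binding;
    }

    public static ServiceHost OpenHost()
    {
        var host = new ServiceHost(typeof(EchoService), new Uri("https://localhost:8443/echo"));
        host.AddServiceEndpoint(typeof(IEchoService), MakeBinding(), "");
        // The service certificate is not set here: for HTTPS it is bound to the port by
        // "netsh http add sslcert" (self-host) or the IIS HTTPS binding. HTTP.sys chain-validates
        // the client certificate before WCF sees it, so a makecert test client certificate
        // (or its issuer) must be trusted on the machine for the call to get this far.
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.NoCheck; // test certificates publish no CRL
        host.Open();
        return host;
    }

    public static IEchoService CreateClient()
    {
        var factory = new ChannelFactory<IEchoService>(
            MakeBinding(), new EndpointAddress("https://localhost:8443/echo"));
        // Present the client certificate from the current user's personal store (subject "ClientCert").
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "ClientCert");
        return factory.CreateChannel();
    }
}
```

When the service is IIS-hosted instead, keep the binding and credential settings but let IIS own the HTTPS binding and set "Require client certificates" in its SSL settings.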

Are WCF Web Services suitable for non-Microsoft SOAP clients?

I need to create a web service to collect data from my customer’s applications.
Those applications are programmed with different technologies and they all have one thing in common: they can consume plain SOAP Web Service.
I already have a WCF Service that could be exposed but as it was built for internal purpose only, I never had to secure it.
I did read a lot of articles on how to secure a WCF service and how to consume it from a Microsoft client application. However, I'm really concerned about the customer’s non-Microsoft applications' ability to implement standard WCF Service security. I must keep in mind that some of them might be stateless and unable to hold on to a session or anything else that might be required by a secure WCF Service.
So here are the options I have right now.
1) Add username/password parameters to each WCF function and perform a credential check on every call. (I do have an SSL certificate... is it enough to consider this option as secured?)
2) Drop my WCF Service and create a plain SOAP Web Service with username/password parameters as mentioned in option #1 to be closer to my customer’s applications capabilities.
3) Implement standard WCF security and let the customers find a way to deal with it on their own. (The real question here: is WCF security simple enough to be implemented by any SOAP client?)
4) Change my name and move to Jamaica with my customer’s money before they find out that I’m a Web Service security noob.
5) Something else…
So what is my best option here?
Yes, I can offer the option we use. It sounds like you want basicHttpBinding.
We have a WCF web service using basicHttpBinding and set IIS to use basic http authentication.
Therefore non-.NET clients can consume it easily (basicHttpBinding) and we can give them an Active Directory domain account that allows them access via IIS. No usernames / passwords to constantly send back and forth through the web service and it runs over HTTPS for security.
It's currently being consumed by PHP, Java and .NET clients. Yes, .NET clients can still import this as a service reference, which makes things like trapping FaultExceptions easier.
No solution is perfect for everyone, but it works great for our needs.
Yes, but certain configurations favour certain vendors. See the WCF Express Interop Bindings project on CodePlex:
http://wcf.codeplex.com/wikipage?title=WCF%20Express%20Interop%20Bindings
They offer settings for interop with:
Oracle WebLogic
Oracle Metro
IBM WebSphere
Apache Axis2
The Oracle Metro (previously known as SUN WSIT) stack is by far the most advanced as regards the WS-*/Oasis standards.

how to secure Azure WebRole svc service with ACS

I'm struggling with securing an IIS-hosted .svc WCF service hosted in Azure using WIF and ACS.
I found a lot of how-tos here:
http://msdn.microsoft.com/en-us/library/gg185939.aspx
I'm particularly interested in those describing how to create a secure WCF service and authenticate using a certificate or username/password.
Now the ACS definition part is pretty clear. But when it comes to securing the service itself I struggle. I'm using a WebRole and an SVC file to expose the service, and the configuration in the how-to is done in code, which I guess won't work with an Azure WebRole either.
Any help on how to get this combination working would be much appreciated!
Just a small clarification: if you rely on ACS then the authentication (in whatever form: certs / username/password, etc) will happen in ACS, not in your app. Your WCF service will simply expect a token issued by ACS and will remain largely ignorant of the type of authentication used.
Also, the actual implementation depends on whether you are creating a SOAP service or a REST one. Typically you have different token formats and protocols involved (e.g. SAML vs SWT, etc.)
Besides the how-tos you mentioned, take a look at the samples in this guide. Especially these:
http://msdn.microsoft.com/en-us/library/hh446528.aspx
http://msdn.microsoft.com/en-us/library/hh446531.aspx
Hope it helps
Most probably you need to use a HttpModule to secure your service. The primary responsibility of this module is to read the Authorization header and create the claims.
Also make sure in the web.config tag should contain
You can get the code for HttpModule from the below sample.
http://acs.codeplex.com/wikipage?title=ACS%20Windows%20Phone%20Sample
Look at the ProtectedResourceModule.cs
Joy

WCF basicHttpBinding authenticating using username & password like in ASMX web services

I am implementing a WCF web service hosted in IIS with basicHttpBinding that should be accessible by .NET 2.0 clients, like accessing ASMX services.
Can anybody help with details and a few examples/sample code?
thanks
nRk
WCF is more secure than ASMX and insists on the basic fact that it never allows you to send plain-text credentials without encrypting them.
You need to ask yourself a few questions here:
how do I protect my messages going from the client to the server, so that the username/password is not sent as plain text?
how do I check the validity of the username/password once the message arrives at the server?
For the first point, you can do a number of things:
secure the transport layer, e.g. use HTTPS (with SSL) to protect the entire pipe going from the client to the server. In that case, you don't have to do much else - the whole communication channel is protected
secure the message (at least the username/password part) using encryption. In that case, you need to have at least a service certificate on the server, so that the calling client has a shared secret to encrypt the message - or you need to install a certificate on the client (usually not a good idea if you want everyone to call your service)
For the authentication part, you need to decide on:
using the ASP.NET membership subsystem which already has a user table against which you can validate the credentials provided
or roll your own from scratch - not recommended unless you really really have to and have a very specific need
WCF security is not an easy topic - you can find helpful information and scenarios on how to do certain things here:
WCF Security by the Microsoft Patterns & Practices group
Declarative WCF Security by Juval Lowy
With just the few pieces of information you provided, one cannot really give a "do this and that" kind of answer. You need to read up on WCF security and decide on what scenario you want to implement. I'm sure folks here can help you with more specific questions about how to achieve certain things in WCF security, if your questions are more focused on a particular problem / issue.
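The combination recommended above, HTTPS on the transport plus a username/password checked against the ASP.NET membership subsystem, as an added example that is not the answerer's code. It assumes a self-hosted service with a contract named IEchoService at https://localhost:8443/echo and a membership provider already configured in web.config or machine.config.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Web.Security;   // Membership (reference System.Web)

[ServiceContract]
public interface IEchoService
{
    [OperationContract] string Echo(string text);
}

public class EchoService : IEchoService
{
    // The validated user name is the caller's identity inside the operation.
    public string Echo(string text) =>
        ServiceSecurityContext.Current.PrimaryIdentity.Name + " said: " + text;
}

public static class UserNameOverTls
{
    // TransportWithMessageCredential: HTTPS protects the pipe and the UserName token travels in
    // the SOAP header. WCF refuses to open this binding on a plain http:// address, which is
    // what keeps the password from ever being sent in clear text.
    public static BasicHttpBinding MakeBinding()
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
        return binding;
    }

    public static ServiceHost OpenHost()
    {
        var host = new ServiceHost(typeof(EchoService), new Uri("https://localhost:8443/echo"));
        host.AddServiceEndpoint(typeof(IEchoService), MakeBinding(), "");
        // Validate against the configured ASP.NET membership provider, not a hand-written table.
        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.MembershipProvider;
        auth.MembershipProvider = Membership.Provider;
        host.Open();
        return host;
    }

    public static IEchoService CreateClient(string user, string password)
    {
        var factory = new ChannelFactory<IEchoService>(
            MakeBinding(), new EndpointAddress("https://localhost:8443/echo"));
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        return factory.CreateChannel();
    }
}
```

A plain .NET 2.0 ASMX-style client cannot emit the WS-Security UserName token; for such clients the transport-only alternative is BasicHttpSecurityMode.Transport with HttpClientCredentialType.Basic, where the password is carried in the HTTP Authorization header inside the TLS session and checked by IIS.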

How are RESTful WCF services secured so that only the calling application can call them?

I have an application that uses Silverlight and ASP.NET as a front-end. It retrieves data from the server by calling some RESTful WCF services that are hosted there. I'd like to prevent the curious user from opening up a new browser window and calling the web service themselves. Is there a way to restrict access to the web services to a specific application?
Thanks!
You can use HTTPS to secure the endpoint and require authentication. You can put an obnoxiously long secret key embedded in the code. Unfortunately, System.Security.Cryptography is not in the SL install, so no encrypt on server/decrypt on client capabilities. And there's no reason the user couldn't just use something like reflector to read the code anyway.
SL can be made "mostly securish", but definitely not secure.
Here's the guide of the Patterns & Practices team for WCF Security. There's a lot to be found there.
http://www.codeplex.com/WCFSecurityGuide
If you're truly interested in securing your web services, you should think about migrating from RESTful services to SOAP Based Web Services and implementing the WS-Security standard for Message based Encryption.
You can then secure your services so only clients that have the proper security information (be it username/password or X.509 certs) can call your web services.
Update
As you can see...I've removed X.509 as an option. I blanked for a moment and forgot the WS-Security limitations in Silverlight. The good news is that you can implement username tokens based on the WS-Security standard in Silverlight:
Implementing Username Password & WS-Security with Silverlight
No there's not.