I'm looking into creating a WCF service that will connect to our Product Management system to provide/update product licensing information. It will be a self hosting service wrapped up in an NT service and I'm looking at ways to mutually authenticate both the service and the client. Clients will be desktop applications running on the same machine as the service so I'm thought netTCP binding with Transport security would be sufficient but having looked at the documentation I think I can only achieve Windows credential security which probably isn't going to be good enough for me. Principally I'm trying to prevent spoof applications invoking operations on our service and also trying to prevent spoof services masquerading as our own.
Can anyone give me any suggestions? I'm a little concerned that I might have to look into certificates :S
Cheers,
Chris.
You can use certificates (service / client) to do mutual authN.
See http://msdn.microsoft.com/en-us/library/ms733102.aspx
Related
I'm new to WCF and have very limited knowledge in WCF security. I have written an WCF service which should be exposed in internet for my clients. I need to Authenticate the clients to use my services. Clients should invoke my service with user id and password. I will do SSL certification as well but apart form that I need some authentication mechanism. Please advice me what binding,security mode, clientCredentialType and related configurations I should do for the security.
You can make use of WSHttpBinding for your services. The binding supports HTTPS transport and WS-Security. Along with this, you can also set security configuration at transport and message level. You can either specify that at ServiceContract or at OperationContract levels.
Here are few MSDN links to get you started:
Bindings and Security
WCF Security Fundamentals
Authentication with Transport Security
Please note that these may be very basic in comparison to your requirements.
It depends on what technology your clients use. If they are all .NET then you have free choice. If you have Java or other clients accessing your services you may have less headaches with BasicHttpBinding, which is completely adequate if you only need username authentication and SSL. The link #danish provided (http://msdn.microsoft.com/en-us/library/ff649647.aspx) shows you how to do that.
I need to create a web service to collect data from my customer’s applications.
Those applications are programmed with different technologies and they all have one thing in common: they can consume plain SOAP Web Service.
I already have a WCF Service that could be exposed but as it was built for internal purpose only, I never had to secure it.
I did read a lot of articles on how to secure WCF service and how to consume it from a Microsoft client application. However, I'm really concern about the customer’s non-microsoft applications abilities to implement a standard WCF Service security. I must keep in mind that some of them might be stateless and unable to hold on to a session or anything that might be required by a secure WCF Service.
So here are the options I have right now.
1) Add username/password parameters to each WCF function and perform a credential check on every call. (I do have an SSL certificate... is it enough to consider this option as secured?)
2) Drop my WCF Service and create a plain SOAP Web Service with username/password parameters as mentioned in option #1 to be closer to my customer’s applications capabilities.
3) Implement standard WCF security and let the customers find a way to deal with it on their own. (The real question here: is WCF security simple enough to be implemented by any SOAP client?)
4) Change my name and move to Jamaica with my customer’s money before they find out that I’m a Web Service security noob.
5) Something else…
So what is the my best option here?
Yes, I can offer the option we use. It sounds like you want basicHttpBinding.
We have a WCF web service using basicHttpBinding and set IIS to use basic http authentication.
Therefore non-.NET clients can consume it easily (basicHttpBinding) and we can give them an Active Directory domain account that allows them access via IIS. No usernames / passwords to constantly send back and forth through the web service and it runs over HTTPS for security.
It's currently being consumed by PHP, Java and .NET clients. Yes, .NET clients can still import this as a service reference which makes thing like trapping FaultExceptions easier.
No solution is perfect for everyone but works great for our needs.
Yes, but certain configurations favour certain vendors. See the WCF Express Interop Bindings project on CodePlex:
http://wcf.codeplex.com/wikipage?title=WCF%20Express%20Interop%20Bindings
They offer settings for interop with:
Oracle WebLogic
Oracle Metro
IBM WebSphere
Apache Axis2
The Oracle Metro (previously known as SUN WSIT) stack is by far the most advanced as regards the WS-*/Oasis standards.
I've very new at WCF, and I'm creating a prototype application to learn, which might turn into a commercial application. I understand the very basics of WCF, and I have my application WCF functional, at a basic level.
What are some tips experienced WCF users can give regarding pitfalls and steps I can take to make the app rock solid, at least regarding the WCF layer?
Couple of points to ponder:
make sure to implement rock-solid exception handling on your server side - implement the IErrorHandler interface on each service, define proper fault contracts
make sure to enable WCF tracing on the server side - those message logs are eminently useful when diagnosing problems!
make sure to think about versioning - make sure to use namespaces for both your service contracts and data contracts that will allow you to distinguish later version from the older ones (by means of the contract namespace)
think hard about your production hosting - IIS seems like a logical choice, but it's typically plagued by too many issues and problems that you don't have if you self-host. It's a bit more work yourself to create all those hosts - but it pays off with increased stability and better control on your side
Use security for your web service, particularly those bindings that support digital certificates.
Ensure your web service is interoperable with other web service frameworks, so that potential clients do not necessary need to be created using .NET and WCF.
Allow for endpoints (methods) to be retired in case they become obsolete. This allows clients of your web service to be informed of these retired endpoints so that they can be updated accordingly. Your retired endpoint could inform callers of what endpoint they should be using instead.
i am new to WCF but i learn this recently and thought to share with you.
if you are hosting your services on IIS then its best practice to make this a new account that you can control the direct privileges too, since NT AUTHORITY\NETWORK SERVICE
uses the default and can have a bit higher level of permissions. You can change this under the Application Pool in IIS that your website hosting WCF is running as.
my2cents
I have several WCF wsHttp services using Transport security over an SSL connection. Presently I use "Windows" for the clientCredentialType and all has worked fine with exception of one scenario where my e-commerce site (its own SSL) had a problem communicating with the other server via SSL and I had to create a separate service and use Basic for the clientCredentialType.
I don't want anonymous connections so I have Basic and Windows Authentication enabled in IIS 7.5 on the WCF service site.
Is one better than the other regarding security? Windows vs. Basic? If not then it seems like I should just change everything to Basic and then I can eliminate my duplicated service configuration for the e-commerce issue.
I don't use ActiveDirectory and I just wanted to minimize all risk of someone sniffing the calls. Anyone have an opinion on the clientCredentialType setting I should use?
Thank you.
I ended up going with Basic per some other articles I read on this topic.
I'm trying to build a WCF self hosted service (eventually in a windows service) that will receive binary and text base messages from remote thick clients that have no accounts on my hosted machine. I'm trying to figure out both my binding options and security options, and in reading the patterns and practices guides, my head has completely spun around at least once.
The clients would be authenticated against a custom SQL based method, so I'd like to be able to pass that info in the initial login request and then set an authorization token of some kind. (This part of the problem is probably outside the scope of the question, but I included it in case it might make a difference.)
Any thoughts at all would be very helpfull.
Ryan
The choice of binding and security option depends on the usage of your WCF service. Is it just for your rich client or are you planning to expose it to the world as API? If it's just for your rich app, does it run on LAN or over untrusted, unreliable Internet?
With WCF you can configure the service to expose multiple endpoints with different bindings, for example both SOAP and REST. In general, I'd start with something stateless and lightweight like basicHttpBinding and webHttpBinding, passing user and password on every request. Once you have that up and running you can optimize cache authentication, provide binary endpoint etc.. only if it actually helps.
There's no need to have just one binding. Having said that if it's self hosted you're "on your own" here. I've never looked at what's involved.