I am very new to using WCF services. Right now I have a WCF service that I call using jQuery. I'm concerned about users making unauthorized calls to the service. What would be the best way to secure my service?
If this is a browser app and you're worried about security, presumably you already have some sort of authentication mechanism (cookies, sessions, something). All these are accessible from WCF services (I'm assuming you're using webHttpBinding or basicHttpBinding?) via the WebOperationContext.Current.IncomingRequest property. You can check/validate a cookie (or whatever else) from your service code, or write a cross-cutting MessageInspector to apply the check to all methods on your service behavior. WCF services also can be integrated with traditional ASP.NET authentication (forms, etc) if you host the service with the compatibility flag. The browser app logs in normally, and your service can consume the credential/token/whatever.
you can use a certificate to sign the WCF messages (it's all in the WCF Settings) on both sides (client and server)
Here is some detailed explanation:
Message Security
Related
I have a silverlight web application and I am loading data to the client side using a wcf service. Should I secure the WCF service? Can anyone who's on the network call methods of the service?
Yeah they can see and access the service if they know the url.
And if they can see it, they only need to do a "Add Service reference" and they can see all methods available.
And since silverlight uses the basichttpbinding, it can work through firewalls (they typically allow http traffic).
You should secure it if it contains sensitive info.
By default you'll have security through obscurity, so if you're not broadcasting your WCF service's presence, it's not likely to be found or called. Additionally, it would be very hard to use it without having an appropriate client proxy configured. If you do not have the MEX endpoint set up, you are again pretty safe.
All that said though, you haven't really authorized the calls. It's theoretically possible to locate your WCF service and create a proxy to call it. So if you want to be safe, which I recommend, look into WCF authorization. It's fairly easy to set up, and you can use various options such as username-password, Windows accounts, or X.509 certificates. Each has its pros and cons.
This article goes into great detail, and there are others. http://msdn.microsoft.com/en-us/magazine/cc948343.aspx
Following questions assume we're hosting in WAS a WCF service side by side with Asp.Net:
"When hosting WCF side by side with Asp.Net - The WCF hosting
infrastructure intercepts WCF requests when the
PostAuthenticateRequest event is raised and does not return processing
to the ASP.NET HTTP pipeline. Modules that are coded to intercept
requests at later stages of the pipeline do not intercept WCF
requests."
"With side-by-side configuration, the WCF hosting infrastructure
intercepts WCF messages and routes them out of the HTTP pipeline"
a) Assuming WAS receives a request for a WCF service, will WCF's authentication mechanism ( Windows, MembershipProvider or Custom authentication ) be invoked when PostAuthenticateRequest event is raised, or will WCF authenticate a request only after it routes the request out of the HTTP pipeline? In other words, is WCF's authentication mechanism working outside of IIS's processing pipeline?
b) If WCF's authentication mechanism is working outside the IIS processing pipeline, then I assume FormsAuthenticationModule isn't involved with authenticating the WCF client ( assuming service is using forms authentication )?
c) Also, if WCF's authentication mechanism is working outside the IIS processing pipeline, then I assume IIS/WAS must be configured for anonymous authentication, even if service is authenticationg clients using windows authentication?
d) Would answers to my above question be any different if WCF service was hosted by IIS7 ( besides the fact that service must only use endpoints that communicate over HTTP protocol )?
Thank you
I would recommend implementing a technical spike project.
At the core you can always implement a codeaccessattribute to secure your operationcontracts.
You can start by applying PrincipalPermission (built in) where you set IPrincipal on Thread.CurrentPrincipal (constructor of your wcf service)
when hosted in IIS you can set HttpContext.Current.User however HttpContext will be null in your case. To use PrincipalPermission you will need to have your own ability to create/implement IPrincipal.
I can only answer part D and part of B, but this may be enough to address the problem you are trying to solve: if you host the WCF service inside an ASP.Net application, then Forms Authentication is supported IF you enable ASP.Net compatibility in the WCF service. We use this method extensively with our Silverlight applets.
This is a two-step process:
1) Decorate your WCF service implementing class with the AspNetCompatibilityRequirements attribute (vb.net code below):
<AspNetCompatibilityRequirements(RequirementsMode:=AspNetCompatibilityRequirementsMode.Allowed)> _
2) Add the following entry to your <system.servicemodel> section in web.config:
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
I want to port an existing ASP.NET Web Service to WCF so the resulting Web Service (1) is RESTful, (2) uses JSON as its request/response format, (3) has a custom authentication mechanism.
After a lot of googling, random coding, and wanting to hit my head against the wall, I found that...
A webHttpBinding has to be used to make the Web Service RESTful. But...
webHttpBinding does not support HTTPS hosts.
webHttpBinding does not support UserName authentication.
webHttpBinding does not even support message security.
An endpoint behavior with <enableWebScript/> has to be used to support ASP.NET AJAX. But...
What is "ASP.NET" AJAX?
What if I want to consume the Web Service using "regular" AJAX?
And, most importantly...
Can WCF do what I want to do in first place?
If not, what other platforms could I use?
I've written WCF service that does both SOAP and REST with XML and JSON, and custom auth. I've pushed the custom authentication into HTTP module, which does basic auth over https. See Custom HTTP Basic Authentication for ASP.NET Web Services on .NET 3.5/VS 2008 and WCF POX, JSON and SOAP Coexist.
In the setup you describe, the web servier (i.e. IIS) will be responsible for encryption (HTTPS) and authentication (e.g. basic authentiction). IIS can be extended with a custom authentication mechanism (just google for "IIS module handler").
It's a bit strange that it has to be delegated to IIS and is not part of WCF. But it's no problem at all.
I have an application that uses Silverlight and ASP.NET as a front-end. It retrieves data from the server by calling some RESTful WCF services that are hosted there. I'd like to prevent the curious user from opening up a new browser window and calling the web service themselves. Is there a way to restrict access to the web services to a specific application?
Thanks!
You can use HTTPS to secure the endpoint and require authentication. You can put an obnoxiously long secret key embedded in the code. Unfortunately, System.Security.Cryptography is not in the SL install, so no encrypt on server/decrypt on client capabilities. And there's no reason the user couldn't just use something like reflector to read the code anyway.
SL can be made "mostly securish", but definitely not secure.
Here's the guide of the Patterns & Practices team for WCF Security. There's a lot to be found there.
http://www.codeplex.com/WCFSecurityGuide
If you're truly interested in securing your web services, you should think about migrating from RESTful services to SOAP Based Web Services and implementing the WS-Security standard for Message based Encryption.
You can then secure your services so only clients that have the proper security information (be in username/password or X.509 certs) can call your web services.
Update
As you can see...I've removed X.509 as an option. I blanked for a moment and forgot the WS-Security limitations in Silverlight. The good news is that you can implement username tokens based on the WS-Security standard in Silverlight:
Implementing Username Password & WS-Security with Silverlight
No there's not.
I need help on securing my WCF Service so that only authorized users can make a call to service methods.
The WCF Service is configured with wsHttpBinding and is hosted under Windows Service.
The client application is an asp.net website. Also, the users making call to WCF service are already authorized by client application, so just need to make sure that they are authorized while handling the request on service side.
Please guide me on what are the different ways (along with their pros and cons, if possible) to achive above.
Thank you!
If you are using the ASP.NET role provider infrastructure, you could pass the user on and leverage the same provider via WCF. This would be nice as it would maintain logic across the process boundaries.
If you are using Windows groups for ASP.NET, the same would apply, just re-authorize.
Certificates are an option, but then you have to manage them.
Lastly you could issue an access token and validate it on the WCF side. This could be done by extending WCF(probably at the contract level). You would then have to manage the token via some other service to enforce expiration etc.