I'm creating a simple web service using WCF. The message needs to be encrypted and the user need to be authenticated through an asp.net provider.
What binding should I use for this? WsHttpBinding or WebHttpBinding?
Can anybody point me to a good example using the asp.net provider and self signed certificates with wcf.
Thanks
You say that the message needs to be encrypted, but don't specify whether you have a specific requirement for message-level encryption or if transport encryption might be enough.
If you transport-level encryption is enough, then BasicHttpBinding + SSL would work.
Otherwise, you'd use WSHttpBinding and configure message-level encryption. Of course, the decision might also be tied to the capabilities of any clients you want to consume the service.
You also mention WebHttpBinding, but that's used only for REST-style services. Is your service REST style? If so, then your only option would be SSL and using transport-level authentication, I think.
Related
I'm new to WCF and have very limited knowledge in WCF security. I have written an WCF service which should be exposed in internet for my clients. I need to Authenticate the clients to use my services. Clients should invoke my service with user id and password. I will do SSL certification as well but apart form that I need some authentication mechanism. Please advice me what binding,security mode, clientCredentialType and related configurations I should do for the security.
You can make use of WSHttpBinding for your services. The binding supports HTTPS transport and WS-Security. Along with this, you can also set security configuration at transport and message level. You can either specify that at ServiceContract or at OperationContract levels.
Here are few MSDN links to get you started:
Bindings and Security
WCF Security Fundamentals
Authentication with Transport Security
Please note that these may be very basic in comparison to your requirements.
It depends on what technology your clients use. If they are all .NET then you have free choice. If you have Java or other clients accessing your services you may have less headaches with BasicHttpBinding, which is completely adequate if you only need username authentication and SSL. The link #danish provided (http://msdn.microsoft.com/en-us/library/ff649647.aspx) shows you how to do that.
I have a WCF service hosted in IIS. The service is mandated to be basicHttpBinding. There is IBM DataPower in front of the WCF service that exposes it to outside world.
I am writing a WCF client app (inheriting from ClientBase) that has to encrypt the message body using a pre-shared public key and DataPower will decrypt it and forward the message to the hosting server. As for responses, DataPower will encrypt it and the client should be able to decrypt the responses received. One way to achieve this (that I could think of) is using IClientMessageInspector and use the BeforeSendRequest() to encrypt AfterReceiveReply() to decrypt. Before going this route, I wanted to know what other options are available to achieve this?
Usually the pattern is to use SSL which is easy to work with in DataPower and WCF clients. I'm not sure how easy it is to configure message level encryption in DataPower. If you insist on message level encryption first check if DP dsupports the standard WS-Security approach, in which case configuring the WCF client is easy (basic http binding with security mode of message and client credential type of certificate or username, but of course depend if you want to configure client auth).
Yes datapower supports WS-Security standard and you can play around any part or whole of messages for encryption/decryption. The only thing you need to weight here is whether to use PKI or symmetric encryption/decryption technique while playing with message level security.
I'm new to WCF and IIS.
Suppose I set up a WCF service with wsHttpBinding and Message Security and Windows authentication. Does that mean I don't need to use https on my IIS server? Ie. Is the message secure or isn't it?
Let me know if there is any further information I can provide.
Yes, the message is secure as it will be encrypted and signed by WCF in case of Message security. But make sure you considered all disadvantages of massage security. The most significant are: 1. Poor interoperability. 2. Worse performance compared to transport security.
For more details please refer to this article Message and Transport Security
You will also find the scenarios where it is best to use message security.
start with transport and message security understanding. We will then see simple code samples of how to implement transport and message security using WsHTTP bindings. We will also see the differences between ‘BasicHttpBinding’ and ‘WsHttpBinding’ with the help of a simple code. WCF security is a huge topic by itself, but I am sure with this article you will get a quick start of how to go about WCF security
http://www.codeproject.com/Articles/36732/WCF-FAQ-Part-3-10-security-related-FAQ
I have the following criteria to help me pick a WCF Http binding. My services need to:
be deployed in an intranet support impersonation/delegation
be interoperable with clients using unknown technology
support transaction flow between client and servers
not use certificates if possible (discards "Transport" security mode)
We need to decide between basicHttpBinding and wsHttpBinding.
Here are a few notes and questions on the three points:
I believe wsHttpBinding with "Message" security mode and "Windows" clientCredentialType would allow me to perform delegation.
The security configuration selected in point 1. to implement delegation does seem to make interoperability complex to support, am I right? The WS-* standards (wsHttpBinding) are definitely interoperable, but combined with "Message" security and "Windows" credential, could any WS-* compatible client invoke my services?
I believe wsHttpBinding seems the way to go here to support transaction flow?
Using "Message" security without certificates seems simpler in our situation?
Thanks in advance
If you want to support transaction flow, you need to use the wsHttpBinding. basicHttpBinding is really just that, a basic XML web service. MS claims it supports the WS-I Basic Profile v1.1 but it looks more like v1.2 since you can use MTOM with that binding.
Both are highly interoperable: wsHttpBinding is an implementation of numerous WS-* standards; what it doesn't support are older SOAP-only clients. That includes anyone using a .NET 2.0 style web service reference, and many forms of Java-based SOAP proxy.
With security, you start to get more of the benefits of a wsHttpBinding showing up. The basicHttpBinding cannot do Windows credentials, though, as you noted, that will limit your interoperability. I suspect you will find it very difficult to authentication non-Windows clients using Windows credentials, but as you indicated, that's the only way to get impersonation to happen. For non-WCF clients running on Windows, you may have more luck, since the client could still get access to the logged-in user's authentication token.
The best way to see how your security modes are going to affect non-WCF clients is to publish the bindings for your service and run the Java wsimport tool against them; if that can produce a working proxy from your WSDL then you should be able to use the service from any client.
Is it possible to configure a WCF service that:
is hosted by IIS
uses the basicHttpBinding binding
does not need an SSL cert
supports sessions (ServiceContract(SessionMode:=ServiceModel.SessionMode.Required))
I know the easiest thing to do would be to buy an SSL cert, but for reasons beyond my control I am being required to match the 4 constraints above.
thanks,
Tom
Tell your boss that basicHttpBinding supports real security only when using with SSL certificate (otherwise all data are passed as a plain text) and it doesn't support WCF sessions out of the box. WCF session is dependent on either:
Transport session (only netTcp or netNamedPipe bindings)
Reliable session (only netTcp, wsHttp or custom bindings)
Security session (only wsHttp or custom bindings and it requires either windows authentication or SSL certificate)
Sessions can be probably added by building your own service behavior and replacing IInstaceContextProvider and perhaps also IInstanceProvider.