JSON WCF Security - wcf

Are JSON-enabled WCF services secured, as they carry human-readable strings?
Any article on JSON-enabled WCF security will help. (link)

JSON-enabled WCF services are REST-based - those basically transmit everything in clear text, so in order to get any protection against snooping, you'd have to secure the transport layer using e.g. SSL encryption.
Marc

WCF is just a framework to make communication simpler, it doesn't in and by itself make anything secure.
JSON is just a nice way to transmit data, esp when sending to a webpage, as it can be more compact than xml, and javascript can parse JSON faster than xml since JSON is made for javascript.
If you have any sensitive information you can either encrypt that specific data or you can just use SSL connections, but that can impact performance.
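
The transport-layer protection both answers point to, shown as a `web.config` fragment; this is an added example, not configuration from the original posts. The service and contract names (`Example.OrderService`, `Example.IOrderService`) and the binding and behavior names are hypothetical, and the site is assumed to have an HTTPS binding with a server certificate in IIS.

```xml
<system.serviceModel>
  <bindings>
    <webHttpBinding>
      <!-- Weak: mode "None" is the webHttpBinding default, so the JSON
           body crosses the network as readable text over plain HTTP. -->
      <binding name="jsonPlain">
        <security mode="None" />
      </binding>
      <!-- Corrected: mode "Transport" makes the endpoint HTTPS-only,
           so the same JSON is encrypted by TLS on the wire. -->
      <binding name="jsonTls">
        <security mode="Transport">
          <transport clientCredentialType="None" />
        </security>
      </binding>
    </webHttpBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <behavior name="jsonBehavior">
        <!-- Serialize responses as JSON unless the operation says otherwise. -->
        <webHttp defaultOutgoingResponseFormat="Json" />
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <services>
    <!-- Hypothetical service and contract names. -->
    <service name="Example.OrderService">
      <endpoint address=""
                binding="webHttpBinding"
                bindingConfiguration="jsonTls"
                behaviorConfiguration="jsonBehavior"
                contract="Example.IOrderService" />
    </service>
  </services>
</system.serviceModel>
```

With `jsonTls` selected, the endpoint is reachable only at an `https://` address; pointing `bindingConfiguration` at `jsonPlain` reproduces the clear-text behaviour described in the answers.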

Related

Encrypt/Decrypt Soap Body In WCF Client

I have a WCF service hosted in IIS. The service is mandated to be basicHttpBinding. There is IBM DataPower in front of the WCF service that exposes it to outside world.
I am writing a WCF client app (inheriting from ClientBase) that has to encrypt the message body using a pre-shared public key and DataPower will decrypt it and forward the message to the hosting server. As for responses, DataPower will encrypt it and the client should be able to decrypt the responses received. One way to achieve this (that I could think of) is using IClientMessageInspector and use the BeforeSendRequest() to encrypt and AfterReceiveReply() to decrypt. Before going this route, I wanted to know what other options are available to achieve this?
Usually the pattern is to use SSL which is easy to work with in DataPower and WCF clients. I'm not sure how easy it is to configure message level encryption in DataPower. If you insist on message level encryption first check if DP supports the standard WS-Security approach, in which case configuring the WCF client is easy (basic http binding with security mode of message and client credential type of certificate or username, but of course depends if you want to configure client auth).
Yes, DataPower supports the WS-Security standard and you can play around with any part or the whole of messages for encryption/decryption. The only thing you need to weigh here is whether to use PKI or symmetric encryption/decryption technique while playing with message level security.

What is the relationship between WCF, Rest and SOAP?

What is the relationship between WCF and REST&SOAP? Is WCF based on one of those technologies (REST or SOAP) or it is a separate technology?
WCF is a messaging framework for building distributed systems. Distributed systems is mostly just another word for web services.
What this means is that you can write methods in C# (or any of the .NET languages) and then apply a bunch of configurations to the code that make your code accessible to others and turn your code into a web service.
Those "bunch of configurations" are WCF. WCF allows you to expose your methods to other computers or applications using REST if you set up the WCF configurations around your C# code to expose it as a RESTful service. Or, you can easily take the same C# methods and make them available via the SOAP protocol.
If you have a method called "GetData()", you can set up the WCF configuration to make that method available in a service that is hosted in IIS. When someone calls that service, they can send an HTTP GET request to http://www.yourdomain.com/SomeService/GetData, and the GetData method will receive the message and send back a response. When you make a GET request over HTTP, you're using REST. REST is pretty much tied to HTTP as the transport protocol. REST also has no standard message format. Whatever you want to send in your HTTP message, and however you want to send it is OK. You can send XML, or JSON, or just plain text. You can use POST, or GET or PUT or any of the HTTP verbs as well.
With SOAP, your messages can be sent to the service using any transport protocol -- you aren't tied to HTTP. SOAP messages are designed to be transport neutral. They are encoded in XML and the XML always has a head and a body node inside of an envelope node. There are lots of web standards around SOAP -- standards for putting security, sessions and other features into the header of the message, for example. Also, with SOAP, you get a WSDL, which I won't go into explaining here, but it makes it a LOT easier for clients to program against. Most programming languages have a method of taking a WSDL and converting it into strongly-typed methods and objects so that your service is easy to call.
REST is very popular on the internet and is as scalable as the internet (i.e. VERY scalable). SOAP is very popular in business-to-business applications.
WCF isn't automatically REST or SOAP, but you can make it that way. What you need here is a tutorial:
WCF
http://www.codeproject.com/Articles/406096/A-beginners-tutorial-for-understanding-Windows
REST
http://rest.elkstein.org/
Here's some other interesting stuff:
WCF - REST / SOAP
https://msdn.microsoft.com/en-us/library/hh323708(v=vs.100).aspx
WCF and REST
https://msdn.microsoft.com/en-us/library/ee391967.aspx
Or you can do a google/bing/metacrawler/altavista search on your own.....
From MSDN
The WCF programming model provides various capabilities, such as SOAP
services, web HTTP services, data services, rich internet application
(RIA) services, and workflow services. SOAP services support
interoperability between systems that are built with Java, other
platforms, and those that use messaging standards that are supported
by Microsoft®. SOAP services also support transports such as HTTP,
TCP, named pipes, and MSMQ. Web HTTP services and data services both
support REST. Web HTTP services enable you to control the service
location, request and response, formats, and protocols. Data services
enable you to expose data models, and data-driven logic as services.
WCF also includes two programming models: The service model and the
channel model. The service model provides a framework for defining
data contracts, service contracts and service behaviors. The channel
model supports specifying formats, transports, and protocols.
Both SOAP and REST services can provide functionality to web
applications, and both can be used to exchange information in the
web's distributed environment. Each one has its own advantages, and
limitations.
Although, this question has got several good answers, just putting in my 2-cents, in an attempt for newbies to WCF vs SOAP vs REST-full services, to make it a bit easier for them to understand.
We get confusions, whether WCF supports both REST and SOAP? And, normally, we just see generic definitions about SOAP and REST. So, we need something from Microsoft to make us feel the truth :) So here's a screenshot from Microsoft MSDN:
So, yes, WCF supports both.
In context with OP:
SOAP services: in WCF programming model support interoperability between systems that are built with Java, other
platforms, and those that use messaging standards that are supported
by Microsoft®. These also support transports such as HTTP,
TCP, named pipes, and MSMQ.
Web HTTP services : in WCF programming model supports REST. [Source: MSDN]

One WCF Service to Rule them All? (SOAP w https, oData, JSON, POX, etc...)

I've been playing around with WCF and I have managed to get a WCF service to generate SOAP, POX, and JSON formats pretty easily based on this example (I added the soap config).
http://www.c-sharpcorner.com/UploadFile/ashutosh.shukla1/3040/Default.aspx
And I see that if you add a timestamp field to your data base tables you can actually have a plain old WCF service work with Linq to SQL via this-
http://jonkruger.com/blog/2008/02/10/linq-to-sql-in-disconnectedn-tier-scenarios-saving-an-object/
I'm still a little confused about WCF vs WCF Data Services vs WCF Ria Services. I guess my goal and my question is.
Is it possible to write one service with multiple endpoints that does it all...POX, JSON, Java client compatible SOAP 1.1 with https and user name/password protection, and OData secured with https possibly as well? If so that sounds amazing, as I can create a self hosted uber data provider service that offers numerous ways clients can connect and use data.
Are we there yet? If so what do I use (still confused on the differences)?

WCF basicHttpBinding authenticating using username & password like in ASMX web services

I am implementing a WCF web service hosted in IIS with basicHttpBinding that should be accessible by .NET 2.0 clients like accessing ASMX services.
Anybody can help with details & with a few examples/sample code.
thanks
nRk
WCF is more secure than ASMX and insists the basic fact that it never allows you to send plain-text credentials without encrypting those.
You need to ask yourself a few questions here:
how do I protect my messages going from the client to the server, so that the username/password is not sent as plain text?
how do I check the validity of the username/password once the message arrives at the server?
For the first point, you can do a number of things:
secure the transport layer, e.g. use HTTPS (with SSL) to protect the entire pipe going from the client to the server. In that case, you don't have to do much else - the whole communication channel is protected
secure the message (at least the username/password part) using encryption. In that case, you need to have at least a service certificate on the server, so that the calling client has a shared secret to encrypt the message - or you need to install a certificate on the client (usually not a good idea if you want everyone to call your service)
For the authentication part, you need to decide on:
using the ASP.NET membership subsystem which already has a user table against which you can validate the credentials provided
or roll your own from scratch - not recommended unless you really really have to and have a very specific need
WCF security is not an easy topic - you can find helpful information and scenarios on how to do certain things here:
WCF Security by the Microsoft Patterns & Practice group
Declarative WCF Security by Juval Lowy
With just the few pieces of information you provided, one cannot really give a "do this and that" kind of answer. You need to read up on WCF security and decide on what scenario you want to implement. I'm sure folks here can help you with more specific questions about how to achieve certain things in WCF security, if your questions are more focused on a particular problem / issue.
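
One combination of the choices listed in this answer (HTTPS for the pipe, ASP.NET membership for validating the credentials), shown as a `web.config` fragment; this is an added example, not configuration from the original answer. The service, contract, binding and behavior names are hypothetical, and `ExampleMembershipProvider` is assumed to be a provider already registered under `<system.web><membership>`.

```xml
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="userNameOverTls">
        <!-- HTTPS encrypts the whole channel; the user name and password
             are carried in the SOAP security header, never over plain HTTP. -->
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="membershipAuth">
        <serviceCredentials>
          <!-- Check the supplied credentials against the ASP.NET
               membership store instead of Windows accounts.
               Provider name is a placeholder (assumption). -->
          <userNameAuthentication
              userNamePasswordValidationMode="MembershipProvider"
              membershipProviderName="ExampleMembershipProvider" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <!-- Hypothetical service and contract names. -->
    <service name="Example.AccountService"
             behaviorConfiguration="membershipAuth">
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="userNameOverTls"
                contract="Example.IAccountService" />
    </service>
  </services>
</system.serviceModel>
```

Because the security mode requires transport protection, the endpoint address must be `https://`; WCF refuses to open this binding on a plain HTTP address.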

WCF Rest services compatible with standard WCF web services?

I have been reading a little about REST services and I would love to know more.
I wonder if anyone can confirm, currently we have a WCF web service (ending in .svc) and we have many clients accessing (i.e. from Linux, Mac and PC) ...
If I was to change my server to use REST then would the clients break?
If you CHANGE the service to be a RESTful format, then yes...existing clients would have to change.
If you ADD a RESTful endpoint and kept the existing endpoint as well, then no...existing clients could continue to use the old endpoint until they migrated their code to use the new RESTful endpoint.
Well, the two worlds are really SOAP vs. REST.
The "normal" WCF services using NetTcpBinding, basicHttpBinding, wsHttpBinding etc. are all using SOAP - your message is embedded in a SOAP envelope and sent across the wire, and the response comes back the same way. That's why you can't just point your browser to a WCF service and get data - browsers can't send and receive SOAP messages.
Advantages of SOAP: you have things like WSDL/XSD to clearly and very strictly define what your service does and what kind of data you send around.
REST is a totally different beast - no more SOAP, no more WSDL and XSD, no more creating a client that knows about the data types being shuffled back and forth - you just have URL's which represent resources, and you get back some XML - not a whole lot of system support for describing WHAT that XML will be - you'll have to hope the developer of the REST service provides some documentation about what can be retrieved, and what it looks like.
So REST is a totally different beast than SOAP, and it's implemented in WCF using the webHttpBinding.
So if you have existing "traditional" WCF service and clients, and you now switch your service to REST, then yes - 100% sure you'll break EVERY client....
Marc
