Conceptual overview of WCF security model? - wcf

I'm working with WCF at the moment and attempting to implement a custom security model based around an API key and signature (similar to how Facebook/Flickr/OAuth etc. work).
There are a while bunch of classes like ServiceAuthorizationManager, SecurityToken, SecurityTokenValidator, IAuthorizationPolicy and so on, but I can't seem to find any documentation about how these work together or what the conceptual security model is for WCF.
I'm really looking for something that details how these classes fit and work together, so I can understand where to extract credentials, where to validate they are correct, where to decide what level of access to give them and so on. If there is a book I can buy about this stuff it would be even better, as all the WCF books I have found skip over all this stuff entirely.
Is there any documentation out there?

Take a look at Juval Lowy's excellent "Programming WCF Services," 2nd Edition:
Here's the link to Amazon's page on it.
Chapter 10 is completely devoted to security.
Microsoft has released a WCF Security Guide - a free(!) eBook. You can find it here.
That's an awful lot of information to wade through. Good luck!

Related

Windows Communication Foundation (WCF) for beginners

I need to learn WCF for my project as I am building a client-server application under Windows. What's the best place to start. I've googled for tutorials and books but I couldn't find something suitable for starters. I would prefer a book.
As for resoures: there's the MSDN WCF Developer Center which has everything from beginner's tutorials to articles and sample code.
Also, check out the screen cast library up on MSDN for some really useful, 10-15 minute chunks of information on just about any topic related to WCF you might be interested in.
Look at PluralSight videos may be its easy way for you to start. Some of the videos are on MSDN for free.
Find book for yourself. For example this one could be easy to understand for beginner.
Look at WCF samples. Some samples can help you in learning.
If you prefer a good book, check out Programming WCF Services, 3rd Edition by Juval Lowy.
Other WCF book recommendations are listed in this question.

WCF configuration setting information at a glance

Is there any site from where I can get the most of the information about WCF configuration settings e.g. keyEntropyMode,maxStatefulNegotiations,sessionKeyRolloverInterval, negotiationTimeout etc.
I have started recently working in wcf but is facing many troubles in understanding the terms. There are to be honest huge. And whenever I get stuck, it takes a long time for me to solve it (searching and searching in google and after spending sometime hours I may get the solution).
Henceforth, I think it is better to know if not all astleast some of the terms and their usage and what they means.
It would be great help if anyone can point such a link. I searched in the net with " wcf configuration file elements" but with not much luck.
Thanks
That would be a very very large page! All the WCF settings..... don't know if you could have that "at a glance"....
WCF is a big beast - it has a ton of options and settings, and they do get almost overwhelming. Point is: do not try to know and master all of them - you won't be able to do that. Get to know what you need to know, build a solid foundation, and then go from there and learn more as you need to.
Also - do you know about the visual WCF Service Config Tool in Visual Studio?? Extremely helpful indeed! Invoke it from the Tools > WCF Service Configuration Editor menu or right-click on a app.config in your solution explorer and pick Edit WCF Configuration. You'll get something like this:
The great thing about this is:
it gives you dropdown lists for lots of stuff, like the bindings - you can pick your binding, so you always see your valid options
it will show you the properties on each item, so you can fill them out as needed (or even discover new properties)
it gives you nice tasks you can perform, like adding a new service or a new endpoint
That's probably as close as it gets to a "complete overview" of WCF. Other than that - check out the great books Learning WCF by Michele Leroux Bustamante for intro to intermediate level, and Programming WCF Services by Juval Lowy for really advanced stuff. Great references and great places to look up stuff!
Learning WCF http://ecx.images-amazon.com/images/I/41wYa%2BNiPML._BO2,204,203,200_PIsitb-sticker-arrow-click,TopRight,35,-76_AA240_SH20_OU01_.jpg
Exactly what problem are you trying to solve? You don't really need to learn all WCF config settings. There are a lot of settings, some are specific to hosting methods, concurrency (or lack thereof), session management, instancing, bindings, behaviors, etc...

Real world example wcf with rest and soap end points

I've been looking around for good wcf samples which expose both WCF and REST endpoints with end to end examples and I am having a bit of trouble finding anything concrete. There are a lot of samples which say you can do this or you could do that, but nothing that really seems to bring it all together.
For instance, I'm looking for something that brings together suggestions on uri's you should use to avoid problems (both for the services and data contracts), where to place your xsd's, whether its worth trying to use the same server end point for both rest and soap, versioning and generally best practices when using WCF with rest and soap in an enterprise situation.
Cheers
Anthony
Here is a popular stack overflow question on the subject. It is based on .Net 3.5 though. I have not seen many samples relating to .Net 4 yet.
However, IMHO I would avoid this trap like the plague. Doing a good API is difficult, SOAP APIs and REST apis are very different and despite what the marketing material claims, you can't just twiddle some config files, add some attribute dust and convert between the two.
Pick the one architectural style that suits your needs and do it well.
NerdDinner.com : NerdDinner uses WCF Data Services, which is a great way to correctly implement RESTful services on top of WCF. The reason I am point to that, and not WCF data services directly is because it is a public website and you can use it.

Best practice for large WCF service?

What is the best practice for writing a rather large wcf service, containing a lot of OperationContracts and DataContracts?
How would I separate functional areas into several contracts, would it be best to create an endpoint for each functional area?
Is there any way to keep the source for the different parts apart, but still use only one service for all of them?
Where do I get good information how to plan the contracts, what to include, how to split...?
That's been a big question surrounding services since their inception. SOA done successfully is SOA planned to the extent you're talking about. Having said that, I've always leaned more toward splitting services out, but using them in a composite manner. That is, several endpoints when you have several contracts, but most of them are only consumed by a few endpoints that are consumed by non-service callers. (wow, that was a mouthful, did it even make sense?)
Also, I would advise to have as few contracts as possible. Too many contracts can lead to poor manageability. Good contract design will help limit the number of endpoints and service calls. Removing OO concepts from contract design is one way of doing so. Contract design is a massive topic in itself, but suffice it to say that through good contract planning (up front), comes good service design.
Maarten Mullender writes a great blog on WCF design, and is a must read. There are also some great SOA/WCF books emerging as well.
Some good books:
Pro WCF: Practical Microsoft SOA Implementation
Programming WCF
I'll go off the track here and say I've used monolithic WCF contracts, functionally separated contracts (with a maximum of ten methods along Juval's guidelines in his book), and I've also tried a message handling architecture where a service has a single method that takes a base message, and handlers that 'know' how to unwrap and process the message after it crosses the wire.
I'm a big fan of the latter if you've got .NET on both sides of the fence. Oren has a screencast on the idea with code. I don't know what your needs are but this is working for me.
http://ayende.com/Blog/archive/2008/03/30/Hibernating-Rhinos-8--Going-Distributed-amp-Building-our-own.aspx
That said if you're already coming from "I need a large WCF service" then going to one method is probably not going to cut it for you. If that's true then Juval Lowy's Programming WCF Services is the standard you should uphold in your design.
This has been helpful to me it comes from the idesign.net website and it was authored by Juval Lowy:
WCF Coding Standard
I have a post here about how individual operations should differ from traditional code operations:
http://www.iserviceoriented.com/blog/post/Introduction+to+Service+Oriented+Architecture.aspx
You should end up only with operations for actual business events. If you ever stop and think "I need to enable transaction support on my web service" that means you haven't designed the operation with a wide enough scope. You should never have to enable web service transaction support.
I highly recommend Bill Poole's blog for higher level SOA concepts. Here's a post to get started:
http://feeds.feedburner.com/~r/BillPoolesCreativeAbrasion/~3/328955489/service-contract-stability.html
I know this is an old post but I am thinking of services in the same way as I think of objects in programming.
Keep them to their bare minimum for what they must do. Of course not to go to the extreme, but I am making my decisions based on data entities.
One service for Account, one for Product etc.
Not sure what anyone would think of that though...

Does WCF raise the bar or just the complexity level? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 3 years ago.
Improve this question
I understand the value of the three-part service/host/client model offered by WCF. But is it just me or does it seem like WCF took something pretty direct and straightforward (the ASMX model) and made a mess out of it?
Is there an alternative to using SvcUtil's command line step back in time to generate the proxy? With ASMX services a test harness was automatically provided; is there a good alternative today with WCF?
I appreciate that the WS* stuff is more tightly integrated with WCF and hope to find some payoff for WCF there, but geeze, otherwise I'm perplexed.
Also, the state of books available for WCF is abysmal at best. Juval Lowy, a superb author, has written a good O'Reilly reference book "Programming WCF Services" but it doesn't do that much (for me anyway) for learning now to use WCF. That book's precursor (and a little better organized, but not much, as a tutorial) is Michele Leroux Bustamante's Learning WCF. It has good spots but is outdated in place and its corresponding Web site is gone.
Do you have good WCF learning references besides just continuing to Google the bejebus out of things?
Okay, here we go. First, Michele Leroux Bustamante's book has been updated for VS2008. The website for the book is not gone. It's up right now, and it has tons of great WCF info. On that website she provides updated code compatible with VS2008 for all the examples in her book. If you order from Amazon, you will get the reprint which is updated.
WCF is not only a replacement for ASMX. Sure it can (and does quite well) replace ASMX, but the real benefit is that it allows your services to be self-hosted. Most of the functionality from WSE has been baked in from the start. The framework is highly configurable, and the ability to serve multiple endpoints over multiple protocols is amazing, IMO.
While you can still generate proxy classes from the "Add Service Reference" option, it's not necessary. All you really have to do is copy your ServiceContract interface and tell your code where to find the endpoint for the service, and that's it. You can call methods from the service with very little code. Using this method, you have complete control over the implementation. Regardless of the method you choose to generate a proxy class, Michele shows both and uses both in her excellent series of webcasts on the subject.
Michele has tons of great material out there, and I recommend you check out her website(s). Here's some links that were incredibly helpful for me as I was learning WCF. I hope that you'll come to realize how strong WCF really is, and how easy it is to implement. The learning curve is a little bit steep, but the rewards for your time investment are well worth it:
Michele's webcasts: http://www.dasblonde.net/2007/06/24/WCFWebcastSeries.aspx
Michele's book website (alive and updated for VS2008): http://www.thatindigogirl.com/
I recommend you watch at least 1 of Michele's webcasts. She is a very effective presenter, and she's obviously incredibly knowledgeable when it comes to WCF. She does a great job of demystifying the inner workings of WCF from the ground up.
I typically use Google to find my WCF answers and commonly find myself on the following blogs:
Blogs with valuable WCF articles
http://blogs.msdn.com/drnick/default.aspx
http://blogs.msdn.com/wenlong/default.aspx
http://blogs.thinktecture.com/buddhike/
http://www.dasblonde.net/default.aspx
Other valuable articles I've found
http://blogs.conchango.com/pauloreichert/archive/2007/02/22/WCF-Reliable-Sessions-Puzzle.aspx
http://blogs.msdn.com/salvapatuel/archive/2007/04/25/why-using-is-bad-for-your-wcf-service-host.aspx
I'm having a hardtime to see when I should or would use WCF. Why? Because I put productivity and simplicity on top of my list. Why was the ASMX model so succesful, because it worked, and you get it to work fast. And with VS 2005 and .NET 2.0 wsdl.exe was spitting out pretty nice and compliant services.
In real life you should have very few communication protocols in your architecture. This keeps it simple an maintainable. If you need to acces to legacy systems, write specific adapters for them so they can play along in the nice shiny and beautiful SOA world.
WCF is much more powerful than ASMX and it extends it in several ways. ASMX is limited to only HTTP, whereas WCF can use several protocols for its communication (granted, HTTP is still the way most people will use it, at least for services that need to be interoperable). WCF is also easier to extend. At least, it is possible to extend it in ways that ASMX cannot be extended. "Easy" may be stretching it. =)
The added functionality offered by WCF far outweighs the complexity it adds, in my opinion. I also feel that the programming model is easier. DataContracts are much nicer than having to serialize using XML serialization with public properties for everything, for example. It's also much more declarative in nature, which is also nice.
Wait.... did you ever use .NET Remoting, cause thats the real thing its replacing. .NET Remoting is pretty complicated itself. I find WCF easier and better laid out.
I don't see it mentioned often enough, but you can still implement fairly simple services with WCF, very similar to ASMX services. For example:
[ServiceContract]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
public class SimpleService
{
[OperationContract]
public string HelloWorld()
{
return "Hello World";
}
}
You still have to register the end point in your web.config, but that's not so bad.
Eliminating the verbosity of the separated data, service, and operation contracts goes a long way toward making WCF more manageable for me.
VS2008 includes the "Add Service Reference" context menu item which will create the proxy for you behind the scenes.
As was mentioned previously, WCF is not intended solely as a replacement for the ASMX web service types, but to provide a consistent, secure and scalable methodology for all interoperable services, whether it is over HTTP, tcp, named pipes or MSMQ transports.
I will confess that I do have other issues with WCF (e.g. re-writing method signatures when exposing a service over basicHTTP - see here, but overall I think it is a definite imrovement
If you're using VS2008 and create a WCF project then you automatically get a test harness when you hit run/debug and you can add a reference without having to use svcutil.
My initial thoughts of WCF were exactly the same! Here are some solutions:
Program your own proxy/client layer utilising generics (see classes ClientBase, Binding). I've found this easy to get working, but hard to perfect.
Use a third party implementation of 1 (SoftwareIsHardwork is my current favourite)
WCF is a replacement for all earlier web service technologies from Microsoft. It also does a lot more than what is traditionally considered as "web services".
WCF "web services" are part of a much broader spectrum of remote communication enabled through WCF. You will get a much higher degree of flexibility and portability doing things in WCF than through traditional ASMX because WCF is designed, from the ground up, to summarize all of the different distributed programming infrastructures offered by Microsoft. An endpoint in WCF can be communicated with just as easily over SOAP/XML as it can over TCP/binary and to change this medium is simply a configuration file mod. In theory, this reduces the amount of new code needed when porting or changing business needs, targets, etc.
ASMX is older than WCF, and anything ASMX can do so can WCF (and more). Basically you can see WCF as trying to logically group together all the different ways of getting two apps to communicate in the world of Microsoft; ASMX was just one of these many ways and so is now grouped under the WCF umbrella of capabilities.
Web Services can be accessed only over HTTP & it works in stateless environment, where WCF is flexible because its services can be hosted in different types of applications. Common scenarios for hosting WCF services are IIS,WAS, Self-hosting, Managed Windows Service.
The major difference is that Web Services Use XmlSerializer. But WCF Uses DataContractSerializer which is better in Performance as compared to XmlSerializer.
In what scenarios must WCF be used
A secure service to process business transactions. A service that
supplies current data to others, such as a traffic report or other
monitoring service. A chat service that allows two people to
communicate or exchange data in real time. A dashboard application
that polls one or more services for data and presents it in a logical
presentation. Exposing a workflow implemented using Windows Workflow
Foundation as a WCF service. A Silverlight application to poll a
service for the latest data feeds.
Features of WCF
Service Orientation
Interoperability
Multiple Message Patterns
Service Metadata
Data Contracts
Security
Multiple Transports and Encodings
Reliable and Queued Messages
Durable Messages
Transactions
AJAX and REST Support
Extensibility
source: main source of text
MSDN? I usually do pretty well with the Library reference itself, and I usually expect to find valuable articles there.
In terms of what it offers, I think the answer is compatibility. The ASMX services were pretty Microsofty. Not to say that they didn't try to be compatible with other consumers; but the model wasn't made to fit much besides ASP.NET web pages and some other custom Microsoft consumers. Whereas WCF, because of its architecture, allows your service to have very open-standard--based endpoints, e.g. REST, JSON, etc. in addition to the usual SOAP. Other people will probably have a much easier time consuming your WCF service than your ASMX one.
(This is all basically inferred from comparative MSDN reading, so someone who knows more should feel free to correct me.)
WCF should not be thought of as a replacement for ASMX. Judging at how it is positioned and how it is being used internally by Microsoft, it is really a fundamental architecture piece that is used for any type of cross-boundary communication.
I believe that WCF really advances ASMX web services implementation in many ways. First of all it provides a very nice layered object model that helps hide the intrinsic complexity of distributed applications.
Secondly you can have more than request-replay messaging patterns, including asynchronous notifications from server to client (impossible with pure HTTP), and thirdly abstracting away the underlying transport protocol from XML messaging and thus elegantly supporting HTTP, HTTPS, TCP and other. Backward compatibility with "1-st generation" web services is also a plus.
WCF uses XML standard as the internal representation format. This could be perceived as advantage or disadvantage, especially with the growing popularity "fat-free alternatives to XML" like JSON.
The difficult things I find with WCF is managing the configurations for clients and servers, and troubleshooting the not so nice faulted state exceptions.
It would be great if anyone had any shortcuts or tips for those.
I find that is a pain; in that I have .NET at both ends, have the same "contract" dlls loaded at both ends etc. But then I have to mess about with a lot of details like "KnownType" attributes.
WCF also defaults to only letting 1 or 2 clients connect to a service until you change lots of configuration. Changing the config from code is not easy, shipping lots of comfig files is not an option, as it is too hard to merge our changes into any changes a customer may have made at the time of an upgrade (also we don't want customers playing with WCF settings!)
.NET remoting tended to just work most of the time.
I think trying to pretend that .NET to .NET object based communications is the same as sending bit so of Text (xml) to an unknown system, was a step too far.
(The few times we have used WCF to talk to a Java system, we found that the XSD that the java system gave out did not match what XML it wanted anyway, so had to hand-code a lot of the XML mappings.)