4. What is WCF?
Stands for Windows Communication Foundation
One of the 4 pillars of .NET 3.0
Microsoft's unified programming model (the service model) for building Service-Oriented Applications
5. Windows Communication Foundation
WCF provides:
- an SDK for creating SOA
- a runtime for running Services on Windows
Services send and receive messages
All messages are SOAP messages
WCF takes care of all the plumbing
6. Why use WCF?
Interoperable and Standards based
- Supports WS-* protocols
Unified Programming Model
- Unifies previous models like .NET Remoting, ASMX web services, COM+, etc.
Productive Programming Model
- Declarative
- Imperative
- Configuration based
7. WCF: How does it work?
SOAP (Simple Object Access Protocol) is a protocol specification for
exchanging structured information in the implementation of Web Services.
The messages are XML.
9. WCF Endpoints
Every service has
Address
- Where the service is
Binding
- How to talk to the service
Contract
- What the service can do
11. Address
Combination of transport, server name, port & path
Transport is determined by the binding
Examples
http://localhost:8001
https://localhost:8001
net.tcp://localhost:8002/MyService
net.msmq://localhost/MyService
12. Bindings
Transport
- HTTP/S
- TCP
- MSMQ
Message formats and encoding
- Plain text
- Binary
- Message Transmission Optimization Mechanism (MTOM)
Communication security
- No security
- Transport security
- Message security
- Authenticating and authorizing callers
14. Contracts
Service contracts
- Defines operations, communications and behaviors.
Data contracts
- Defines data entities and parameter types.
Fault contracts
- Defines error types
Message contracts
- Defines message formats
15. Service Contracts
[ServiceContract] – Defines a ‘set’ of operations
[OperationContract] – Defines a single method
using System.ServiceModel;

[ServiceContract]
public interface IService
{
    [OperationContract]
    string GetData(int value);
}

public class ConcreteService : IService
{
    // Exposed: GetData is listed in the contract
    public string GetData(int value)
    {
        return string.Format("You entered: {0}", value);
    }

    // Not exposed: no [OperationContract], so callers cannot reach it through the service
    public string OtherMethod()
    {
        return "not callable through the service";
    }
}
16. Data Contracts
[DataContract] – Specifies type as a data contract
[DataMember] – Members that are part of contract
using System.Runtime.Serialization;

[DataContract]
public class CustomType
{
    [DataMember]
    public bool MyFlag { get; set; }

    [DataMember]
    public string MyString { get; set; }
}
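The slides list fault contracts but show no code for them, so here is an added example (not from the original deck) that ties a service contract, a data contract and a fault contract together. ServiceFault, its Code and Message members, and the GetData body are assumptions made for the example. The security point is that the fault contract fixes the error shape sent to callers: unexpected exceptions are mapped to a generic fault and IncludeExceptionDetailInFaults stays false, so stack traces and internal messages never leave the server.

```csharp
using System;
using System.Runtime.Serialization;
using System.ServiceModel;

// Fault contract: the only error shape the service will send to callers.
// Keep it to what the client needs; never copy exception text or stack traces into it.
[DataContract]
public class ServiceFault
{
    [DataMember] public string Code { get; set; }
    [DataMember] public string Message { get; set; }
}

[DataContract]
public class CustomType
{
    [DataMember] public bool MyFlag { get; set; }
    [DataMember] public string MyString { get; set; }
}

[ServiceContract]
public interface IService
{
    [OperationContract]
    [FaultContract(typeof(ServiceFault))]   // declares the fault the client should expect
    CustomType GetData(int value);
}

// IncludeExceptionDetailInFaults = false is the default; stated explicitly so a later
// "just for debugging" change is visible in review.
[ServiceBehavior(IncludeExceptionDetailInFaults = false)]
public class ConcreteService : IService
{
    public CustomType GetData(int value)
    {
        try
        {
            if (value < 0)
            {
                // Input validation failure: a declared fault, not an unhandled exception.
                throw new FaultException<ServiceFault>(
                    new ServiceFault { Code = "InvalidArgument", Message = "value must be non-negative" },
                    new FaultReason("Invalid argument"));
            }
            return new CustomType { MyFlag = value % 2 == 0, MyString = value.ToString() };
        }
        catch (FaultException)
        {
            throw; // declared faults pass through unchanged
        }
        catch (Exception)
        {
            // Anything unexpected becomes a generic fault; the details stay in server-side logs.
            throw new FaultException<ServiceFault>(
                new ServiceFault { Code = "InternalError", Message = "The request could not be processed." },
                new FaultReason("Internal error"));
        }
    }
}
```

On the client side the declared fault surfaces as FaultException<ServiceFault>, so the caller can branch on Code without the service ever exposing why the internal error happened.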
17. Hosting
IIS
- HTTP only
- Process recycling, failover protection, common config
WAS (Windows Activation Service)
- Can use any transport
- Vista and Windows Server 2008 only
Self hosting
- Can use any transport
- Can be hosted within Console, WinForms, etc Applications
Windows Service
- Can use any transport
19. WCF Security
WCF Security Provides:
Authentication – Identifying the message sender
Integrity – Signed msgs to ensure not altered
Confidentiality – Encryption
Authorization – Determines functionality entitled to execute
Your binding selection will influence the available configuration
options for the service security policy.
20. WCF Security
Programming WCF security comes down to three steps, setting the following:
- the security mode
- the client credential type
- the credential values
21. WCF Binding Comparison
Binding              Security (default)                 Transport Protocol   Encoding         Default Host
basicHttpBinding     None, Transport, Message, Mixed    HTTP                 Text/XML, MTOM   IIS, WAS
wsHttpBinding        Message, Transport, Mixed          HTTP                 Text/XML, MTOM   IIS, WAS
netTcpBinding        Transport, Message, Mixed          TCP                  Binary           WAS
netNamedPipeBinding  Transport, None                    Named Pipe           Binary           WAS
netMsmqBinding       Message, Transport, None           TCP                  Binary           WAS
netPeerTcpBinding    Transport                          P2P                  Binary           -
23. Setting the Binding
1. Select one of the predefined bindings appropriate to your application
requirements.
By default, nearly every binding has security enabled.
The binding you select determines the transport. For
example, WSHttpBinding uses HTTP as the
transport; NetTcpBinding uses TCP.
<system.serviceModel>
  <services>
    <service name="LunchLearn.TestService">
      <endpoint contract="LunchLearn.ITestService" binding="wsHttpBinding"/>
    </service>
  </services>
</system.serviceModel>
24. Setting the Security Mode
2. Select one of the security modes for the binding. Note that the binding
you select determines the available mode choices.
You have three choices:
Transport
Message
TransportWithMessageCredential
<wsHttpBinding>
  <binding name="wsHttp">
    <security mode="Message">
      <message clientCredentialType="UserName" />
    </security>
  </binding>
</wsHttpBinding>
25. Transport
Transport security depends on the mechanism that the binding you've
selected uses. For example, if you are using WSHttpBinding then the
security mechanism is Secure Sockets Layer (SSL).
Pro: Generally speaking, good throughput no matter which transport
you are using.
Con: Security is implemented in a hop-by-hop manner rather than end-to-end.
If you decide to use transport security for HTTP (in other words,
HTTPS), you must also configure the host with an SSL certificate and
enable SSL on a port.
26. Message
Each message is encrypted
Pros:
End to End Security
Because the composition of the headers varies, you can include any
number of credentials for interoperability
Con:
Some overhead, since each message is encrypted.
27. Setting the Client Credential Type
The choice of client credential type depends on the security
mode in place. For transport security you can require a
Windows credential or certificate
Message security supports any of the following settings
for clientCredentialType:
None
Windows
UserName
Certificate
IssuedToken
28. Setting the Client Credential Type
This code snippet illustrates how to select
a clientCredentialType for message security.
<wsHttpBinding>
  <binding name="wsHttp">
    <security mode="Message">
      <message clientCredentialType="Windows"
               algorithmSuite="TripleDes" />
    </security>
  </binding>
</wsHttpBinding>
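The three steps above (binding, security mode, client credential type) plus the credential values can be set in code instead of configuration. The following is an added example for a self-hosted service, not code from the original deck: it uses WSHttpBinding with Message security and a UserName client credential, and supplies the credential values through a custom UserNamePasswordValidator. ITestService, TestService, the "alice" account, the listening address and the certificate subject "localhost" are all assumptions for the example.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface ITestService
{
    [OperationContract]
    string Echo(string text);
}

public class TestService : ITestService
{
    public string Echo(string text)
    {
        // The authenticated caller, as established by the validator below.
        string user = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        return user + ": " + text;
    }
}

// Step 3 (credential values): a custom validator for the UserName credential.
// Production code verifies against a directory or a salted password-hash store;
// the hard-coded account here is a constructed sample only.
public class SampleUserNameValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName != "alice" || password != "correct horse battery staple")
        {
            // One generic message: do not tell the caller which half was wrong.
            throw new SecurityTokenException("Unknown user name or incorrect password.");
        }
    }
}

class Program
{
    static void Main()
    {
        // Step 1: the binding, which fixes the transport (HTTP for WSHttpBinding).
        // Step 2: the security mode, here Message, so each SOAP message is signed and encrypted.
        var binding = new WSHttpBinding(SecurityMode.Message);

        // Step 3: the client credential type.
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var host = new ServiceHost(typeof(TestService), new Uri("http://localhost:8001/TestService"));
        host.AddServiceEndpoint(typeof(ITestService), binding, "");

        // Message security needs a service certificate so the client can encrypt to the service.
        // Assumed: a certificate with subject name "localhost" exists in LocalMachine\My.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "localhost");

        // Route UserName credentials to the custom validator above.
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator =
            new SampleUserNameValidator();

        host.Open();
        Console.WriteLine("Listening on http://localhost:8001/TestService; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

The code form mirrors the <security mode="Message"> / <message clientCredentialType="UserName"/> configuration shown earlier; the difference is that the validator, which the configuration cannot express on its own, is wired in the same place, so a reviewer sees the whole security policy in one file.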
29. Role-Based Authorization
The identity of the caller is attached to the executing request thread in the form of a
security principal, accessible through the CurrentPrincipal property.
System.Threading.Thread.CurrentPrincipal
This implements System.Security.Principal.IPrincipal.
This interface has two members:
- A read-only Identity property that returns a reference to the IIdentity for the request.
- IsInRole(), which, when invoked, uses the configured RoleProvider to check whether this
identity is in the specified role.
30. Role-Based Authorization
Using the PrincipalPermission Object
Is the user authenticated?
Is the user in a particular role?
Is a particular user calling?
using System.Security.Permissions;

// Declarative: the demand is evaluated before the method body runs
[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
public string AdminsOnly()
{
    // protected code
}

// Imperative: the demand runs where you place it, so anything before it is unprotected
public string AdminsOnly()
{
    // unprotected code
    // name == null: any authenticated user in the role satisfies the demand
    PrincipalPermission p = new PrincipalPermission(null, "Administrators");
    p.Demand();
    // protected code
}
31. Claims-Based Identity Model
The identity model in WCF supports a rich, claims-based approach to
authorization. It can add a welcome layer of granularity.
Claims can be proof of possession of information such as an e-mail
address, birth date, or first and last name.
Custom claims can be created to indicate the ability to access specific
business entities or their storage location.
32. Claims-Based Identity Model
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.Security;
using System.ServiceModel;

ServiceSecurityContext security = OperationContext.Current.ServiceSecurityContext;
string user = security.PrimaryIdentity.Name;
string email = null;
// Look for an e-mail claim the caller possesses (PossessProperty right)
IEnumerable<Claim> claims = security.AuthorizationContext.ClaimSets[0].FindClaims(
    ClaimTypes.Email, Rights.PossessProperty);
foreach (Claim c in claims)
{
    email = c.Resource as string;
}
if (string.IsNullOrEmpty(user) || email == null)
    throw new SecurityException("Unauthorized access. Email claim not found.");
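The snippet above indexes ClaimSets[0], which throws an ArgumentOutOfRangeException rather than a SecurityException when the caller arrives with no claim sets at all, and it only inspects the first set. The following added example (not code from the original deck) separates the check into a testable helper that walks every claim set and fails closed with a SecurityException in every case; the ClaimChecks class and its method names are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security;
using System.ServiceModel;

public static class ClaimChecks
{
    // Returns the e-mail address the caller possesses, or throws SecurityException.
    // Unlike ClaimSets[0], this tolerates an empty AuthorizationContext and walks
    // every claim set instead of only the first one.
    public static string RequireEmail(AuthorizationContext authz, string userName)
    {
        if (string.IsNullOrEmpty(userName) || authz == null)
            throw new SecurityException("Unauthorized access. No authenticated caller.");

        foreach (ClaimSet set in authz.ClaimSets)
        {
            // set.Issuer tells you who vouched for these claims; restrict to trusted
            // issuers here if more than one token type can reach the service.
            foreach (Claim c in set.FindClaims(ClaimTypes.Email, Rights.PossessProperty))
            {
                string email = c.Resource as string;
                if (!string.IsNullOrEmpty(email))
                    return email;
            }
        }
        throw new SecurityException("Unauthorized access. Email claim not found.");
    }

    // Convenience wrapper for use inside an operation body.
    public static string RequireEmailForCurrentCaller()
    {
        ServiceSecurityContext security = ServiceSecurityContext.Current;
        if (security == null || security.IsAnonymous)
            throw new SecurityException("Unauthorized access. Anonymous caller.");
        return RequireEmail(security.AuthorizationContext, security.PrimaryIdentity.Name);
    }
}
```

Keeping the decision in RequireEmail(AuthorizationContext, string) means it can be unit-tested with a hand-built AuthorizationContext, which is how you confirm that the "no claim sets" and "claim present but empty" paths both deny.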
34. Impersonation
When Windows credentials are used, the service can be configured to
impersonate callers so that the request thread operates under the
impersonated Windows token.
[OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
public string DoSomething() { ... }
ImpersonationOption.NotAllowed. The caller will not be impersonated.
ImpersonationOption.Allowed. The caller will be impersonated if a Windows
credential is provided.
ImpersonationOption.Required. The caller will be impersonated and a Windows
credential must be provided to support this.
35. Impersonation
You can also set this for all operations declaratively:
<behaviors>
  <serviceBehaviors>
    <behavior name="serviceBehavior">
      <serviceAuthorization
          impersonateCallerForAllOperations="true"/>
    </behavior>
  </serviceBehaviors>
</behaviors>
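Both forms above run the whole operation, or every operation, under the caller's token. The following added example (not code from the original deck) shows the narrower alternative: impersonate explicitly, only around the resource access that must be authorized as the caller, and revert as soon as it completes. IFileService, FileService and the C:\Reports layout are assumptions for the example.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IFileService
{
    [OperationContract]
    string ReadOwnReport();
}

public class FileService : IFileService
{
    // Scoped impersonation: the service identity does everything except the one
    // file read, which is evaluated against the caller's own Windows token.
    public string ReadOwnReport()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            throw new FaultException("A Windows credential is required.");

        // Assumed layout: one report per account, named after the account.
        string path = Path.Combine(@"C:\Reports", caller.Name.Replace('\\', '_') + ".txt");

        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            // Inside the using block the file ACL is checked against the caller's token.
            return File.ReadAllText(path);
        }
        // Dispose() reverts to the service identity even if ReadAllText throws.
    }
}
```

Compared with ImpersonationOption.Required, the surface that runs with the caller's privileges shrinks to one call, and the service never stays impersonated across logging, database access or other work that should run as the host identity.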
36. Summary
Which binding to use:
WSHttpBinding – Default security for message encryption
BasicHttpBinding
NetMsmqBinding