By Paul Senatillaka
WCF Security
Agenda
• Introduction to WCF
- What is it? Why use it?
- Fundamentals and the ABCs of WCF
• WCF Security Overview
- Bindings
Introduction to WCF
What is WCF?
• Stands for Windows Communication Foundation
• One of the 4 pillars of .NET 3.0
• Microsoft's unified programming model (the service model) for building Service-Oriented Applications
Windows Communication Foundation
• WCF provides:
- an SDK for creating SOA
- a runtime for running Services on Windows
• Services send and receive messages
• All messages are SOAP messages
• WCF takes care of all the plumbing
Why use WCF?
• Interoperable and standards based
- Supports WS-* protocols
• Unified programming model
- Unifies previous models like .NET Remoting, ASMX web services, COM+, etc.
• Productive programming model
- Declarative
- Imperative
- Configuration based
WCF: How does it work?
SOAP (Simple Object Access Protocol) is a protocol specification for exchanging structured information in the implementation of web services.
(Diagram: SOAP messages exchanged as XML)
WCF Endpoints
Every service has:
• Address
- Where the service is
• Binding
- How to talk to the service
• Contract
- What the service can do
The Endpoint Analogy
(Diagram: Address, Binding, Contract)
Address
• Combination of transport, server name, port and path
• Transport is determined by the binding
• Examples:
http://localhost:8001
https://localhost:8001
net.tcp://localhost:8002/MyService
net.msmq://localhost/MyService
Bindings
• Transport
- HTTP/S
- TCP
- MSMQ
• Message formats and encoding
- Plain text
- Binary
- Message Transmission Optimization Mechanism (MTOM)
• Communication security
- No security
- Transport security
- Message security
- Authenticating and authorizing callers
Out of the box Bindings
• BasicHttpBinding
• WSHttpBinding
• WS2007HttpBinding
• WSDualHttpBinding
• WSFederationHttpBinding
• WS2007FederationHttpBinding
• NetTcpBinding
• NetNamedPipeBinding
• NetMsmqBinding
• NetPeerTcpBinding
• WebHttpBinding
• MsmqIntegrationBinding
Contracts
• Service contracts
- Define operations, communications and behaviors.
• Data contracts
- Define data entities and parameter types.
• Fault contracts
- Define error types.
• Message contracts
- Define message formats.
Service Contracts
• [ServiceContract] – Defines a 'set' of operations
• [OperationContract] – Defines a single method

[ServiceContract]
public interface IService
{
    [OperationContract]
    string GetData(int value);
}

public class ConcreteService : IService
{
    // Exposed: part of the contract
    public string GetData(int value)
    { ... }

    // Not exposed: no [OperationContract] on the interface
    public string OtherMethod()
    { ... }
}
Data Contracts
• [DataContract] – Specifies the type as a data contract
• [DataMember] – Members that are part of the contract

[DataContract]
public class CustomType
{
    [DataMember]
    public bool MyFlag { get; set; }

    [DataMember]
    public string MyString { get; set; }
}
Hosting
• IIS
- HTTP only
- Process recycling, failover protection, common config
• WAS (Windows Activation Service)
- Can use any transport
- Vista and Windows Server 2008 only
• Self hosting
- Can use any transport
- Can be hosted within Console, WinForms, etc. applications
• Windows Service
- Can use any transport
WCF Security Overview
WCF Security
WCF security provides:
• Authentication – identifying the message sender
• Integrity – signed messages, to ensure they have not been altered
• Confidentiality – encryption
• Authorization – determining which functionality the caller is entitled to execute
Your binding selection will influence the available configuration options for the service security policy.
WCF Security
• Programming WCF security comes down to three steps, setting:
- the security mode
- the client credential type
- the credential values
WCF Binding Comparison

Binding             | Security (Default)               | Transport Protocol | Encoding       | Default Host
basicHttpBinding    | None, Transport, Message, Mixed  | HTTP               | Text/XML, MTOM | IIS, WAS
wsHttpBinding       | Message, Transport, Mixed        | HTTP               | Text/XML, MTOM | IIS, WAS
netTcpBinding       | Transport, Message, Mixed        | TCP                | Binary         | WAS
netNamedPipeBinding | Transport, None                  | Named Pipe         | Binary         | WAS
netMsmqBinding      | Message, Transport, None         | TCP                | Binary         | WAS
netPeerTcpBinding   | Transport                        | P2P                | Binary         | -
WCF Binding Comparison (defaults in parentheses)

Binding                 | Interoperability  | Security (Default)                  | Session (Default)                           | Encoding (Default) | Streaming (Default)
BasicHttpBinding        | Basic Profile 1.1 | (None), Transport, Message, Mixed   | (None)                                      | Text, (MTOM)       | Yes (buffered)
WSHttpBinding           | WS                | Transport, (Message), Mixed         | (None), Reliable Session, Security Session  | (Text), MTOM       | No
WSDualHttpBinding       | WS                | (Message), None                     | (Reliable Session), Security Session        | (Text), MTOM       | No
WSFederationHttpBinding | WS-Federation     | (Message), Mixed, None              | (None), Reliable Session, Security Session  | (Text), MTOM       | No
NetTcpBinding           | .NET              | (Transport), Message, None, Mixed   | (Transport), Reliable Session, Security Session | Binary         | Yes (buffered)
NetNamedPipeBinding     | .NET              | (Transport), None                   | None, (Transport)                           | Binary             | Yes (buffered)
NetMsmqBinding          | .NET              | Message, (Transport), None          | (None), Transport                           | Binary             | No
NetPeerTcpBinding       | Peer              | (Transport)                         | (None)                                      |                    | No
MsmqIntegrationBinding  | MSMQ              | (Transport)                         | (None)                                      | n/a                | No
BasicHttpContextBinding | Basic Profile 1.1 | (None), Transport                   | (None)                                      | Text, (MTOM)       | Yes (buffered)
Setting the Binding
1. Select one of the predefined bindings appropriate to your application requirements.
By default, nearly every binding has security enabled.
The binding you select determines the transport. For example, WSHttpBinding uses HTTP as the transport; NetTcpBinding uses TCP.

<system.serviceModel>
  <services>
    <service name="LunchLearn.TestService">
      <endpoint contract="LunchLearn.ITestService" binding="wsHttpBinding"/>
    </service>
  </services>
</system.serviceModel>
Setting the Security Mode
2. Select one of the security modes for the binding. Note that the binding you select determines the available mode choices.
You have three choices:
• Transport
• Message
• TransportWithMessageCredential

<wsHttpBinding>
  <binding name="wsHttp">
    <security mode="Message">
      <message clientCredentialType="UserName" />
    </security>
  </binding>
</wsHttpBinding>
Transport
• Transport security depends on the mechanism that the binding you've selected uses. For example, if you are using WSHttpBinding then the security mechanism is Secure Sockets Layer (SSL).
• Pro: generally speaking, good throughput no matter which transport you are using.
• Con: security is implemented in a hop-by-hop manner rather than end-to-end.
• If you decide to use transport security for HTTP (in other words, HTTPS), you must also configure the host with an SSL certificate and enable SSL on a port.
Message
• Each message is encrypted
Pros:
• End-to-end security
• Because the composition of the headers varies, you can include any number of credentials for interoperability
Con:
• A little overhead, since each message is encrypted
Setting the Client Credential Type
• The choice of client credential type depends on the security mode in place. For transport security you can require a Windows credential or a certificate.
• Message security supports any of the following settings for clientCredentialType:
- None
- Windows
- UserName
- Certificate
- IssuedToken
Setting the Client Credential Type
This code snippet illustrates how to select a clientCredentialType for message security.

<wsHttpBinding>
  <binding name="wsHttp">
    <security mode="Message">
      <message clientCredentialType="Windows"
               algorithmSuite="TripleDes" />
    </security>
  </binding>
</wsHttpBinding>
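The three steps above (binding, security mode, client credential type) plus the third step the slides only name, the credential values, carried out in code rather than config. This is an added C# example, not from the slides; the certificate subject name, the demo validator and its placeholder credentials are assumptions for illustration.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Contract and implementation, matching the slides' IService/ConcreteService.
[ServiceContract]
public interface IService
{
    [OperationContract]
    string GetData(int value);
}

public class ConcreteService : IService
{
    public string GetData(int value) { return "You entered: " + value; }
}

// Step 3, the credential values: with UserName message security the service must
// validate the caller's user name and password. This validator is a placeholder;
// a real one checks a directory or membership store, never a hard-coded pair.
public class DemoUserNameValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        // Placeholder values (assumption). Throwing SecurityTokenException rejects
        // the caller before any operation runs.
        if (userName != "demo" || password != "demo-password")
            throw new SecurityTokenException("Unknown user name or incorrect password.");
    }
}

public static class Program
{
    public static void Main()
    {
        // Step 1: pick the binding (WSHttpBinding = HTTP transport).
        // Step 2: pick the security mode; Message signs and encrypts each SOAP message.
        var binding = new WSHttpBinding(SecurityMode.Message);

        // Step 2 continued: the client credential type carried inside the message.
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        // The slide shows algorithmSuite="TripleDes"; Basic256 (AES-256) is the
        // stronger choice for new services.
        binding.Security.Message.AlgorithmSuite = SecurityAlgorithmSuite.Basic256;

        var host = new ServiceHost(typeof(ConcreteService),
                                   new Uri("http://localhost:8001/TestService"));
        host.AddServiceEndpoint(typeof(IService), binding, "");

        // Step 3: credential values. Message security needs a service certificate
        // (the client encrypts to it). Subject name "localhost" is an assumption;
        // it must match a certificate with a private key in LocalMachine\My.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "localhost");

        // Step 3 continued: how the service checks the UserName credential.
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator =
            new DemoUserNameValidator();

        host.Open();
        Console.WriteLine("Listening with Message security and UserName credentials.");
        Console.ReadLine();
        host.Close();
    }
}
```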
Role-Based Authorization
• The identity of the caller is attached to the executing request thread in the form of a security principal, accessible through the CurrentPrincipal property.
System.Threading.Thread.CurrentPrincipal
implements System.Security.Principal.IPrincipal.
This interface has two members:
• A read-only Identity property that returns a reference to the IIdentity for the request.
• When IsInRole() is invoked, it uses the configured RoleProvider to check whether this identity is in the specified role.
Role-Based Authorization
Using the PrincipalPermission object:
• Is the user authenticated?
• Is the user in a particular role?
• Is a particular user calling?

// Declarative: the demand is evaluated before the method body runs.
[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
public string AdminsOnly() {
    // protected code
}

// Imperative: the same check performed inside the method body.
public string AdminsOnly() {
    // unprotected code
    PrincipalPermission p = new PrincipalPermission(null, "Administrators");
    p.Demand();  // throws SecurityException if the caller is not in the role
    // protected code
}
Claims-Based Identity Model
• The identity model in WCF supports a rich, claims-based approach to authorization. This can add a welcome layer of granularity.
• Claims can be proof of possession of information such as an e-mail address, birth date, or first and last name.
• Custom claims can be created to indicate the ability to access specific business entities or their storage location.
Claims-Based Identity Model

ServiceSecurityContext security = OperationContext.Current.ServiceSecurityContext;
string user = security.PrimaryIdentity.Name;
string email = null;
// Looks only at the first claim set; the last matching e-mail claim wins.
IEnumerable<Claim> claims = security.AuthorizationContext.ClaimSets[0].FindClaims(
    ClaimTypes.Email, Rights.PossessProperty);
foreach (Claim c in claims) {
    email = c.Resource as string;
}
if (string.IsNullOrEmpty(user) || email == null)
    throw new SecurityException("Unauthorized access. Email claim not found.");
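As an added example (not from the slides), the e-mail claim check above moved into a ServiceAuthorizationManager so it applies to every operation before the method body runs, walking all claim sets rather than only ClaimSets[0]; it goes beyond the slide's snippet in that respect. The allowed domain is an assumption, and it presumes the e-mail claim is supplied by an issued token or an authorization policy.

```csharp
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;
using System.ServiceModel.Description;

// Centralised claims check for the whole service: WCF calls CheckAccessCore
// for each incoming message and rejects it when the method returns false.
public class EmailClaimAuthorizationManager : ServiceAuthorizationManager
{
    // Assumed allowed domain, constructed for this example.
    private const string AllowedDomain = "@example.com";

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        // Keep the base behaviour (configured authorization policies) in force.
        if (!base.CheckAccessCore(operationContext))
            return false;

        AuthorizationContext authContext =
            operationContext.ServiceSecurityContext.AuthorizationContext;

        // Walk every ClaimSet: the claims that matter may sit in a set other
        // than [0] depending on the credential type and any custom policies.
        foreach (ClaimSet claimSet in authContext.ClaimSets)
        {
            foreach (Claim claim in claimSet.FindClaims(ClaimTypes.Email, Rights.PossessProperty))
            {
                string email = claim.Resource as string;
                if (!string.IsNullOrEmpty(email) &&
                    email.EndsWith(AllowedDomain, StringComparison.OrdinalIgnoreCase))
                    return true;
            }
        }

        // Deny by default: no acceptable e-mail claim, no operation.
        return false;
    }
}

public static class HostSetup
{
    // Wires the manager into an already-constructed ServiceHost.
    public static void UseEmailClaimAuthorization(ServiceHost host)
    {
        host.Authorization.ServiceAuthorizationManager = new EmailClaimAuthorizationManager();

        // [PrincipalPermission] role demands keep working alongside this check;
        // UseWindowsGroups is the default mode and is set here only to be explicit.
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;
    }
}
```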
Sample Config
http://www.devx.com/codemag/Article/33342/1763?supportItem=6
Impersonation
• When Windows credentials are used, the service can be configured to impersonate callers so that the request thread operates under the impersonated Windows token.

[OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
public string DoSomething() { ... }

• ImpersonationOption.NotAllowed: the caller will not be impersonated.
• ImpersonationOption.Allowed: the caller will be impersonated if a Windows credential is provided.
• ImpersonationOption.Required: the caller will be impersonated, and a Windows credential must be provided to support this.
Impersonation
You can also set this declaratively for all operations:

<behaviors>
  <serviceBehaviors>
    <behavior name="serviceBehavior">
      <serviceAuthorization impersonateCallerForAllOperations="true"/>
    </behavior>
  </serviceBehaviors>
</behaviors>
Summary
Which binding to use:
• WSHttpBinding – default security for message encryption
• BasicHttpBinding
• NetMsmqBinding
Questions?
Slides re-used from http://blogesh.wordpress.com/2009/02/11/wcf-presentation-slides/
RSM McGladrey, Inc.
80 City Square
Boston, MA 02129
www.mcgladrey.com