Internet – Web to Remote WCF Using Message Security (Original Caller)
2011-01-18 13:13
- J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen
Applies To
WCF 3.5
Scenario
In this scenario, your users do not have Windows accounts and use a web client to connect over the Internet to an ASP.NET application on an IIS server. The business logic called by the WCF service requires fine-grained authorization and is backed by a SQL Server data store. The basic model for this application scenario is shown in the following figure.
Key Characteristics
This scenario applies to you if:
- Your users have web clients
- Your user accounts are stored in SQL
- Your user roles are stored in SQL
- The business logic behind your WCF service requires fine-grained authorization
- Your application transmits sensitive data over the network that needs to be protected
- A high performance connection between the ASP.NET application and the WCF service is more important than the ability to host the WCF service in IIS
Solution
Solution Summary Table
In this solution you will:
- Use username and password to authenticate users against the SQL Server Membership Provider
- Impersonate the original caller when calling methods on the WCF service from the ASP.NET application
- Use a service account to call the SQL Server from WCF
- Use SSL to protect sensitive data between the web client and IIS
- Use message security to protect sensitive data between the ASP.NET application and the WCF service
- Use netTcpBinding to support the TCP transport for improved performance
- Host WCF in a Windows Service since IIS does not support the TCP transport
Web Server
| What | Checks | Example | More Info |
|---|---|---|---|
| IIS | | | |
| Configuration | A dedicated application pool is created and configured to run under a custom service account. | Use a domain account if possible. | |
| | The web application is configured to run under the service account. | Assign the web application to the custom application pool. | |
| Authentication | The IIS virtual directory is configured to use Anonymous access. | | Users are allowed to access pages and, if required, are redirected to the forms authentication page. |
| ASP.NET | | | |
| Configuration | The aspnetdb database is created for use with the SQL Membership Provider and the SQL Role Provider. | `aspnet_regsql -S .\SQLExpress -E -A r m` | Aspnet_regsql.exe creates the SQL database that stores the user and role information. |
| | The connection string is configured to point to the user and role store in SQL Server. | `<add name="MyLocalSQLServer" connectionString="Initial Catalog=aspnetdb;data source=localhost;Integrated Security=SSPI;" />` | The database connection string includes Integrated Security=SSPI or Trusted Connection=Yes for Windows authentication. |
| | The web application process identity is granted access permissions on the aspnetdb database. | `sp_grantlogin 'NT AUTHORITY\Network Service'; USE aspnetdb GO sp_grantdbaccess 'NT AUTHORITY\Network Service', 'Network Service'; sp_addrolemember 'aspnet_Membership_FullAccess', 'Network Service'; sp_addrolemember 'aspnet_Roles_FullAccess', 'Network Service'` | Your web application process identity requires access to the aspnetdb database. If you host the web application in Internet Information Services (IIS) 6.0 on Microsoft Windows Server 2003, the NT AUTHORITY\Network Service account runs the web application by default. |
| Authentication | ASP.NET is configured for Forms authentication. | `<authentication mode="Forms" />` | The web application authenticates the users. |
| | SqlMembershipProvider is configured for use with the Membership feature for forms authentication. | `<add name="MySqlMembershipProvider" connectionStringName="MyLocalSQLServer" type="System.Web.Security.SqlMembershipProvider, ..." ... />` | The membership feature helps protect credentials, can enforce strong passwords, and provides consistent APIs for user validation and secure user management. The membership feature also automatically creates the authentication ticket for you. |
| Authorization | The Role Manager feature is enabled and SqlRoleProvider is configured for role authorization. | `<roleManager enabled="true" defaultProvider="MySqlRoleProvider"> <providers> <add name="MySqlRoleProvider" connectionStringName="MyLocalSQLServer" applicationName="MyAppName" type="System.Web.Security.SqlRoleProvider" /> </providers> </roleManager>` | The Role Manager feature allows you to look up users' roles without writing and maintaining code. Additionally, the role providers offer a consistent way to check the role membership of your users, regardless of the underlying data store. |
| | URL authorization is used to control access to pages and folders. | `<authorization> <allow roles="Manager" /> <deny users="*" /> </authorization>` | Only users in the allowed roles have access to the protected pages. |
| | Role checks are performed using the Role Manager APIs. | `Roles.IsUserInRole("TestRole")...` | |
| WCF Proxy | | | |
| | ASP.NET has a proxy reference to the WCF service. | | The application has access to the WCF metadata to create a service reference. |
| | The root CA certificate for the service is installed in "Trusted Root Certification Authorities". | | All certificates signed with this certificate are trusted by the client machine. |
| | The proxy invokes the service with the security context of the service account and passes the user's credentials to the WCF service. | `WCFTestService.ServiceClient myService = new WCFTestService.ServiceClient(); myService.ClientCredentials.UserName.UserName = "username"; myService.ClientCredentials.UserName.Password = "p@ssw0rd"; myService.GetData(123); myService.Close();` | The proxy invokes a WCF method on the application server using the service account's security context. |
Application Server
| What | Checks | Example | More Info |
|---|---|---|---|
| Windows Service | | | |
| Configuration | The Windows Service is configured to run under a custom domain service account. | Use a domain account if possible. | |
| | The WCF service is hosted in a Windows Service. | | |
| WCF Service | | | |
| Configuration | The connection string is configured to point to the user and role store in SQL Server. | `<add name="MyLocalSQLServer" connectionString="Initial Catalog=aspnetdb;data source=localhost;Integrated Security=SSPI;" />` | The database connection string includes Integrated Security=SSPI or Trusted Connection=Yes for Windows authentication. |
| | The WCF service process identity is granted access permissions on the aspnetdb database. | `sp_grantlogin '<<Custom Service Account>>'; USE aspnetdb GO sp_grantdbaccess '<<Custom Service Account>>', '<<Custom Service Account>>'; sp_addrolemember 'aspnet_Membership_FullAccess', '<<Custom Service Account>>'; sp_addrolemember 'aspnet_Roles_FullAccess', '<<Custom Service Account>>'` | Your WCF service process identity requires access to the aspnetdb database. |
| | The WCF service is configured to use the netTcpBinding binding. | `<endpoint address="" binding="netTcpBinding" bindingConfiguration="NetTcpBindingEndpointConfig" name="" contract="WCFHostService.IMyService"/>` | The NetTcpBinding uses the TCP protocol and provides full support for SOAP security, transactions, and reliability. Because the client and the WCF service are both on the intranet, it is a good choice from a performance perspective. bindingConfiguration must name the binding configuration defined under Authentication; if it is left empty the endpoint uses the netTcpBinding defaults (transport security with Windows credentials) instead of message security. |
| | A mex endpoint is created for publishing the metadata. | `<endpoint address="Mex" binding="mexTcpBinding" bindingConfiguration="" name="MexEndpoint" contract="IMetadataExchange"/>` | This is required so that the client can add a reference to the WCF service using the SvcUtil utility. |
| Authentication | The netTcpBinding is configured to use username authentication and message security. | `<netTcpBinding> <binding name="NetTcpBindingEndpointConfig"> <security mode="Message"> <message clientCredentialType="UserName"/> </security> </binding> </netTcpBinding>` | |
| | SqlMembershipProvider is configured for use with username authentication. | `<add name="MySqlMembershipProvider" connectionStringName="MyLocalSQLServer" type="System.Web.Security.SqlMembershipProvider, ..." ... />` | The membership feature automatically authenticates the user and creates the authentication ticket for you. |
| | The service behavior is configured to use the membership provider for username authentication. | `<behaviors> <serviceBehaviors> <behavior name="ServiceBehavior"> ... <serviceCredentials> <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="MySqlMembershipProvider" /> </serviceCredentials> ... </behavior> </serviceBehaviors> </behaviors>` | |
| | The service certificate is installed on the WCF service machine, and the service behavior is configured to use it. | `... <behaviors> <serviceBehaviors> <behavior name="ServiceBehavior"> <serviceCredentials> <serviceCertificate findValue="CN=tempCert" /> ... </serviceCredentials> </behavior> </serviceBehaviors> </behaviors> ...` | This is required for protecting the user credentials in the message. |
| Authorization | The Role Manager feature is enabled and SqlRoleProvider is configured for role authorization. | `<roleManager enabled="true" defaultProvider="MySqlRoleProvider"> <providers> <add name="MySqlRoleProvider" connectionStringName="MyLocalSQLServer" applicationName="MyAppName" type="System.Web.Security.SqlRoleProvider" /> </providers> </roleManager>` | The Role Manager feature allows you to look up users' roles without writing and maintaining code. Additionally, the role providers offer a consistent way to check the role membership of your users, regardless of the underlying data store. |
| | WCF operations are configured to perform role checks, either declaratively or imperatively. | `[PrincipalPermission(SecurityAction.Demand, Role="Managers")]` | Use an imperative check for fine-grained role checks, avoiding a demand on the entire method execution. The demand consults the SQL role provider only when the service's serviceAuthorization behavior sets principalPermissionMode="UseAspNetRoles"; the default is Windows groups. |
| SQL | The connection string for the database is configured to use Windows authentication. | | The database connection string includes Integrated Security=SSPI or Trusted Connection=Yes. |
| | The database connection is opened using the WCF process identity's security context. | | |
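As an added example (not code from the original article or from the patterns & practices samples), the following C# hosts the service in a Windows Service and applies in code the same settings the application-server table expresses in configuration, including the serviceAuthorization mode that makes the SQL role provider back PrincipalPermission, and places a declarative role demand beside an imperative fine-grained check. Assumed names: the IMyService/MyService contract, the "Auditors" role and the net.tcp base address; the provider names and the certificate subject are the table's.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.Threading;
using System.Web.Security;
[ServiceContract]
public interface IMyService
{
    [OperationContract] string GetData(int value);
}
public class MyService : IMyService
{
    // Declarative check: the whole operation is refused unless the caller is in "Managers".
    [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
    public string GetData(int value)
    {
        // Imperative check: only the sensitive branch demands the extra "Auditors" role (assumed name).
        var caller = Thread.CurrentPrincipal;
        if (value > 1000 && !caller.IsInRole("Auditors"))
            throw new FaultException("Access denied");
        // SQL is opened here under the service's process identity (Integrated Security=SSPI), not as the caller.
        return "ok:" + caller.Identity.Name;
    }
}
public static class HostSetup
{
    public static ServiceHost Create()
    {
        // Assumed base address; a real host reads it from configuration.
        var host = new ServiceHost(typeof(MyService), new Uri("net.tcp://localhost:8000/MyService"));
        // netTcpBinding with message security and a UserName client credential (table row "Authentication").
        var binding = new NetTcpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        host.AddServiceEndpoint(typeof(IMyService), binding, "");
        // Service certificate (CN=tempCert) that protects the credentials inside the message.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "tempCert");
        // Validate the UserName token against the SQL membership provider named in the table.
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.MembershipProvider;
        host.Credentials.UserNameAuthentication.MembershipProvider = Membership.Providers["MySqlMembershipProvider"];
        // Required so PrincipalPermission and IsInRole consult the SQL role provider (default is Windows groups).
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles;
        host.Authorization.RoleProvider = Roles.Providers["MySqlRoleProvider"];
        return host;
    }
}
```

The Windows Service's OnStart would call `HostSetup.Create().Open()`; the membership and role providers must be declared in the host's App.config exactly as in the table for the `Providers[...]` lookups to succeed.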
Database Server
| What | Check | Example | More Info |
|---|---|---|---|
| Configuration | A SQL Server login is created for the WCF service's account (process identity). | | |
| | The login is mapped to a database user for the Web application. | | |
| Authentication | SQL Server is configured to use Windows authentication. | | |
| Authorization | The database user is placed in a database role for the WCF service. | | SQL Server authorizes the role rather than the user login. |
| | Database permissions are granted to the database role. | | Only grant execute permissions on the necessary stored procedures. |
Communication Security
| What | Check | Example | More Info |
|---|---|---|---|
| Browser to Web Server | SSL is used between the browser and the Web server to protect sensitive data on the wire. | | A certificate needs to be installed on the Web site, and the virtual directory of the web application needs to be configured to use SSL. |
| App server to Database | IPSec or SSL can be used between the app server and the database server to protect sensitive data on the wire. | | |
Contributors and Reviewers
External Contributors and Reviewers:
Microsoft Consulting Services and PSS Contributors and Reviewers:
Test team: Rohit Sharma, Chaitanya Bijwe, Parameswaran Vaideeswaran.
Edit team: Dennis Rea.
SEO team: Rob Boucher.