WCF 4 Step By Step Chapter 4 Note (Transport and Message Security + Authentication in Organization)
2012-03-17 19:53
When building Web services, you can perform authentication and encryption at two points when sending and receiving messages: at the transport level and at the message level.
Transport-Level Security
Transport-level authentication is typically implemented at the operating system level. A service can specify the type of credentials it requires, but it is the operating system's responsibility to ensure that the correct credentials are provided and to validate them.
Many communications protocols can encrypt and decrypt data as it is sent and received.
- HTTPS: uses Secure Sockets Layer (SSL) to encrypt and decrypt data by using keys provided in certificates. Because all this happens at the transport level, it is transparent to the client application and service.
- TCP protocol: uses Transport Layer Security (TLS); the TCP bindings in WCF make use of TLS automatically.
- Named pipes also support transport-level security but not message-level security.
Message-Level Security
- The client and service encrypt and decrypt messages themselves using an agreed encryption algorithm and a negotiated set of encryption keys. Standards such as the WS-Security specification from OASIS describe the message-level security schemes that many Web services implementations have adopted.
Transport-Level Security vs. Message-Level Security
Transport-level security has the advantage over message-level security in that it can often rely on hardware support and can be very efficient: encrypting and decrypting data can be a resource-intensive process, so anything that improves performance is very welcome. Additionally, transport-level authentication checks are enforced before the client application actually starts sending application-level messages, so performing authentication at this level detects authentication failures more quickly and with less network overhead.
The primary disadvantage of transport-level security is that it operates on a point-to-point basis; by the time the service receives a message, it has already been decrypted by the underlying transport mechanism. In a situation where a service should simply forward a message on to another service rather than process it, the intermediate service has full access to the message contents, meaning that the service could modify the message or extract confidential information before forwarding it. Using message-level encryption can help to mitigate this problem: message-level security provides end-to-end encryption.
Implementing Security in a Windows Domain
1) Protecting a TCP Service at the Message Level
** Configure Message Tracing for the WCF Service
- LogEntireMessage
- LogMessagesAtServiceLevel
- LogMessagesAtTransportLevel
Verification: in Service Trace Viewer
- the <e:CipherValue> element contains the (encrypted) data for the request
Code Hint (Service Configuration)
    <netTcpBinding>
      <binding name="ProductsServiceTcpBindingConfig">
        <security mode="Message">
          <message algorithmSuite="Basic128" />
        </security>
      </binding>
    </netTcpBinding>
2) Protecting an HTTP Service at the Transport Level
** Configure the WCF HTTP Endpoint with an SSL Certificate
- Add the certificate: makecert -sr LocalMachine -ss My -n CN=HTTPS-Server -sky exchange -sk HTTPS-Key
- Bind the certificate with that thumbprint to the port: netsh http add sslcert ipport=0.0.0.0:8000 certhash=82e8568ba2689c24db66d392e06c6995f19afdc9 appid={00112233-4455-6677-8899-AABBCCDDEEFF}
3) Protecting an HTTP Service at the Message Level
- BasicHttpBinding. In this mode, the service uses SOAP message-level security to encrypt the message. The service must have a certificate installed, and the client uses the public key from the service's certificate to perform the encryption. The service can send the certificate containing its public key at the start of the message exchange, or an administrator can install the service certificate on the client computer before the client application.
- If you really want to implement message-level security for a WCF service with the minimum of fuss and configuration, you can opt to use the WS2007HttpBinding binding. The WS2007HttpBinding binding conforms to the current WS-* specifications and follows the WS-Security specification for encrypting messages and authenticating users by default.
4) Authenticating Windows Users
Authenticate a user when the client application and service are both running within the same Windows domain.
- Basic authentication: Basic authentication is a good solution if the user running the client application is not currently logged in to the security domain used by the service. However, if the user is logged in to the domain, you can make use of Windows Integrated Security to provide the user's credentials automatically, rather than prompting the user for them again.
Note: if you are implementing Basic authentication, user names and passwords are not encrypted at the message level, so WCF insists that you configure the underlying transport to provide encryption, to prevent the credential details from being transmitted across an open network as clear text.
Code:
    // Client side: select the endpoint configuration and attach the user's credentials to the proxy.
    ProductsServiceClient proxy = new ProductsServiceClient("BasicHttpBinding_IProductsService");
    proxy.ClientCredentials.UserName.UserName = "Domain\\UserName";
    proxy.ClientCredentials.UserName.Password = "Password";
Configuration Service:
    <basicHttpBinding>
      <binding name="ProductsServiceBasicHttpBindingConfig">
        <security mode="Transport">
          <transport clientCredentialType="Basic" />
        </security>
      </binding>
    </basicHttpBinding>
- Windows Integrated Security
Configuration Service:
    <basicHttpBinding>
      <binding name="ProductsServiceBasicHttpBindingConfig">
        <security mode="Transport">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </basicHttpBinding>
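The bindings from sections 1 and 4 can also be built in code, and their element stacks inspected to confirm which layer actually protects the credentials and the message body. The following audit helper is an added example and not code from the book or from this post; it uses only public System.ServiceModel types, and the TransportCredentialOnly binding is constructed here purely to show the case the note above warns about (Basic credentials with no encrypted transport underneath).

```csharp
// Added example, not the book's code: inspect a WCF binding's element stack and
// report how, if at all, it protects credentials and message bodies.
using System;
using System.Collections.Generic;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

public static class BindingSecurityAudit
{
    // Returns findings for one binding; an empty list means nothing was flagged.
    public static List<string> Audit(Binding binding)
    {
        var findings = new List<string>();
        BindingElementCollection elements = binding.CreateBindingElements();

        // Message-level security appears as a SecurityBindingElement in the stack.
        SecurityBindingElement message = elements.Find<SecurityBindingElement>();
        // Transport-level security is HTTPS, or the SSL/Windows stream upgrade on TCP and pipes.
        bool transportSecured =
            elements.Find<HttpsTransportBindingElement>() != null ||
            elements.Find<SslStreamSecurityBindingElement>() != null ||
            elements.Find<WindowsStreamSecurityBindingElement>() != null;

        if (message == null && !transportSecured)
            findings.Add("no transport-level or message-level security: clear text on the wire");

        // Basic authentication puts the user name and password in an HTTP header; with
        // BasicHttpSecurityMode.TransportCredentialOnly there is no HTTPS underneath it.
        HttpTransportBindingElement http = elements.Find<HttpTransportBindingElement>();
        if (http != null && !(http is HttpsTransportBindingElement) &&
            http.AuthenticationScheme == AuthenticationSchemes.Basic)
            findings.Add("Basic credentials over clear HTTP");
        if (message != null)
            findings.Add("message security with algorithm suite " + message.DefaultAlgorithmSuite);
        return findings;
    }

    public static void Main()
    {
        var tcp = new NetTcpBinding(SecurityMode.Message);                   // section 1
        tcp.Security.Message.AlgorithmSuite = SecurityAlgorithmSuite.Basic128;
        var weak = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        weak.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
        var basic = new BasicHttpBinding(BasicHttpSecurityMode.Transport);   // section 4
        basic.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
        foreach (Binding b in new Binding[] { tcp, weak, basic, new WS2007HttpBinding() })
            Console.WriteLine(b.Name + ": " + string.Join("; ", Audit(b)));
    }
}
```

The default WS2007HttpBinding in the last line reports message security (with Windows credentials and the Basic256 suite), matching the statement in section 3 that it follows WS-Security by default.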
5) Authorizing Users
6) Using Impersonation to Access Resources
By default, the service will attempt to gain access to these resources by using its own credentials (the account hosting the service). When using Windows authentication, it is possible to specify that the WCF service should access resources by using the authenticated identity of the user instead (the client account).
Using impersonation gives an administrator fine-grained control over the ability of a WCF service to read or write possibly sensitive information and can provide an additional degree of security: just because the user can connect to the WCF service, they might not be able to perform operations that retrieve or modify confidential data unless the administrator has explicitly granted the user access to this data.
    // Authorization (role check) and impersonation are declared per operation.
    [PrincipalPermission(SecurityAction.Demand, Role = "WarehouseStaff")]
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public List<string> ListProducts() { ... }
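The two attributes above, carried through to a complete operation, as an added example that is not the book's ProductsService code: IProductsAudit, ProductsAudit and ProductsAuditClient are hypothetical names, the net.tcp address is supplied by the caller, and the service is assumed to be hosted in the same Windows domain as its clients.

```csharp
// Added example, not the book's code: an operation authorized through a Windows group
// that then reads a file as the caller rather than as the hosting account.
using System;
using System.IO;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
[ServiceContract]
public interface IProductsAudit            // hypothetical contract name
{
    [OperationContract]
    string ReadFirstLine(string path);
}
public class ProductsAudit : IProductsAudit
{
    // Authorization: callers whose Windows token lacks the WarehouseStaff group get an
    // access-denied fault (PrincipalPermissionMode defaults to UseWindowsGroups).
    [PrincipalPermission(SecurityAction.Demand, Role = "WarehouseStaff")]
    // Impersonation: the operation thread runs under the caller's token, so the file
    // ACL is evaluated against the user, not against the service account.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string ReadFirstLine(string path)
    {
        WindowsIdentity thread = WindowsIdentity.GetCurrent();          // the impersonated caller
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        try
        {
            using (var reader = new StreamReader(path))
                return thread.Name + " read: " + (reader.ReadLine() ?? string.Empty);
        }
        catch (UnauthorizedAccessException)
        {
            // The ACL said no: connecting to the service does not by itself grant access to the data.
            throw new FaultException("access denied for " + caller.Name);
        }
    }
}
// Client side: the caller must explicitly allow impersonation, or a Required operation fails.
public static class ProductsAuditClient
{
    public static ChannelFactory<IProductsAudit> Create(string netTcpAddress)
    {
        var factory = new ChannelFactory<IProductsAudit>(
            new NetTcpBinding(SecurityMode.Transport), new EndpointAddress(netTcpAddress));
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
        return factory;
    }
}
```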
Summary
If you are deploying services that are accessible inside an organization, you can use the NetTcpBinding or NetNamedPipeBinding bindings and implement transport-level security. However, if a service is intended to be accessible both inside an organization and externally, you may choose to provide a NetTcpBinding binding and a binding based on the HTTP protocol (either the BasicHttpBinding or WS2007HttpBinding binding), and implement either transport-level or message-level security, depending on the requirements of your service and the need to maintain compatibility with existing client applications and services. If you are building a WCF service that must be compatible with client applications and services that conform to the Basic Profile 1.1, you should use the BasicHttpBinding binding and configure it to use Basic authentication over transport-level security if authentication is required.
If you need to build a service that conforms to the requirements of the WS-Security specification, you should use the WS2007HttpBinding binding and configure message-level security.