Lunch Learn - WCF Security
![Page 1: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/1.jpg)
By Paul Senatillaka
WCF Security
![Page 2: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/2.jpg)
Agenda
Introduction to WCF
- What is it? Why use it?
- Fundamentals and the ABCs of WCF
WCF Security Overview
- Bindings
![Page 3: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/3.jpg)
Introduction to WCF
![Page 4: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/4.jpg)
What is WCF?
Stands for Windows Communication Foundation
One of the 4 pillars of .NET 3.0
Microsoft’s unified programming model (the service model) for building Service-Oriented Applications
![Page 5: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/5.jpg)
Windows Communication Foundation
WCF provides:
- an SDK for creating SOA
- a runtime for running Services on Windows
Services send and receive messages
All messages are SOAP messages
WCF takes care of all the plumbing
![Page 6: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/6.jpg)
Why use WCF?
Interoperable and Standards based
- Supports WS-* protocols
Unified Programming Model
- Unifies previous models like .NET Remoting, ASMX web services, COM+, etc.
Productive Programming Model
- Declarative
- Imperative
- Configuration based
![Page 7: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/7.jpg)
WCF: How does it work?
SOAP (Simple Object Access Protocol) is a protocol specification for exchanging structured information in the implementation of Web Services, using XML as the message format.
![Page 8: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/8.jpg)
WCF End points
![Page 9: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/9.jpg)
WCF Endpoints
Every service has
Address
- Where the service is
Binding
- How to talk to the service
Contract
- What the service can do
![Page 10: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/10.jpg)
The Endpoint Analogy
Address, Binding, Contract
![Page 11: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/11.jpg)
Address
Combination of transport, server name, port & path
Transport is determined by the binding
Examples
http://localhost:8001
https://localhost:8001
net.tcp://localhost:8002/MyService
net.msmq://localhost/MyService
![Page 12: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/12.jpg)
Bindings
Transport
- HTTP/S
- TCP
- MSMQ
Message formats and encoding
- Plain text
- Binary
- Message Transmission Optimization Mechanism (MTOM)
Communication security
- No security
- Transport security
- Message security
- Authenticating and authorizing callers
![Page 13: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/13.jpg)
Out of the box Bindings
BasicHttpBinding
WSHttpBinding
WS2007HttpBinding
WSDualHttpBinding
WSFederationHttpBinding
WS2007FederationHttpBinding
NetTcpBinding
NetNamedPipeBinding
NetMsmqBinding
NetPeerTcpBinding
WebHttpBinding
MsmqIntegrationBinding
![Page 14: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/14.jpg)
Contracts
Service contracts
- Defines operations, communications and behaviors.
Data contracts
- Defines data entities and parameter types.
Fault contracts
- Defines error types
Message contracts
- Defines message formats
![Page 15: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/15.jpg)
Service Contracts
[ServiceContract] – Defines a 'set' of operations
[OperationContract] – Defines a single method

using System.ServiceModel;

[ServiceContract]
public interface IService
{
    [OperationContract]
    string GetData(int value);
}

public class ConcreteService : IService
{
    public string GetData(int value) { ... }
    public string OtherMethod() { ... }   // no [OperationContract], so not exposed by the service
}
![Page 16: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/16.jpg)
Data Contracts
[DataContract] – Specifies type as a data contract
[DataMember] – Members that are part of contract

using System.Runtime.Serialization;

[DataContract]
public class CustomType
{
    [DataMember] public bool MyFlag { get; set; }
    [DataMember] public string MyString { get; set; }
    // members without [DataMember] are not serialized
}
![Page 17: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/17.jpg)
Hosting
IIS
- HTTP only
- Process recycling, failover protection, common config
WAS (Windows Activation Service)
- Can use any transport
- Vista and Windows Server 2008 only
Self hosting
- Can use any transport
- Can be hosted within Console, WinForms, etc. applications
Windows Service
- Can use any transport
![Page 18: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/18.jpg)
WCF Security Overview
![Page 19: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/19.jpg)
WCF Security
WCF Security provides:
- Authentication – identifying the message sender
- Integrity – signed messages to ensure they are not altered
- Confidentiality – encryption
- Authorization – determines which functionality the caller is entitled to execute
Your binding selection will influence the available configuration options for the service security policy.
![Page 20: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/20.jpg)
WCF Security
Programming WCF security is based on three steps, setting the following:
- the security mode
- a client credential type
- the credential values.
![Page 21: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/21.jpg)
WCF Binding Comparison

| Binding             | Security (Default)              | Transport Protocol | Encoding (Default) | Host     |
|---------------------|---------------------------------|--------------------|--------------------|----------|
| basicHttpBinding    | None, Transport, Message, Mixed | HTTP               | Text/XML, MTOM     | IIS, WAS |
| wsHttpBinding       | Message, Transport, Mixed       | HTTP               | Text/XML, MTOM     | IIS, WAS |
| netTcpBinding       | Transport, Message, Mixed       | TCP                | Binary             | WAS      |
| netNamedPipeBinding | Transport, None                 | Named Pipe         | Binary             | WAS      |
| netMsmqBinding      | Message, Transport, None        | TCP                | Binary             | WAS      |
| netPeerTcpBinding   | Transport                       | P2P                | Binary             | -        |
![Page 22: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/22.jpg)
WCF Binding Comparison
Defaults are shown in parentheses.

| Binding                 | Interoperability  | Security (Default)                | Session (Default)                               | Encoding (Default) | Streaming (Default) |
|-------------------------|-------------------|-----------------------------------|-------------------------------------------------|--------------------|---------------------|
| BasicHttpBinding        | Basic Profile 1.1 | (None), Transport, Message, Mixed | (None)                                          | Text, (MTOM)       | Yes (buffered)      |
| WSHttpBinding           | WS                | Transport, (Message), Mixed       | (None), Reliable Session, Security Session      | (Text), MTOM       | No                  |
| WSDualHttpBinding       | WS                | (Message), None                   | (Reliable Session), Security Session            | (Text), MTOM       | No                  |
| WSFederationHttpBinding | WS-Federation     | (Message), Mixed, None            | (None), Reliable Session, Security Session      | (Text), MTOM       | No                  |
| NetTcpBinding           | .NET              | (Transport), Message, None, Mixed | (Transport), Reliable Session, Security Session | Binary             | Yes (buffered)      |
| NetNamedPipeBinding     | .NET              | (Transport), None                 | None, (Transport)                               | Binary             | Yes (buffered)      |
| NetMsmqBinding          | .NET              | Message, (Transport), None        | (None), Transport                               | Binary             | No                  |
| NetPeerTcpBinding       | Peer              | (Transport)                       | (None)                                          |                    | No                  |
| MsmqIntegrationBinding  | MSMQ              | (Transport)                       | (None)                                          | n/a                | No                  |
| BasicHttpContextBinding | Basic Profile 1.1 | (None), Transport, Message, Mixed | (None)                                          | Text, (MTOM)       | Yes (buffered)      |
![Page 23: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/23.jpg)
Setting the Binding
1. Select one of the predefined bindings appropriate to your application requirements.
By default, nearly every binding has security enabled.
The binding you select determines the transport. For example, WSHttpBinding uses HTTP as the transport; NetTcpBinding uses TCP.
<system.serviceModel>
  <services>
    <service name="LunchLearn.TestService">
      <endpoint contract="LunchLearn.ITestService" binding="wsHttpBinding"/>
    </service>
  </services>
</system.serviceModel>
![Page 24: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/24.jpg)
Setting the Security Mode
2. Select one of the security modes for the binding. Note that the binding you select determines the available mode choices.
You have three choices:
- Transport
- Message
- TransportWithMessageCredential
<wsHttpBinding>
  <binding name="wsHttp">
    <security mode="Message">
      <message clientCredentialType="UserName" />
    </security>
  </binding>
</wsHttpBinding>
![Page 25: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/25.jpg)
Transport
Transport security depends on the mechanism that the binding you've selected uses. For example, if you are using WSHttpBinding then the security mechanism is Secure Sockets Layer (SSL).
Pro: Generally speaking, good throughput no matter which transport you are using.
Con: Security is implemented in a hop-by-hop manner rather than end-to-end.
If you decide to use transport security for HTTP (in other words, HTTPS), you must also configure the host with an SSL certificate and enable SSL on a port.
![Page 26: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/26.jpg)
Message
Each message is encrypted.
Pros:
- End-to-end security
- Because the composition of the headers varies, you can include any number of credentials for interoperability
Con:
- Some overhead, since each message is encrypted.
![Page 27: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/27.jpg)
Setting the Client Credential Type
The choice of client credential type depends on the security mode in place. For transport security you can require a Windows credential or a certificate.
Message security supports any of the following settings for clientCredentialType:
- None
- Windows
- UserName
- Certificate
- IssuedToken
![Page 28: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/28.jpg)
Setting the Client Credential Type
This code snippet illustrates how to select a clientCredentialType for message security.
<wsHttpBinding>
  <binding name="wsHttp">
    <security mode="Message">
      <!-- Basic256 (AES) is WCF's default algorithmSuite; TripleDes is shown only to illustrate the attribute -->
      <message clientCredentialType="Windows"
               algorithmSuite="TripleDes" />
    </security>
  </binding>
</wsHttpBinding>
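The three steps from the "WCF Security" slide (security mode, client credential type, credential values) applied to the wsHttpBinding/UserName configuration above, written imperatively in C# as an added example that is not from the slides. It assumes the LunchLearn.ITestService and LunchLearn.TestService types named in the earlier config exist; the certificate subject name and the demo credential check are placeholders.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical validator for step 3 (credential values). Failing by throwing
// SecurityTokenException makes WCF reject the message with a generic fault.
public class DemoUserNameValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            throw new SecurityTokenException("Missing credentials.");
        // Placeholder check only: a real validator verifies against a directory or
        // a salted password hash, never against a constant in source.
        if (!(userName == "demo" && password == "demo-placeholder"))
            throw new SecurityTokenException("Unknown user name or incorrect password.");
    }
}

public static class SecureHostSetup
{
    public static ServiceHost Build()
    {
        // Step 1: the binding fixes the transport (HTTP for WSHttpBinding).
        var binding = new WSHttpBinding();
        // Step 2: security mode, equivalent to <security mode="Message">.
        binding.Security.Mode = SecurityMode.Message;
        // Step 3a: client credential type, equivalent to clientCredentialType="UserName".
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        var host = new ServiceHost(typeof(LunchLearn.TestService),
                                   new Uri("http://localhost:8001/TestService"));
        host.AddServiceEndpoint(typeof(LunchLearn.ITestService), binding, "");
        // Message security encrypts to the service's certificate, so one must be set.
        // "TestServiceCert" is a placeholder subject name.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "TestServiceCert");
        // Step 3b: credential values are checked by our validator instead of Windows.
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator =
            new DemoUserNameValidator();
        return host;
    }
}
```

On the client side the matching credential values are supplied through client.ClientCredentials.UserName.UserName and .Password before the first call.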
![Page 29: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/29.jpg)
Role-Based Authorization
The identity of the caller is attached to the executing request thread in the form of a security principal, accessible through the CurrentPrincipal property.
System.Threading.Thread.CurrentPrincipal implements System.Security.Principal.IPrincipal.
This interface has two members:
- A read-only Identity property that returns a reference to the IIdentity for the request.
- IsInRole(); when invoked, it uses the configured RoleProvider to check whether this identity is in the specified role.
![Page 30: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/30.jpg)
Role-Based Authorization
Using the PrincipalPermission Object
- Is the user authenticated?
- Is the user in a particular role?
- Is a particular user calling?

using System.Security.Permissions;

// Declarative: the demand runs before the method body; a caller outside the
// role gets a SecurityException, which WCF surfaces to the client as a fault.
[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
public string AdminsOnly() {
    // protected code
}

// Imperative form of the same check: code placed before Demand() runs for any caller.
public string AdminsOnly() {
    // unprotected code
    PrincipalPermission p = new PrincipalPermission(null, "Administrators");
    p.Demand();
    // protected code
}
![Page 31: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/31.jpg)
Claims-Based Identity Model
The identity model in WCF supports a rich, claims-based approach to authorization, which can add a welcome layer of granularity.
Claims can be proof of possession of information such as an e-mail address, birth date, or first and last name.
Custom claims can be created to indicate the ability to access specific business entities or their storage location.
![Page 32: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/32.jpg)
Claims-Based Identity Model
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.Security;
using System.ServiceModel;

ServiceSecurityContext security = OperationContext.Current.ServiceSecurityContext;
string user = security.PrimaryIdentity.Name;
string email = null;
// Only the first claim set is searched here; a caller may carry several.
IEnumerable<Claim> claims = security.AuthorizationContext.ClaimSets[0].FindClaims(
    ClaimTypes.Email, Rights.PossessProperty);
foreach (Claim c in claims) {
    email = c.Resource as string;
}
if (string.IsNullOrEmpty(user) || email == null) throw new SecurityException(
    "Unauthorized access. Email claim not found.");
![Page 33: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/33.jpg)
Sample Config
http://www.devx.com/codemag/Article/33342/1763?supportItem=6
![Page 34: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/34.jpg)
Impersonation
When Windows credentials are used, the service can be configured to impersonate callers so that the request thread operates under the impersonated Windows token.

using System.ServiceModel;

[OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
public string DoSomething() { ... }

- ImpersonationOption.NotAllowed: the caller will not be impersonated.
- ImpersonationOption.Allowed: the caller will be impersonated if a Windows credential is provided.
- ImpersonationOption.Required: the caller will be impersonated, and a Windows credential must be provided to support this.
![Page 35: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/35.jpg)
Impersonation
You can also set this for all operations declaratively:
<behaviors>
  <serviceBehaviors>
    <behavior name="serviceBehavior">
      <serviceAuthorization impersonateCallerForAllOperations="true"/>
    </behavior>
  </serviceBehaviors>
</behaviors>
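An added example, not from the slides, showing the narrower alternative to the attribute and the all-operations setting above: leaving Impersonation at its NotAllowed default and impersonating only around the one resource access that needs the caller's token. The IFileReader contract, the share path and the file-reading logic are hypothetical, and it assumes the client allows impersonation (ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation).

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IFileReader
{
    [OperationContract]
    string ReadFirstLine(string relativeName);
}

public class FileReader : IFileReader
{
    // Placeholder share path. The directory ACL, evaluated under the caller's token,
    // is what decides who may read which file.
    private const string Root = @"C:\LunchLearnShare";

    // Deliberately no [OperationBehavior(Impersonation = ...)]: the operation runs as the
    // host process identity and impersonates only around the one file access.
    public string ReadFirstLine(string relativeName)
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        WindowsIdentity caller = ctx == null ? null : ctx.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            throw new FaultException("A Windows credential is required for this operation.");

        // Refuse names that escape the share before touching the file system.
        string fullPath = Path.GetFullPath(Path.Combine(Root, relativeName));
        if (!fullPath.StartsWith(Root + Path.DirectorySeparatorChar,
                                 StringComparison.OrdinalIgnoreCase))
            throw new FaultException("Invalid file name.");

        // The impersonation context is reverted on Dispose, including when File.ReadAllLines
        // throws UnauthorizedAccessException because the ACL denies the caller.
        using (WindowsImpersonationContext impersonation = caller.Impersonate())
        {
            string[] lines = File.ReadAllLines(fullPath);
            return lines.Length > 0 ? lines[0] : string.Empty;
        }
    }
}
```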
![Page 36: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/36.jpg)
Summary
Which binding to use:
WSHttpBinding – Default security for message encryption
BasicHttpBinding
NetMsmqBinding
![Page 37: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/37.jpg)
Questions?
Slides re-used from http://blogesh.wordpress.com/2009/02/11/wcf-presentation-slides/
![Page 38: Lunch Learn - WCF Security](https://reader034.vdocument.in/reader034/viewer/2022050808/55a8dbb81a28abb93e8b47f0/html5/thumbnails/38.jpg)
RSM McGladrey, Inc.
80 City Square
Boston, MA 02129
www.mcgladrey.com