When building Web services, you can perform authentication and encryption at two points when sending and receiving messages: at the transport level and at the message level.
Transport-Level Security
Transport-level authentication is typically implemented at the operating system level. A service can specify the type of credentials it requires, but it is the operating system's responsibility to ensure that the correct credentials are provided and to validate them.
Many communications protocols can encrypt and decrypt data as it is sent and received:
- HTTPS uses Secure Sockets Layer (SSL) to encrypt and decrypt data by using keys provided in certificates.
- Because all this happens at the transport level, it is transparent to the client application and the service.
- The TCP protocol can use Transport Layer Security (TLS); the TCP bindings in WCF make use of TLS automatically.
- Named pipes also support transport-level security but not message-level security.
Message-Level Security
- The client and the service encrypt and decrypt messages themselves, using an agreed encryption algorithm and a negotiated set of encryption keys. Standards such as the WS-Security specification from OASIS describe the message-level security schemes that many Web services implementations have adopted.
Transport-Level Security vs. Message-Level Security
Transport-level security has the advantage over message-level security in that it can often rely on hardware support and can be very efficient; encrypting and decrypting data can be a resource-intensive process, so anything that improves performance is very welcome. Additionally, transport-level authentication checks are enforced before the client application actually starts sending application-level messages, so performing authentication at this level detects authentication failures more quickly and with less network overhead.
The primary disadvantage of transport-level security is that it operates on a point-to-point basis: by the time the service receives a message, it has already been decrypted by the underlying transport mechanism. In a situation where a service should simply forward a message on to another service rather than process it, the intermediate service has full access to the message contents, meaning that the service could modify the message or extract confidential information before forwarding it. Using message-level encryption can help to mitigate this problem, because message-level security provides end-to-end encryption: only the final recipient that holds the key can read the message body.
Implementing Security in a Windows Domain
1) Protecting a TCP Service at the Message Level
- Configure message tracing for the WCF service (messageLogging settings):
  - LogEntireMessage
  - LogMessagesAtServiceLevel
  - LogMessagesAtTransportLevel
Verification: in Service Trace Viewer, a message logged at the service level is readable while the same message logged at the transport level shows an encrypted body, which confirms that the message, not just the connection, is protected.
Code Hint (Service Configuration)
2)Protecting an HTTP Service at the Transport Level
- Configure the WCF HTTP Endpoint with an SSL Certificate
- Add a certificate: makecert -sr LocalMachine -ss My -n CN=HTTPS-Server -sky exchange -sk HTTPS-Key
- Bind the certificate (identified by its thumbprint) to the port: netsh http add sslcert ipport=0.0.0.0:8000 certhash=82e8568ba2689c24db66d392e06c6995f19afdc9 appid={00112233-4455-6677-8899-AABBCCDDEEFF}
3)Protecting an HTTP Service at the Message Level
- BasicHttpBinding. In this mode, the service uses SOAP message-level security to encrypt the message. The service must have a certificate installed, and the client uses the public key from the service's certificate to perform the encryption. The service can send the certificate containing its public key at the start of the message exchange, or an administrator can install the service certificate on the client computer before the client application runs.
- If you really want to implement message-level security for a WCF service with the minimum of fuss and configuration, you can opt to use the WS2007HttpBinding binding. The WS2007HttpBinding binding conforms to the current WS-* specifications and follows the WS-Security specification for encrypting messages and authenticating users by default.
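Sections 1 and 3 above both configure message-level security, once on a TCP binding for callers inside the domain and once on WS2007HttpBinding for external callers. The host below is an added example, not code from the page: it exposes one contract on both kinds of endpoint in code rather than in app.config. IProductsService and ProductsServiceImpl are assumed to exist, the port numbers are constructed, and the certificate subject "HTTPS-Server" is the one created with makecert in section 2.

```csharp
// Added example (not the page's own code): one ServiceHost, two message-level
// secured endpoints. IProductsService, ProductsServiceImpl and the port numbers
// are assumptions; "HTTPS-Server" is the makecert subject from section 2.
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

class MessageSecurityHost
{
    static void Main()
    {
        using (var host = new ServiceHost(typeof(ProductsServiceImpl)))
        {
            // Section 1: TCP inside the domain. SecurityMode.Message means WCF,
            // not the TCP channel, signs and encrypts the SOAP body, and the caller
            // is authenticated with Windows (Kerberos/NTLM) credentials carried in
            // the message itself.
            var tcp = new NetTcpBinding();
            tcp.Security.Mode = SecurityMode.Message;
            tcp.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
            host.AddServiceEndpoint(typeof(IProductsService), tcp,
                "net.tcp://localhost:8080/ProductsService");

            // Section 3: WS2007HttpBinding for clients outside the domain. Message
            // mode with UserName credentials: the client encrypts with the public
            // key from the service certificate, so the host must be told which
            // certificate that is.
            var ws = new WS2007HttpBinding(SecurityMode.Message);
            ws.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
            host.AddServiceEndpoint(typeof(IProductsService), ws,
                "http://localhost:8010/ProductsService");

            host.Credentials.ServiceCertificate.SetCertificate(
                StoreLocation.LocalMachine, StoreName.My,
                X509FindType.FindBySubjectName, "HTTPS-Server");

            // UserName tokens are checked against Windows accounts (the default);
            // stated explicitly so a reviewer can see no custom validator is in play.
            host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
                UserNamePasswordValidationMode.Windows;

            host.Open();
            Console.WriteLine("Listening; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

With the message tracing from section 1 switched on, the service-level log for either endpoint shows the plaintext SOAP body while the transport-level log shows an EncryptedData element in its place; that difference is the check that message-level security, rather than only the connection, is protecting the payload. A client of the WS2007HttpBinding endpoint must trust the self-signed "HTTPS-Server" certificate, which is done by installing it in the client's Trusted People store and using PeerTrust validation, not by turning certificate validation off.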
4)Authenticating Windows Users
Authenticate a user when the client application and the service are both running within the same Windows domain.
- Basic authentication: Basic authentication is a good solution if the user running the client application is not currently logged in to the security domain used by the service. However, if the user is logged in to the domain, you can make use of Windows Integrated Security to provide the user's credentials automatically, rather than prompting the user for them again.
Note: if you are implementing Basic authentication, user names and passwords are not encrypted at the message level, so WCF insists that you configure the underlying transport to provide encryption to prevent the credential details from being transmitted across an open network as clear text.
Code (client side, supplying Basic credentials in code; the endpoint name refers to the BasicHttpBinding endpoint in the client configuration):
    ProductsServiceClient proxy = new ProductsServiceClient("BasicHttpBinding_IProductsService");
    proxy.ClientCredentials.UserName.UserName = "Domain\\UserName";
    proxy.ClientCredentials.UserName.Password = "Password";
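Sections 2 and 4 together describe Basic authentication over an SSL-protected HTTP endpoint. The following is an added example, not the page's or the project's own code, showing the service-side binding that the client snippet above expects, plus a ChannelFactory client for the case where no generated proxy class exists. IProductsService and ProductsServiceImpl are assumed; the host name HTTPS-Server matches the certificate subject from section 2 and port 8000 matches the netsh binding there.

```csharp
// Added example (not the page's own code): Basic authentication over HTTPS with
// BasicHttpBinding, service side and client side. IProductsService and
// ProductsServiceImpl are assumed; host name and port follow section 2.
using System;
using System.ServiceModel;

static class BasicOverTransport
{
    // Service side. BasicHttpSecurityMode.Transport puts SSL/TLS on the wire;
    // HttpClientCredentialType.Basic makes the endpoint demand a user name and
    // password in the HTTP Authorization header.
    public static ServiceHost OpenHost()
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;

        var host = new ServiceHost(typeof(ProductsServiceImpl));
        // The address must use https://. Transport mode rejects a plain http://
        // address with a URI-scheme error at Open(), which is how WCF enforces
        // the note above: Basic credentials never travel in clear text.
        host.AddServiceEndpoint(typeof(IProductsService), binding,
            "https://localhost:8000/ProductsService");
        host.Open();
        return host;
    }

    // Client side: the same binding settings, with credentials supplied in code
    // rather than prompted for. Equivalent to the proxy snippet above.
    public static IProductsService CreateClient(string user, string password)
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;

        // Host name must match the certificate subject (CN=HTTPS-Server), otherwise
        // the client's certificate validation fails before any credential is sent.
        var factory = new ChannelFactory<IProductsService>(binding,
            new EndpointAddress("https://HTTPS-Server:8000/ProductsService"));
        factory.Credentials.UserName.UserName = user;      // e.g. "Domain\\UserName"
        factory.Credentials.UserName.Password = password;
        return factory.CreateChannel();
    }
}
```

Calling OpenHost() on the machine where the netsh sslcert binding was made and CreateClient("Domain\\UserName", "Password") from a domain client reproduces the exchange in section 4. Because the credential is checked by HTTP.SYS and the operating system before any SOAP message is processed, a wrong password surfaces as an HTTP 401 on the first request, which is the quicker, cheaper failure the transport-level discussion above refers to.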
Configuration Service:
5)Authorizing Users
6)Using Impersonation to Access Resources
By default, the service will attempt to gain access to these resources by using its own credentials (the account hosting the service). When using Windows authentication, it is possible to specify that the WCF service should access resources by using the authenticated identity of the user instead (the client account).
Using impersonation gives an administrator fine-grained control over the ability of a WCF service to read or write possibly sensitive information and can provide an additional degree of security: just because the user can connect to the WCF service, they might not be able to perform operations that retrieve or modify confidential data unless the administrator has explicitly granted the user access to this data.
    // Role demand is checked first; Impersonation=Required then runs the body under the caller's Windows identity.
    [PrincipalPermission(SecurityAction.Demand, Role = "WarehouseStaff")]
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public List<string> ListProducts()   // element type assumed: the page shows only List
    {
        ...
    }
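The attributes above express the policy; what they do not show is the evidence that impersonation actually took effect, or the client-side setting without which it silently cannot. The following is an added example, not the page's or the project's own code, that fills in both. IProductsService is assumed, the connection string and table name are placeholders, and the List element type is assumed to be string.

```csharp
// Added example (not the page's own code): an operation restricted to the
// WarehouseStaff role that runs as the caller, plus the client setting that
// permits impersonation. IProductsService, the connection string and the table
// name are assumptions/placeholders.
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;

public class ProductsServiceImpl : IProductsService
{
    // Demand: with the default PrincipalPermissionMode (UseWindowsGroups) WCF maps
    // the caller's Windows groups to roles and faults the call before the body
    // runs if the caller is not in WarehouseStaff.
    // Impersonation=Required: the thread token is switched to the caller, so every
    // Windows and SQL Server access check below is made against the user, not the
    // account hosting the service.
    [PrincipalPermission(SecurityAction.Demand, Role = "WarehouseStaff")]
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public List<string> ListProducts()
    {
        // Sanity check that impersonation is in effect: the identity on the thread
        // must now be the authenticated caller recorded in the security context.
        string threadUser = WindowsIdentity.GetCurrent().Name;
        string caller = ServiceSecurityContext.Current.WindowsIdentity.Name;
        if (threadUser != caller)
            throw new FaultException("Operation is not running as the caller");

        var products = new List<string>();
        // Integrated Security=SSPI: SQL Server sees the impersonated user, so the
        // grants the DBA gave that user (not the service account) decide the outcome.
        using (var conn = new SqlConnection(
            "Server=DB-PLACEHOLDER;Database=DB-PLACEHOLDER;Integrated Security=SSPI"))
        using (var cmd = new SqlCommand("SELECT ProductNumber FROM Products", conn)) // table assumed
        {
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read())
                    products.Add(reader.GetString(0));
        }
        return products;
    }
}

public static class ImpersonationClient
{
    // Client side: the service may only impersonate if the client allows it. The
    // default level, Identification, lets the service learn who called but not act
    // as them, and ListProducts then fails with an access-denied fault.
    public static IProductsService Create(System.ServiceModel.Channels.Binding binding, string address)
    {
        var factory = new ChannelFactory<IProductsService>(binding, new EndpointAddress(address));
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
        return factory.CreateChannel();
    }
}
```

The binding passed to ImpersonationClient.Create must authenticate with Windows credentials (for example the NetTcpBinding with Message security from section 1). Impersonation covers resources on the service's own machine; if SQL Server runs on a different computer, the impersonated token cannot make a second network hop unless the client grants TokenImpersonationLevel.Delegation and the service account is trusted for (constrained) delegation in Active Directory, so treat an unexpected "login failed for NT AUTHORITY\ANONYMOUS LOGON" from SQL Server as that delegation gap rather than a database problem.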
If you are deploying services that are accessible only inside an organization, you can use the NetTcpBinding or NetNamedPipeBinding bindings and implement transport-level security. However, if a service is intended to be accessible both inside an organization and externally, you may choose to provide a NetTcpBinding binding and a binding based on the HTTP protocol (either the BasicHttpBinding or WS2007HttpBinding binding), and implement either transport-level or message-level security, depending on the requirements of your service and the need to maintain compatibility with existing client applications and services.
If you are building a WCF service that must be compatible with client applications and services that conform to the Basic Profile 1.1, you should use the BasicHttpBinding binding and configure it to use Basic authentication over transport-level security if authentication is required. If you need to build a service that conforms to the requirements of the WS-Security specification, you should use the WS2007HttpBinding binding and configure message-level security.