Windows® Communication Foundation
Module 8: Implementing WCF Security
• Overview of Security in WCF
• Authentication Mechanisms
• Authorization Mechanisms
• Federated Security
Security Objectives in WCF
Diagram (security objectives): a user holds credentials in memory (Fred / My_Pa$$wd); the parties involved are a DC, an STS and a CA; authentication works both ways.
Authorization Mechanisms
Claims-based model
Provides more fine-grained control than role-based model
2. Decrypt the checksum carried in the message
3. Recalculate the checksum over the received content
4. Compare the two checksums: are they equal?
Delivering Message-Level Confidentiality
Diagram: receiver's certificate -> receiver's public key; message content + symmetric session keys -> encrypted message content; encrypted message -> message channel.
Applying Security in WCF
Diagram: credentials required (Fred / MyPa$$wd)
Lesson: Applying Overall Security Requirements to a Binding
• Security Modes for Bindings
None
Transport
Message
Both
TransportWithMessageCredential
TransportCredentialOnly
<system.serviceModel>
  <services>
    <service name="BankService">
      <endpoint address="http://localhost:8080/BankService"
                contract="IBankService"
                binding="basicHttpBinding"/>
    </service>
  </services>
</system.serviceModel>
Point-to-point protection
// BasicHttpBinding takes a BasicHttpSecurityMode, not the SecurityMode enum used by WSHttpBinding
BasicHttpBinding binding =
    new BasicHttpBinding(BasicHttpSecurityMode.Transport);
OR
binding.Security.Mode = BasicHttpSecurityMode.Transport;
Applying Security Mode Through Configuration
<system.serviceModel>
  <services>
    <service name="BankService">
      <!-- Transport mode requires an https address; WCF refuses to open the host over plain http -->
      <endpoint address="https://localhost:8080/BankService"
                contract="IBankService"
                binding="basicHttpBinding"
                bindingConfiguration="myBasicHttpBindingConfig"/>
    </service>
  </services>
  <!-- the bindings section belongs inside system.serviceModel -->
  <bindings>
    <basicHttpBinding>
      <binding name="myBasicHttpBindingConfig">
        <security mode="Transport"/>
      </binding>
    </basicHttpBinding>
  </bindings>
</system.serviceModel>
Message-Level Security Mode
End-to-end protection
<basicHttpBinding>
  <binding name="bankInteropBinding">
    <security mode="Message">
      <message clientCredentialType="Certificate"
               algorithmSuite="Basic256Rsa15"/>
    </security>
  </binding>
</basicHttpBinding>
Selecting Security Modes for Bindings
For example, the ProtectionLevel values None, Sign and EncryptAndSign:
[ServiceContract(Namespace="http://myuri.org/Simple",
                 ProtectionLevel=ProtectionLevel.None)]
public interface IBank
{
    …
}
Web Service Security
<basicHttpBinding>
  <binding name="AnonymousHttpBinding">
    <security mode="Transport">
      <transport clientCredentialType="None"/>
    </security>
  </binding>
</basicHttpBinding>
• Requiring Credentials
• Supplying Credentials
Represented by:
• the clientCredentialType attribute of the transport element in the configuration file
• the XXXTransportSecurity.ClientCredentialType property on the binding and the XXXClientCredentialType enumeration in code (XXX stands for the binding-specific prefix; for basicHttpBinding these are HttpTransportSecurity and HttpClientCredentialType)
Message-Level Client Credential Types
None
UserName
Windows
IssuedToken
Certificate
Represented by:
• the clientCredentialType attribute of the message element in the configuration file
• the XXXMessageSecurity.ClientCredentialType property on the binding and the XXXCredentialType enumeration in code (for basicHttpBinding these are BasicHttpMessageSecurity and BasicHttpMessageCredentialType)
Requiring Credentials
Specified through configuration or programmatically
<bindings>
  <basicHttpBinding>
    <binding name="myBasicHttpBindingConfig">
      <security mode="Transport">
        <transport clientCredentialType="Windows"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
BasicHttpBinding binding =
    new BasicHttpBinding(BasicHttpSecurityMode.Transport);
// Keep Transport mode in force: with Mode = None the transport credential
// type below is never requested and the Windows credential is not required.
binding.Security.Mode = BasicHttpSecurityMode.Transport;
binding.Security.Transport.ClientCredentialType =
    HttpClientCredentialType.Windows;
Supplying Credentials
// Proxy: "proxy" is the generated client instance (derived from ClientBase<IBankService>)
proxy.ClientCredentials.UserName.UserName = "Fred";
proxy.ClientCredentials.UserName.Password = "My_Pa$$wd";

// Channel factory: credentials are set on the factory before a channel is created
ChannelFactory<IBankService> factory =
    new ChannelFactory<IBankService>();
factory.Credentials.UserName.UserName = "Fred";
factory.Credentials.UserName.Password = "My_Pa$$wd";
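As an added example (not code from the course slides), the client-side setup that combines the binding choice with credential supply, plus a pre-flight check that refuses mode/address combinations which would put the UserName credential on an unencrypted channel. The IBankService contract, the CredentialsProtected helper and the https endpoint are assumptions for this example.

```csharp
using System;
using System.ServiceModel;

// Contract assumed for the example; mirrors the IBankService named in the slides.
[ServiceContract]
public interface IBankService
{
    [OperationContract]
    void Deposit(string account, decimal amount);
}

public static class SecureClientSetup
{
    // UserName credentials travel inside the message, over a TLS-protected transport.
    public static BasicHttpBinding CreateBinding()
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
        return binding;
    }
    // Pre-flight check (hypothetical helper): true only when the configured mode and
    // address together keep the client credential off an unencrypted channel.
    public static bool CredentialsProtected(BasicHttpBinding binding, Uri address)
    {
        switch (binding.Security.Mode)
        {
            case BasicHttpSecurityMode.Message:
                return true;   // credential is encrypted inside the SOAP envelope
            case BasicHttpSecurityMode.Transport:
            case BasicHttpSecurityMode.TransportWithMessageCredential:
                return address.Scheme == Uri.UriSchemeHttps;   // needs TLS underneath
            case BasicHttpSecurityMode.TransportCredentialOnly:
                return false;  // HTTP credential is sent without transport protection
            default:           // None: no credential is requested, so none should be configured
                return binding.Security.Transport.ClientCredentialType == HttpClientCredentialType.None;
        }
    }
    public static ChannelFactory<IBankService> CreateFactory(string url, string user, string password)
    {
        var address = new Uri(url);
        var binding = CreateBinding();
        if (!CredentialsProtected(binding, address))
            throw new InvalidOperationException("Credentials would be exposed on " + url);
        var factory = new ChannelFactory<IBankService>(binding, new EndpointAddress(address));
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        return factory;
    }
}
```

Calling CreateFactory with an http:// URL throws before any channel is opened, while an https:// URL yields a factory whose channels carry the credential inside the TLS-protected message.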
• Impersonation
The caller's identity is exposed by ServiceSecurityContext through the PrimaryIdentity property (an IIdentity) or, when Windows credentials were used, the WindowsIdentity property (a WindowsIdentity).
Example of custom authorization code
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;

// Custom ServiceAuthorizationManager: grants access only when a system-issued
// claim set carries an allowedoperation claim matching the requested action.
public class OperationAuthorizationManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        string actionUri =
            operationContext.RequestContext.RequestMessage.Headers.Action;
        AuthorizationContext authContext =
            operationContext.ServiceSecurityContext.AuthorizationContext;
        foreach (ClaimSet cs in authContext.ClaimSets)
        {
            if (cs.Issuer == ClaimSet.System)   // trust only system-issued claim sets
            {
                foreach (Claim c in
                    cs.FindClaims("http://example.org/claims/allowedoperation",
                                  Rights.PossessProperty))
                {
                    if (actionUri == c.Resource.ToString())
                        return true;
                }
            }
        }
        // Deny by default; returning false inside the loop would stop after the first claim set
        return false;
    }
}
Impersonation
// Impersonation is a named property of OperationBehaviorAttribute, not a constructor argument
[OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
public void Deposit(string account, decimal amount)
{
    ...
}
Logon information: password Pa$$w0rd
• Best Practices
• Tools