
Visual Studio® 2008: Windows® Communication Foundation
Module 8: Implementing WCF Security
• Overview of Security in WCF

• Applying Overall Security Requirements to a Binding

• Specifying Required Client and Service Credentials

• Working with Security Information


Lesson: Overview of Security in WCF
• Security Objectives in WCF

• Authentication Mechanisms

• Authorization Mechanisms

• Claims-Based Security in WCF

• Integrity and Confidentiality

• Delivering Message-Level Integrity

• Delivering Message-Level Confidentiality

• Delivering Transport-Level Confidentiality

• Applying Security in WCF

• Federated Security
Security Objectives in WCF

Authentication: Make sure you know who you are talking to
Authorization: Control access to resources and information
Integrity: Detect tampering or corruption of messages
Confidentiality: Keep message contents secret

Use these measures to define a security policy


Authentication Mechanisms

[Figure: four credential types and the authority each comes from]
User name and password: from the user's memory (e.g. Fred / My_Pa$$wd)
Windows token: from a domain controller (DC)
Issued token: from a security token service (STS)
Certificate: from a certificate authority (CA)

Authentication works both ways
Authorization Mechanisms

• Support provided for existing mechanisms: Windows roles, ASP.NET roles, custom authorization

• Accessible in services through standard .NET Framework security classes and interfaces

• Claims-based mechanism introduced in WCF
Claims-Based Security in WCF

Claims-based model:
Provides more fine-grained control than the role-based model
Separates out the individual elements of a request for authentication, including the basis on which they are made
Allows or denies access in the presence of particular claims
Supported through WCF classes
Can be used as a common mechanism for authorization

Integrity and Confidentiality

• Focus on protecting the data in the message

• Can specify requirements at transport level and message level

• Important difference between transport-level and message-level security:
Transport-level protects data point-to-point
Message-level protects data end-to-end

Delivering Message-Level Integrity

[Figure: the sender computes a checksum of the message content, encrypts it with the sender's private key, and sends the message content together with the encrypted checksum and the sender's certificate]

Receiver:
1. Extract sender's public key from certificate
2. Decrypt checksum in message
3. Recalculate checksum
4. Compare checksums: equal?
Delivering Message-Level Confidentiality

[Figure: the sender takes the receiver's public key from the receiver's certificate and encrypts the message content with it; the receiver decrypts the message content with the receiver's private key]

Confidentiality ensures integrity
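The two slides above describe the primitives WCF applies through WS-Security: a checksum signed with the sender's private key (integrity) and content encrypted with the receiver's public key (confidentiality). The following is an added example, not code from the course, that carries those steps out with the .NET RSA API so the four-step verification and the effect of tampering can be observed directly. It assumes .NET 6 or later; the key pairs and the sample message are constructed for illustration and stand in for keys that would normally come from certificates.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the course): message-level integrity and
// confidentiality with RSA. Keys are generated in memory instead of being
// read from certificates.
public static class MessageProtection
{
    // Sender: hash the content (the "checksum") and sign the hash with the
    // sender's private key.
    public static byte[] Sign(RSA senderPrivateKey, byte[] content) =>
        senderPrivateKey.SignData(content, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    // Receiver, steps 1-4 of the integrity slide: VerifyData applies the
    // sender's public key to the signed checksum, recomputes the checksum
    // over the received content and compares the two.
    public static bool Verify(RSA senderPublicKey, byte[] content, byte[] signature) =>
        senderPublicKey.VerifyData(content, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    // Sender: encrypt the content with the receiver's public key.
    public static byte[] Encrypt(RSA receiverPublicKey, byte[] content) =>
        receiverPublicKey.Encrypt(content, RSAEncryptionPadding.OaepSHA256);

    // Receiver: decrypt the content with the receiver's private key.
    public static byte[] Decrypt(RSA receiverPrivateKey, byte[] ciphertext) =>
        receiverPrivateKey.Decrypt(ciphertext, RSAEncryptionPadding.OaepSHA256);

    // The public half of a key pair, as the other party would extract it
    // from a certificate (step 1 of the integrity slide).
    public static RSA PublicHalf(RSA keyPair)
    {
        RSA pub = RSA.Create();
        pub.ImportParameters(keyPair.ExportParameters(false));
        return pub;
    }

    public static void Main()
    {
        using (RSA sender = RSA.Create(2048))
        using (RSA receiver = RSA.Create(2048))
        using (RSA senderPublic = PublicHalf(sender))
        using (RSA receiverPublic = PublicHalf(receiver))
        {
            // Constructed sample message content.
            byte[] content = Encoding.UTF8.GetBytes("Deposit 100 to account 42");

            // Sender side: sign for integrity, encrypt for confidentiality.
            byte[] signature = Sign(sender, content);
            byte[] encrypted = Encrypt(receiverPublic, content);

            // Receiver side: decrypt, then verify the signature over what was received.
            byte[] received = Decrypt(receiver, encrypted);
            Console.WriteLine("Decrypted: " + Encoding.UTF8.GetString(received));
            Console.WriteLine("Signature valid: " + Verify(senderPublic, received, signature));

            // Tampering in transit: flip one bit of the content and verify again.
            received[0] ^= 0x01;
            Console.WriteLine("Signature valid after tampering: " + Verify(senderPublic, received, signature));
        }
    }
}
```

The signature is computed over the plaintext and checked after decryption, which is the order the two slides imply (sign with the sender's key, encrypt for the receiver). RSA-OAEP on its own only fits short content; WCF's message security, like the transport-level slide that follows, wraps a symmetric key with the public key and encrypts the body with that key.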


Delivering Transport-Level Confidentiality

[Figure: symmetric session keys are exchanged by using the public/private keys from the certificate(s); the message content then travels over an encrypted channel]
Applying Security in WCF

Security policy for a given service is defined by the endpoint binding:
Transport security mechanism
Credentials required
Options available for negotiation

Behaviors specify authentication and authorization policies

Access to these mechanisms is available programmatically or through configuration
Federated Security

[Figure: a Blue Realm and a Red Realm, each with its own security token service (Blue STS, Red STS), joined by a trust relationship; the user Fred (MyPa$$wd) authenticates in the Blue Realm]
Lesson: Applying Overall Security Requirements to a Binding
• Security Modes for Bindings

• Applying Default Security Settings

• Transport-Level Security Mode

• Applying Security Mode Through Configuration

• Message-Level Security Mode

• Selecting Security Modes for Bindings

• Requiring a Protection Level

• Web Service Security

• Protecting Connections to Older Web Services

• Internet Security for Older Web Services


Security Modes for Bindings

Six possible values for security mode:
None
Transport
Message
Both
TransportWithMessageCredential
TransportCredentialOnly

Set by using the mode attribute of the security element in the configuration file

Represented in code by Binding.Security.Mode and the SecurityMode enumeration
Applying Default Security Settings

All bindings have their own defaults

<system.serviceModel>
  <services>
    <service name="BankService">
      <endpoint address="http://localhost:8080/BankService"
                contract="IBankService"
                binding="basicHttpBinding"/>
    </service>
  </services>
</system.serviceModel>

No security is configured, so the basicHttpBinding default applies: security mode = "None"


Transport-Level Security Mode

Select transport-level protection for a binding in code or by using the configuration file

WCF uses transport protocol–specific capabilities to protect message contents

Point-to-point protection

Use protection level for some protocols to adjust the level of security

// The BasicHttpBinding constructor takes a BasicHttpSecurityMode value
BasicHttpBinding binding =
    new BasicHttpBinding(BasicHttpSecurityMode.Transport);

OR

binding.Security.Mode = BasicHttpSecurityMode.Transport;
Applying Security Mode Through Configuration

Alter security settings by modifying the security property of the binding configuration

<system.serviceModel>
  <services>
    <service name="BankService">
      <endpoint address="http://localhost:8080/BankService"
                contract="IBankService"
                binding="basicHttpBinding"
                bindingConfiguration="myBasicHttpBindingConfig"/>
    </service>
  </services>

  <bindings>
    <basicHttpBinding>
      <binding name="myBasicHttpBindingConfig">
        <security mode="Transport"/>
      </binding>
    </basicHttpBinding>
  </bindings>
</system.serviceModel>
Message-Level Security Mode

Select message-level protection for a binding in code or by using the configuration file

WCF uses WS-Security protocols to encrypt and sign the message

End-to-end protection

Define which algorithm is used to encrypt message contents and create checksums

<basicHttpBinding>
  <binding name="bankInteropBinding">
    <security mode="Message">
      <message clientCredentialType="Certificate"
               algorithmSuite="Basic256Rsa15"/>
    </security>
  </binding>
</basicHttpBinding>
Selecting Security Modes for Bindings

Not all binding and security mode combinations work or make sense

For example:

WSDualHttpBinding provides only message-level security

NetNamedPipeBinding provides only transport-level security


Requiring a Protection Level

Define the level of protection required for an operation:
None
Sign
EncryptAndSign

Enforce through contract attributes

[ServiceContract(Namespace="http://myuri.org/Simple",
                 ProtectionLevel=ProtectionLevel.None)]
public interface IBank
{

}
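ProtectionLevel can be set on the contract and overridden per operation, and the effective level is what WCF enforces against the binding. The following added example, not code from the course, shows a contract whose default is Sign with one operation raised to EncryptAndSign, and a check that reads the effective level of each operation back from the ContractDescription so it can be confirmed before deployment. It assumes .NET Framework with System.ServiceModel referenced; IBank, its operations and the namespace URI are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Description;

// Added example (not from the course). Contract-level default is Sign;
// the operation that carries money requires encryption as well.
[ServiceContract(Namespace = "http://myuri.org/Simple",
                 ProtectionLevel = ProtectionLevel.Sign)]
public interface IBank
{
    // No operation-level setting: inherits Sign from the contract.
    [OperationContract]
    decimal GetBalance(string account);

    // Account number and amount must not travel in the clear.
    [OperationContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
    void Deposit(string account, decimal amount);
}

public static class ProtectionLevelCheck
{
    // Returns the effective protection level of every operation on a contract,
    // falling back to the contract-level value where an operation sets none.
    public static IDictionary<string, ProtectionLevel> EffectiveLevels(Type contractType)
    {
        var result = new Dictionary<string, ProtectionLevel>();
        ContractDescription contract = ContractDescription.GetContract(contractType);
        foreach (OperationDescription op in contract.Operations)
        {
            result[op.Name] = op.HasProtectionLevel
                ? op.ProtectionLevel
                : contract.ProtectionLevel;
        }
        return result;
    }

    public static void Main()
    {
        foreach (KeyValuePair<string, ProtectionLevel> kv in EffectiveLevels(typeof(IBank)))
            Console.WriteLine(kv.Key + ": " + kv.Value);
    }
}
```

Running the check against a contract before hosting it is a cheap way to catch an operation that was meant to be encrypted but only inherited Sign; a binding whose security mode is None will fail to open against any level above None, which is the enforcement the slide refers to.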
Web Service Security

• WS-SecurityPolicy describes security policy in a way suitable for a client to determine what it must do to communicate with the service

• Security information is exposed by using metadata

• Tools that consume metadata reflect the security requirements in the binding and configuration

• The level of sophistication of the service determines whether you have access to this policy information in the metadata
Protecting Connections to Older Web Services

Options are governed by what the older service or client requires

You may find some simple intranet services or clients with no security

In this case you can use:
basicHttpBinding
No specific binding configuration

Internet Security for Older Web Services

Transport security provided by HTTPS by using basicHttpBinding

Basic form with anonymous client:

<basicHttpBinding>
  <binding name="AnonymousHttpBinding">
    <security mode="Transport">
      <transport clientCredentialType="None"/>
    </security>
  </binding>
</basicHttpBinding>

Transport with credentials:

Username: <transport clientCredentialType="Basic"/>

Certificate: <transport clientCredentialType="Certificate"/>


Lesson: Specifying Required Client and Service Credentials
• Transport-Level Client Credential Types

• Message-Level Client Credential Types

• Requiring Credentials

• Supplying Credentials

• Supplying Credentials Programmatically

• Supplying Credentials by Using Behaviors

• Windows CardSpace and WCF Credentials

• Demonstration: Setting Security Modes and Credentials


Transport-Level Client Credential Types

Six possible transport-level client credential types:
None
Basic
Digest
NTLM
Windows
Certificate

Represented by:
clientCredentialType attribute of the transport element in the configuration file

XXXTransportSecurity.ClientCredentialType property on the binding and the XXXClientCredentialType enumeration in code
Message-Level Client Credential Types

Five possible message-level client credential types:
None
UserName
Windows
IssuedToken
Certificate

Represented by:
clientCredentialType attribute of the message element in the configuration file

XXXMessageSecurity.ClientCredentialType property on the binding and the XXXCredentialType enumeration in code
Requiring Credentials

Specified through configuration or programmatically

<bindings>
  <basicHttpBinding>
    <binding name="myBasicHttpBindingConfig">
      <security mode="Transport">
        <transport clientCredentialType="Windows"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

// The constructor takes a BasicHttpSecurityMode value
BasicHttpBinding binding =
    new BasicHttpBinding(BasicHttpSecurityMode.Transport);

// Transport mode must stay selected: a transport client credential type
// has no effect when the security mode is None
binding.Security.Mode = BasicHttpSecurityMode.Transport;

binding.Security.Transport.ClientCredentialType =
    HttpClientCredentialType.Windows;
Supplying Credentials

• Both client and service might supply credentials

• Credentials can be passed programmatically or through behaviors

• Using the programmatic approach gives dynamic control

• Using a behavior means that the developer does not have to write credential-handling code, and credentials can be supplied in the configuration file
Supplying Credentials Programmatically

Proxy and channel factory expose a ClientCredentials type

ClientCredentials has properties representing the different types of credential, e.g. UserName

Find these types in the System.ServiceModel.Description namespace

// Proxy
proxy.ClientCredentials.UserName.UserName = "Fred";
proxy.ClientCredentials.UserName.Password = "My_Pa$$wd";

// Channel factory
ChannelFactory<IBankService> factory =
    new ChannelFactory<IBankService>();
factory.Credentials.UserName.UserName = "Fred";
factory.Credentials.UserName.Password = "My_Pa$$wd";

Not usually done this way on the service side


Supplying Credentials by Using Behaviors

<system.serviceModel>
  <services>
    <service name="BankService">
      <endpoint address="http://localhost:8080/BankService"
                contract="IBankService"
                binding="basicHttpBinding"
                bindingConfiguration="myBasicHttpBindingConfig"
                behaviorConfiguration="bankServiceCredentialBehavior"/>
    </service>
  </services>

  <behaviors>
    <endpointBehaviors>
      <behavior name="bankServiceCredentialBehavior">
        <clientCredentials>
          <serviceCertificate>
            <defaultCertificate
                findValue="SubjectKey"
                storeLocation="LocalMachine"
                storeName="TrustedPublisher"
                x509FindType="FindBySubjectName"/>
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
</system.serviceModel>
Windows CardSpace and WCF Credentials

• Windows CardSpace introduced in .NET Framework 3.0 to manage digital identities

• A CardSpace information card defines a set of claims

• Cards can be personal or managed

• Use WSFederationHttpBinding with the issuer set to schemas.xmlsoap.org/ws/2005/05/identity/issuer/self

• Further discussion beyond the scope of this course
Demonstration: Setting Security Modes and Credentials
In this demonstration, you will see how to:
• Apply security requirements to a WCF service

• Provide credentials for authentication

Lesson: Working with Security Information
• Accessing Security Information in a Service

• Accessing Identity Information

• Enforcing Authorization Requirements

• Accessing Claims Programmatically

• Impersonation

• Demonstration: Accessing Security Information


Accessing Security Information in a Service

Use the ServiceSecurityContext:

Obtain this object through ServiceSecurityContext.Current or OperationContext.Current.ServiceSecurityContext

Represents client credentials on the server and server credentials on the client

Properties contain current security information:
PrimaryIdentity
WindowsIdentity
AuthorizationContext – includes access to ClaimSets

Accessing Identity Information

PrimaryIdentity property:

• Most information based on credentials supplied by client:
  - Equivalent to the thread's current security principal
  - Represented by System.Security.Principal.IIdentity, providing access to Name, IsAuthenticated and AuthenticationType

WindowsIdentity property:

• Windows identity matching the PrimaryIdentity, or anonymous

• Represented by System.Security.Principal.WindowsIdentity
Enforcing Authorization Requirements

Use role-based authorization:
Mechanism common across the .NET Framework; predates claims-based authorization
Determine if identity is in a given role
Defaults to Windows roles
Specify another role provider by using the serviceAuthorization service behavior, for example, ASP.NET roles

OR

Custom authorization based on claims


Accessing Claims Programmatically

Example of custom authorization code:

AuthorizationContext authContext =
    operationContext.ServiceSecurityContext.AuthorizationContext;

foreach (ClaimSet cs in authContext.ClaimSets)
{
    // Only trust claims issued by the system
    if (cs.Issuer == ClaimSet.System)
    {
        // Look for an allowedoperation claim whose resource is the action being called
        foreach (Claim c in
            cs.FindClaims("http://example.org/claims/allowedoperation",
                          Rights.PossessProperty))
        {
            if (actionUri == c.Resource.ToString())
                return true;
        }
    }
}

// No matching claim: deny access
return false;
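The snippet above is the body of a check that WCF can run before every operation. The following added example, not code from the course, places it in a ServiceAuthorizationManager subclass, which is where actionUri and operationContext come from: the WS-Addressing Action header of the request and the context WCF passes to CheckAccessCore. It also reads the PrimaryIdentity described on the Accessing Identity Information slide so each decision is logged with who made the call and how they authenticated. It assumes .NET Framework with System.ServiceModel and System.IdentityModel referenced; the claim type URI is the one from the slide, and the console logging is an illustration.

```csharp
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;

// Added example (not from the course): the slide's claim check wrapped in a
// ServiceAuthorizationManager so it runs for every incoming request.
public class AllowedOperationAuthorizationManager : ServiceAuthorizationManager
{
    private const string AllowedOperationClaim =
        "http://example.org/claims/allowedoperation";

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        // The Action header names the operation the caller is invoking.
        string actionUri = operationContext.RequestContext.RequestMessage.Headers.Action;

        ServiceSecurityContext securityContext = operationContext.ServiceSecurityContext;

        // Identity information from the slide: caller name and authentication type.
        Console.WriteLine("Caller: " + securityContext.PrimaryIdentity.Name +
                          " (" + securityContext.PrimaryIdentity.AuthenticationType + ")" +
                          ", action: " + actionUri);

        bool allowed = HasAllowedOperationClaim(securityContext.AuthorizationContext, actionUri);
        Console.WriteLine(allowed ? "Access granted" : "Access denied");
        return allowed;
    }

    // Same logic as the slide: only system-issued claim sets are trusted, and
    // the caller must possess an allowedoperation claim naming this action.
    public static bool HasAllowedOperationClaim(AuthorizationContext authContext, string actionUri)
    {
        foreach (ClaimSet cs in authContext.ClaimSets)
        {
            if (cs.Issuer != ClaimSet.System)
                continue;

            foreach (Claim c in cs.FindClaims(AllowedOperationClaim, Rights.PossessProperty))
            {
                if (actionUri == c.Resource.ToString())
                    return true;
            }
        }
        return false;
    }
}
```

The manager is registered through the serviceAuthorization service behavior (the serviceAuthorizationManagerType attribute takes the assembly-qualified type name), which is the same behavior the Enforcing Authorization Requirements slide uses to select a role provider. Denying by default when no claim matches keeps an operation that was forgotten in the claim issuance from being callable.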
Impersonation

Three levels of impersonation by using OperationBehavior:

NotAllowed: Never impersonate

Allowed: Impersonate if enabled and credentials supplied

Required: Always impersonate, so must have credentials

// Impersonation is a named property of OperationBehaviorAttribute
[OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
public void Deposit(string account, decimal amount)
{
    ...
}

Client can control impersonation by using AllowedImpersonationLevel
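Impersonation needs both sides to agree: the operation opts in with ImpersonationOption, and the client must grant a token level high enough for the service to use. The following added example, not code from the course, self-hosts a service whose operation is marked Allowed and calls it from a client that sets AllowedImpersonationLevel, returning the Windows identity the operation actually ran under. It assumes .NET Framework on Windows with System.ServiceModel referenced; IBankService, BankService and the net.tcp address are constructed for illustration.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;

// Added example (not from the course): service-side ImpersonationOption
// together with client-side AllowedImpersonationLevel.
[ServiceContract]
public interface IBankService
{
    [OperationContract]
    string WhoAmI();
}

public class BankService : IBankService
{
    // Allowed: impersonate the caller when the binding delivered Windows
    // credentials and the client permitted impersonation; otherwise the
    // operation runs under the host process account.
    [OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
    public string WhoAmI()
    {
        // GetCurrent() reflects the thread token: the caller while
        // impersonating, the service account otherwise.
        return WindowsIdentity.GetCurrent().Name;
    }
}

public static class ImpersonationDemo
{
    // Calls the service with a token the service is permitted to impersonate.
    public static string CallWithImpersonation(string address)
    {
        // net.tcp transport security uses Windows credentials by default.
        var binding = new NetTcpBinding(SecurityMode.Transport);
        var factory = new ChannelFactory<IBankService>(binding, new EndpointAddress(address));

        // Client-side control from the slide. The default level is
        // Identification, which lets the service learn who the caller is
        // but not act as them.
        factory.Credentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Impersonation;

        IBankService proxy = factory.CreateChannel();
        try
        {
            return proxy.WhoAmI();
        }
        finally
        {
            ((IClientChannel)proxy).Close();
            factory.Close();
        }
    }

    public static void Main()
    {
        string address = "net.tcp://localhost:9000/BankService"; // constructed
        using (var host = new ServiceHost(typeof(BankService)))
        {
            host.AddServiceEndpoint(typeof(IBankService),
                                    new NetTcpBinding(SecurityMode.Transport), address);
            host.Open();

            Console.WriteLine("Host process runs as: " + WindowsIdentity.GetCurrent().Name);
            Console.WriteLine("Operation ran as:     " + CallWithImpersonation(address));
        }
    }
}
```

Run under an account other than the one hosting the service to see the two names differ. Marking the operation Required instead of Allowed would make WCF reject calls that arrive with only an Identification-level token, which is the safer choice for an operation that must never run under the service account.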
Demonstration: Accessing Security Information

In this demonstration, you will see how to:
• Access the security information available to a WCF service

• Perform some types of authentication based on that information
Lab: Protecting a Service

• Exercise 1: Applying Security for Internal Network Communication
• Exercise 2: Applying Security for Internet Communication

Logon information
Virtual machine: 6461A-LON-DEV-08
User name: Student
Password: Pa$$w0rd

Estimated time: 80 minutes


Lab Review

• Was the type of credential used for intranet security appropriate?
• Why did the SSL connection initially fail, and why is the solution you applied in the lab not appropriate to the real world?
• Is BasicHttpBinding the best choice for Internet security?
Module Review and Takeaways
• Review Questions

• Common Issues and Troubleshooting Tips

• Real-World Issues and Scenarios

• Best Practices

• Tools
