Hello everyone,

I am using VSTS 2008 + C# + .Net 3.5 + Silverlight 3.0. I host a WCF service in IIS 7.0. My question is, besides using https + basicHttpBinding, are there any other security solutions? I want to find a security solution which does not need a certificate on the server side. I am not sure whether message security works without a certificate and also works for Silverlight.

Thanks in advance, George

+2  A: 

If you're not going to be using a certificate of some sort on the server side (I'm assuming you weren't referring only to SSL, but also to putting a certificate on the box to support WS-Security standards), the best you're going to be able to do is Username/Password.

Here's a link on Implementing Username Password & WS-Security with Silverlight.

Justin Niessner
Looks like in order to implement message level security, we need to manually craft the SOAP header and body?
George2
Another question is whether using the solution mentioned in your recommended document needs a certificate to be set up on the server side? Thanks!
George2
Because Silverlight doesn't have the objects available in the Web Service Extensions pack (which Microsoft used to implement the WS-Security standards), you do have to craft the SOAP header manually. This method also does not require any certificates be installed at all.
Justin Niessner
Thanks! I want to confirm that using the method in the document, only the password is encrypted? Other parts of the SOAP message are still unencrypted?
George2
If memory serves, this won't get you any encryption in the message. It will only provide an authentication mechanism. If you want any kind of WS-Security standard encryption, you're going to need an X.509 Certificate. You'll need to install it on the server and provide each client access to the public key.
Justin Niessner
Thanks! I want to confirm with you that even if it is called message level security, the message itself is not encrypted (e.g. the password field), and it relies on underlying secure communication protocols, like https, to provide encryption?
George2
If you want transport level security (all traffic over the wire is encrypted) you have to use SSL. If you're looking for message based encryption (doesn't rely on any protocols), you need an X.509 certificate which will get used for the encryption and signing of the message. The latter can be done over plain http.
Justin Niessner
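
The hand-crafted header discussed in this thread, as an added example that is not part of the original posts or the linked article: it builds a SOAP 1.1 envelope with a WS-Security UsernameToken and then reads the password straight back out of the message, which is why this scheme only authenticates and still needs HTTPS for confidentiality. The `GetData` operation, the `http://tempuri.org/` namespace and the credentials are constructed placeholders.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Xml.Linq;

static class UsernameTokenExample
{
    // SOAP 1.1 envelope namespace (the version basicHttpBinding uses) and the OASIS WS-Security namespaces.
    static readonly XNamespace Soap = "http://schemas.xmlsoap.org/soap/envelope/";
    static readonly XNamespace Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static readonly XNamespace Wsu = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    const string PasswordText = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";

    // Wraps the given body in an envelope whose header carries the UsernameToken.
    public static XDocument BuildEnvelope(string user, string password, XElement body)
    {
        string created = DateTime.UtcNow.ToString("yyyy-MM-dd'T'HH:mm:ss'Z'", CultureInfo.InvariantCulture);
        var security = new XElement(Wsse + "Security",
            new XAttribute(XNamespace.Xmlns + "wsse", Wsse.NamespaceName),
            new XAttribute(XNamespace.Xmlns + "wsu", Wsu.NamespaceName),
            new XAttribute(Soap + "mustUnderstand", "1"),
            new XElement(Wsse + "UsernameToken",
                new XElement(Wsse + "Username", user),
                new XElement(Wsse + "Password", new XAttribute("Type", PasswordText), password),
                new XElement(Wsu + "Created", created)));
        return new XDocument(
            new XElement(Soap + "Envelope",
                new XAttribute(XNamespace.Xmlns + "s", Soap.NamespaceName),
                new XElement(Soap + "Header", security),
                new XElement(Soap + "Body", body)));
    }

    // What any party that can see the HTTP body sees: the token is plain XML, not ciphertext.
    public static string ReadPassword(XDocument envelope)
    {
        return envelope.Descendants(Wsse + "Password").Single().Value;
    }

    static void Main()
    {
        XNamespace svc = "http://tempuri.org/";   // constructed service namespace
        var body = new XElement(svc + "GetData", new XElement(svc + "value", 42));
        XDocument envelope = BuildEnvelope("alice", "constructed-password", body);
        Console.WriteLine(envelope);
        Console.WriteLine("Readable from the message: " + ReadPassword(envelope));
    }
}
```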