What are the best soup-to-nuts learning resources to get up to speed on WCF security?

Most WCF tutorials don't bother with security and use basicHttpBinding; however, what I'm doing needs to be industrial strength. I need to learn how to:

  • minimize the size of messages on the wire
  • encrypt messages on the wire so they can't be sniffed and read.
  • be able to authenticate users with and without Windows authentication.
  • authorise callers using custom roles and permissions.
  • pass extra metadata in the request message such as the user's machine name and a logging context GUID.
  • log plaintext request/response messages for tracing and maybe auditing.
  • profile service operations for performance.

The services I work on are self-hosted, and I will use IIS if there is a specific benefit; otherwise my services need to remain hosted in Windows services in production and console apps in development.

I should say I'm using .NET 3.5 and VS2008 at the moment. Might move to 4.0 if there's a killer WCF feature that would be helpful.

Thanks in advance for helping me take the next giant step.

A: 

There is a 15-part series of Top to Bottom WCF video webcasts here; the two security-related ones are part 10 and part 11.

There is also an 18-part WCF Soup to Nuts series; part 1 is here.

slugster
Anyone know where I can download Part 8: Instancing Modes? I've limited broadband and it only seems to be available as a streaming video now. Thanks.
IanT8
@Ian: the current url for that video is here: mms://wmbmodigital.microsoft.com/a10125/o9/events/wmvlarge/1032344344.wmv. It's curious that it is the only one that is streaming only. You may be able to find a download manager or media player that will let you download it directly, or you can play it in Windows Media Player and see if there is a cached file left behind.
slugster
A: 

Check out the MSDN docs WCF Security Overview for a good overview of the entire topic.

Also, I would recommend Juval Lowy's article on Declarative WCF Security where he specs out five commonly encountered scenarios of services and how to properly secure them. He even goes as far as making that into attributes, e.g. you can just simply decorate your services with a security-related attribute and be done with it.

For a very comprehensive set of guidance and how-to (more of a reference than a learning resource, though), check out the WCF Security Guidance - it has tons of step-by-step how-tos, code samples, background info.

marc_s