views:

32

answers:

4

We have some applications (web and WPF) that call WCF services to access data. We are not using Windows Authentication. The user is prompted for a username and password when logging into the web app or WPF desktop app. The data is not highly confidential (i.e. no credit cards, SSN, etc.).

We would like to use BasicHttpBinding for the WCF endpoints. However, we want to pass a username and password to our WCF services so that we can restrict access to certain data depending on the user.

My question is, since we are 100% in an intranet environment, would it be reasonable to simply pass the user's username and password in the header of the SOAP messages so that we can authenticate the users on the WCF side? This seems like a very common situation and I'm curious how others have addressed security on the WCF side when all applications and services reside in an intranet environment.

Thanks.

+1  A: 

Yes, this would be reasonable--HOWEVER: you should encrypt the password, even though you are on an intranet. Anyone using a network sniffer, such as Wireshark, can see the text of the communication, and if you have not encrypted the password, then even if they are employees, they will be able to get the passwords--completely defeating any internal security--that is, unless you trust your employees so much that usernames and passwords really don't mean anything, anyhow.

Russ
I always struggle with this scenario. For example, the WPF desktop applications will be prompting the user for a password. That means before we pass the password from the WPF app to a WCF service we should encrypt it. But, where do I store the encryption key on the user's desktop PC? I wouldn't want to store it in the app.config file.
ChrisNel52
+2  A: 

It seems like a pretty easy task, but in reality it is quite hard, because the WCF team has already made the decision that sending a plain-text user name token over an unsecured channel is not allowed. You can always send the user name and password in a custom SOAP header, but in that case you will lose the WCF security infrastructure and you will have to inject your own password validation behavior, etc.

If you really need plain text user name token you should check this binding.

Edit: Btw, remember that most security attacks come from insiders, so using HTTPS is not a bad decision and it will make things much easier.

Ladislav Mrnka
I guess that's the trade-off… do I simplify development and increase performance by keeping the security simple, or do I increase development complexity and slightly decrease performance by using HTTPS and wsHttpsBinding because of the fear there may someday be a rogue employee?
ChrisNel52
In this case you will not simplify development. Using HTTPS is straightforward. Avoiding HTTPS means workaround.
Ladislav Mrnka
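As an added example (not code from this thread or from the WCF team), this is the HTTPS route the answer above recommends, wired through WCF's own username validation instead of a custom SOAP header: BasicHttpBinding in TransportWithMessageCredential mode plus a UserNamePasswordValidator. The contract, the sample credentials and the address are assumptions; the client side only needs to set ClientCredentials.UserName on its proxy.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract standing in for the question's data services.
[ServiceContract]
public interface IDataService { [OperationContract] string GetRecords(); }

public class DataService : IDataService
{
    public string GetRecords()
    {
        // WCF has already run the validator below; the authenticated name is
        // what the service uses to decide which data this user may see.
        string user = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        return "records visible to " + user;
    }
}

// Validator plugged into WCF's own UserName-token infrastructure, so no custom
// SOAP header and no hand-written password-validation behavior are needed.
public class IntranetPasswordValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        // Constructed sample check; a real validator looks up the user store.
        bool ok = userName == "alice" && password == "correct-horse";
        if (!ok)
            throw new SecurityTokenException("Unknown user name or incorrect password.");
    }
}

public static class HostSetup
{
    public static ServiceHost Start()
    {
        // TransportWithMessageCredential: HTTPS protects the channel and the UserName
        // token travels in the SOAP message; WCF refuses that token over plain HTTP.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
        // Placeholder address; the port must have a server certificate bound to it.
        var host = new ServiceHost(typeof(DataService), new Uri("https://localhost:8443/data"));
        host.AddServiceEndpoint(typeof(IDataService), binding, "");
        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new IntranetPasswordValidator();
        host.Open();
        return host;
    }
}
```

Because the password is checked by WCF before the operation runs, the service body never sees it and only works with the already-authenticated identity.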
A: 

Passwords should never be sent in plain text. Some people use the same password for different things. Stealing someone's password could lead to a serious case of identity theft, even though your application may never be compromised (and the victim won't even know the source of the leak).

There's a reason passwords are hashed - even the computer shouldn't know your password!

Allon Guralnek
+1  A: 

If you're using WCF 3.5 SP1, you can allow user names and passwords across a non-secure binding: just set the security transport's AllowInsecureTransport to true.

Aaron Fischer