views: 24

answers: 2

I have a WCF service hosted in a Windows Service. Clients from various platforms will access the service. Now I would like to add a basic security mechanism. Ideally, the clients should use username/password for authentication.

Which binding settings do I have to use in this scenario and how can I authenticate the client? Interoperability is more important than a very secure solution. If possible, the client should not be forced to use a certificate or something like that. Additionally, authentication should not be strongly coupled with a SQL Server database. I would like to manually inspect the client credentials.

Thanks for your help

A: 

The best for your case can be BasicHttpBinding with security set to TransportWithMessageCredential and credential type set to UserName. In this case your service will be secured with HTTPS (requires a server certificate for SSL, which has to be trusted on clients) and authentication will be provided on message level with UserName Token Profile (SOAP header). You can implement your own password validator.

BasicHttpBinding configuration skeleton:

<bindings>
  <basicHttpBinding>
    <binding name="Secured">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

If you don't want to use HTTPS you can create a custom binding with HttpTransport, TextMessageEncoding and with security mode set to UserNameOverTransport. But you have to set allowInsecureTransport to true (be aware that there is a bug with WSDL generation in this setting).

Custom binding configuration skeleton:

<bindings>
  <customBinding>
    <binding name="Secured">
      <security authenticationMode="UserNameOverTransport" allowInsecureTransport="true" />
      <textMessageEncoding messageVersion="Soap11" />
      <httpTransport />
    </binding>
  </customBinding>
</bindings>
Ladislav Mrnka
Thanks for your reply. What consequences for the clients emerge when HTTPS with SSL is used? Can the client handle the security settings at message level? Or does the client have to "install" the certificate? Can I somehow send the certificate as a hash value and the client can add this value in the SOAP header?
WalterOesch
HTTPS defines security at transport level. The client does not need to do anything except providing a user name and password. Installing a certificate depends on the certificate issuer. If you use a certificate issuer trusted by the client, the client doesn't have to do anything. Otherwise the client has to install the certificate or the certificate of the issuer. I'm not sure if it is possible to provide a certificate hash in WSDL for BasicHttpBinding. You can try it by specifying endpoint identity on the server. It should be possible for WSHttpBinding.
Ladislav Mrnka
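The answer above says you can implement your own password validator for the UserName credential type but does not show one. The following is an added example, not code from the answer or from the question's project: a custom UserNamePasswordValidator that inspects credentials against an in-memory store (a constructed stand-in for whatever store you would check manually), plus the service behavior that wires it to the "Secured" binding. The user name "alice", the password "correct horse", and the assembly name "MyServiceAssembly" are assumptions made for the example; the PBKDF2 hashing and constant-time comparison are choices of this example so that plain-text passwords never sit in memory or on disk.

```csharp
// Added example (not from the original answer). Assumptions: the validator lives in
// an assembly named "MyServiceAssembly"; the user store is a constructed in-memory
// dictionary standing in for the store you would inspect manually.
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

public class ManualUserNameValidator : UserNamePasswordValidator
{
    private const int Iterations = 100000; // PBKDF2 work factor
    private const int HashLength = 32;     // bytes of derived key to keep

    // Constructed sample store: user name -> (salt, PBKDF2 hash). No plain-text passwords.
    private static readonly Dictionary<string, Tuple<byte[], byte[]>> Users = BuildSampleStore();

    // WCF calls this for every message carrying a UserName token; throwing rejects the call.
    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            throw new SecurityTokenException("User name and password are required.");

        Tuple<byte[], byte[]> entry;
        bool known = Users.TryGetValue(userName, out entry);

        // Derive a hash even for unknown users so the response time does not reveal
        // which user names exist.
        byte[] salt = known ? entry.Item1 : new byte[16];
        byte[] computed = Hash(password, salt);

        if (!known || !FixedTimeEquals(computed, entry.Item2))
            throw new SecurityTokenException("Unknown user name or incorrect password.");
    }

    private static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashLength);
    }

    // Constant-time comparison: a plain Equals loop stops at the first mismatch and
    // leaks how many leading bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static Dictionary<string, Tuple<byte[], byte[]>> BuildSampleStore()
    {
        var store = new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.Ordinal);
        byte[] salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        // "alice" / "correct horse" is constructed sample data for this example only.
        store["alice"] = Tuple.Create(salt, Hash("correct horse", salt));
        return store;
    }
}

/* Register the validator through a service behavior in app.config, next to the
   "Secured" binding from the answer (assembly name is an assumption):

<behaviors>
  <serviceBehaviors>
    <behavior name="ManualAuth">
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="Custom"
          customUserNamePasswordValidatorType="ManualUserNameValidator, MyServiceAssembly" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
*/
```

Apply the behavior to the service with behaviorConfiguration="ManualAuth" on the service element and bindingConfiguration="Secured" on the endpoint. With TransportWithMessageCredential the password travels inside the SOAP header over HTTPS; with the allowInsecureTransport custom binding it travels in clear text, so the validator above is only as private as the transport underneath it.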
A: 

See the Internet section of the Application Scenarios for guides on how to achieve this: CodePlex Application Scenarios

Tanner