WCF Architecture

Hi,

I am busy designing a WCF app. The app's purpose will be to give insurance members access to their insurance information via the web.

The problem lies with our network architecture and I am not exactly sure what type or combinaion of security I must use.

In our internal network we have a UNIX environment which I access using EntireX .net wrapper and we have an Oracle 10g data store which I access via Enterprise library.

I created a BLL containing the business objects and a DAL that populate these objects via Enterprise Library/EntireX.

I created a WCF services layer with 2 WCF services, one to access the oracle store and one to access unix and they reference the BLL.

I am going to host this service in IIS on a production server with SQL 2005 inside the firewall. We purchased a web server for which we are creating DMZ and this web server will communicate with the production server only via port 443 and/or port 80. Our company internet will have access to the web server in the DMZ.

The presentation layer will be an ASP.Net front end that calls the service in code using a Channelfactory. I use X509 client certificates that the client must present to the service. The service is secured by SSL. The front end will be on the web server in the DMZ.

I am using wsHttpBinding with Transport security and clientCredentialType="Certificate", which works fine but I want to pass login information to the service. I thought of adding it to the message header.

Now, I anm at a stage that I am doubting the viability of my design. Can someone give me some tips on what binding and security I must use in this scenario, how to pass login info and what I must have in my presenrtation layer to be the most secure. We have control over what ports will be opened through the firewall to the internal production server. We will only have 1 ASP.Net client hosted on the web server in the DMZ but will only have HTTPS or HTTP access to the production server.

Thanks a lot Ryan

Thanks

I think your approach sounds OK. If your WCF services will only be used by your front end asp.net app, I would probably think about hosting the service layer in a windows service and use TCP Binding(then you won't have to deal with IIS and possibly no certificates). But that could require you to change your infrastructure requirements slightly(you could still use port 80/443 but you will be faced with other annoying issues related to using ports that IIS normally uses). You can start with IIS/HTTP binding and switch later anyway with minimal impact to the overall application(that is the beauty of WCF).

Regarding the services themselves, I would also consider publishing 1 simple facade on top of your two repositories. That way your client doesn't couple itself to the concepts of your oracle db and unix system. This debatable though, you only mentioned the technologies used, if the two systems represent distinct business domains then keeping them separate makes sense. If you are only splitting them because they are two different systems then I would try to abstract those systems from the UI.

For passing credentials around, I would recommend using an authorization policy in combination with claims. For more help on this topic check out leastprivilege.com if you haven't found it already. Here is an article to get you started

ansaurus

tags:

views:

answers:

related questions