Lunch Learn - WCF Security

By Paul Senatillaka

Post on 17-Jul-2015

TRANSCRIPT

Page 1: Lunch Learn - WCF Security

By Paul Senatillaka

WCF Security

Page 2

Agenda

Introduction to WCF

- What is it? Why use it?

- Fundamentals and the ABCs of WCF

WCF Security Overview

- Bindings

Page 3

Introduction to WCF

Page 4

What is WCF?

Stands for Windows Communication Foundation

One of the 4 pillars of .NET 3.0

Microsoft’s unified programming model (the service model) for building Service-Oriented Applications

Page 5

Windows Communication Foundation

WCF provides:

- an SDK for creating SOA

- a runtime for running Services on Windows

Services send and receive messages

Messages are SOAP messages by default (WebHttpBinding, listed later, also carries plain HTTP/REST and POX traffic)

WCF takes care of all the plumbing

Page 6

Why use WCF?

Interoperable and Standards based

- Supports WS-* protocols

Unified Programming Model

- Unifies previous models like .NET Remoting, ASMX web services, COM+, etc.

Productive Programming Model

- Declarative

- Imperative

- Configuration based

Page 7

WCF: How does it work?

SOAP (Simple Object Access Protocol) is a protocol specification for exchanging structured information, encoded as XML, in the implementation of Web Services

Page 8

WCF Endpoints

Page 9

WCF Endpoints

Every service has

Address

- Where the service is

Binding

- How to talk to the service

Contract

- What the service can do


Page 10

The Endpoint Analogy

Address | Binding | Contract

Page 11

Address

Combination of transport, server name, port & path

Transport is determined by the binding

Examples

http://localhost:8001

https://localhost:8001

net.tcp://localhost:8002/MyService

net.msmq://localhost/MyService


Page 12

Bindings

Transport

- HTTP/S

- TCP

- MSMQ

Message formats and encoding

- Plain text

- Binary

- Message Transmission Optimization Mechanism (MTOM)

Communication security

- No security

- Transport security

- Message security

- Authenticating and authorizing callers


Page 13

Out of the box Bindings

BasicHttpBinding

WSHttpBinding

WS2007HttpBinding

WSDualHttpBinding

WSFederationHttpBinding

WS2007FederationHttpBinding

NetTcpBinding

NetNamedPipeBinding

NetMsmqBinding

NetPeerTcpBinding

WebHttpBinding

MsmqIntegrationBinding

Page 14

Contracts

Service contracts

- Defines operations, communications and behaviors.

Data contracts

- Defines data entities and parameter types.

Fault contracts

- Defines error types

Message contracts

- Defines message formats


Page 15

Service Contracts

[ServiceContract] – Defines a ‘set’ of operations

[OperationContract] – Defines a single method

using System.ServiceModel;

[ServiceContract]
public interface IService
{
    // Only members marked [OperationContract] become service operations.
    [OperationContract]
    string GetData(int value);
}

public class ConcreteService : IService
{
    public string GetData(int value) { ... }

    // Not on the contract interface, so it is not reachable through the endpoint.
    public string OtherMethod() { ... }
}

Page 16

Data Contracts

[DataContract] – Specifies type as a data contract

[DataMember] – Members that are part of contract

using System.Runtime.Serialization;

[DataContract]
public class CustomType
{
    // Only [DataMember] members are serialized; unmarked members never leave the process.
    [DataMember]
    public bool MyFlag { get; set; }

    [DataMember]
    public string MyString { get; set; }
}

Page 17

Hosting

IIS

- HTTP only

- Process recycling, failover protection, common config

WAS (Windows Process Activation Service)

- Can use any transport

- Windows Vista / Windows Server 2008 and later

Self hosting

- Can use any transport

- Can be hosted within Console, WinForms, etc. Applications

Windows Service

- Can use any transport

Page 18

WCF Security Overview

Page 19

WCF Security

WCF Security Provides:

Authentication – Identifying the message sender

Integrity – Signed messages to ensure they have not been altered

Confidentiality – Encryption

Authorization – Determines which functionality the caller is entitled to execute

Your binding selection will influence the available configuration options for the service security policy.

Page 20

WCF Security

Programming WCF security is based on three steps, setting the following:

- the security mode

- a client credential type

- the credential values.

Page 21

WCF Binding Comparison

Binding              Security modes (default first)     Transport    Encoding         Host
basicHttpBinding     None, Transport, Message, Mixed    HTTP         Text/XML, MTOM   IIS, WAS
wsHttpBinding        Message, Transport, Mixed          HTTP         Text/XML, MTOM   IIS, WAS
netTcpBinding        Transport, Message, Mixed          TCP          Binary           WAS
netNamedPipeBinding  Transport, None                    Named Pipe   Binary           WAS
netMsmqBinding       Transport, Message, None           MSMQ         Binary           WAS
netPeerTcpBinding    Transport                          P2P          Binary           -

Mixed = TransportWithMessageCredential. Note that basicHttpBinding is the only HTTP binding whose default is no security at all.

Page 22

WCF Binding Comparison

Parentheses mark the default value in each column.

Binding                  Interoperability   Security (Default)                  Session (Default)                                Encoding (Default)   Streaming (Default)
BasicHttpBinding         Basic Profile 1.1  (None), Transport, Message, Mixed   (None)                                           (Text), MTOM         Yes (buffered)
WSHttpBinding            WS                 Transport, (Message), Mixed         (None), Reliable Session, Security Session       (Text), MTOM         No
WSDualHttpBinding        WS                 (Message), None                     (Reliable Session), Security Session             (Text), MTOM         No
WSFederationHttpBinding  WS-Federation      (Message), Mixed, None              (None), Reliable Session, Security Session       (Text), MTOM         No
NetTcpBinding            .NET               (Transport), Message, None, Mixed   (Transport), Reliable Session, Security Session  Binary               Yes (buffered)
NetNamedPipeBinding      .NET               (Transport), None                   None, (Transport)                                Binary               Yes (buffered)
NetMsmqBinding           .NET               Message, (Transport), None          (None), Transport                                Binary               No
NetPeerTcpBinding        Peer               (Transport)                         (None)                                           -                    No
MsmqIntegrationBinding   MSMQ               (Transport)                         (None)                                           n/a                  No
BasicHttpContextBinding  Basic Profile 1.1  (None), Transport, Message, Mixed   (None)                                           (Text), MTOM         Yes (buffered)

Page 23

Setting the Binding

1. Select one of the predefined bindings appropriate to your application requirements.

By default, nearly every binding has security enabled; BasicHttpBinding, whose default mode is None, is the notable exception.

The binding you select determines the transport. For example, WSHttpBinding uses HTTP as the transport; NetTcpBinding uses TCP.

<system.serviceModel>
  <services>
    <service name="LunchLearn.TestService">
      <endpoint contract="LunchLearn.ITestService" binding="wsHttpBinding"/>
    </service>
  </services>
</system.serviceModel>

Page 24

Setting the Security Mode

2. Select one of the security modes for the binding. Note that the binding you select determines the available mode choices.

You have three choices (plus None, which turns security off entirely):

Transport

Message

TransportWithMessageCredential (the "Mixed" column in the tables above)

<wsHttpBinding>
  <binding name="wsHttp">
    <security mode="Message">
      <message clientCredentialType="UserName" />
    </security>
  </binding>
</wsHttpBinding>

A named binding configuration only takes effect when the endpoint references it, e.g. binding="wsHttpBinding" bindingConfiguration="wsHttp"; without that attribute the endpoint silently uses the binding's defaults.

Page 25

Transport

Transport security depends on the mechanism that the binding you've selected uses. For example, if you are using WSHttpBinding then the security mechanism is SSL/TLS (HTTPS); NetTcpBinding uses Windows (Negotiate) security or TLS over the TCP stream.

Pro: Generally speaking, good throughput no matter which transport you are using.

Con: Security is implemented in a hop-by-hop manner rather than end-to-end, so any intermediary that terminates the connection (proxy, load balancer) sees the plaintext.

If you decide to use transport security for HTTP (in other words, HTTPS), you must also configure the host with an SSL certificate and enable SSL on a port (in IIS through the site's HTTPS binding; for a self-hosted service by binding the certificate to the port with netsh http add sslcert).

Page 26

Message

Each message is signed and encrypted (WS-Security headers inside the SOAP envelope)

Pros:

End to End Security: the message stays protected across intermediaries, not just per hop

Because the composition of the headers varies, you can include any number of credentials for interoperability

Con:

Some overhead: signing and encrypting each message.

Page 27

Setting the Client Credential Type

The choice of client credential type depends on the security mode in place. For transport security the choices come from the transport: over HTTP you can require None, Basic, Digest, Ntlm, Windows or Certificate; over TCP, None, Windows or Certificate.

Message security supports any of the following settings for clientCredentialType:

None

Windows

UserName

Certificate

IssuedToken

Page 28

Setting the Client Credential Type

This code snippet illustrates how to select a clientCredentialType for message security.

<wsHttpBinding>
  <binding name="wsHttp">
    <security mode="Message">
      <message clientCredentialType="Windows"
               algorithmSuite="TripleDes" />
    </security>
  </binding>
</wsHttpBinding>

algorithmSuite is optional and shown here only to illustrate the attribute; the default, Basic256 (AES-256), is the stronger choice and should be kept unless a peer cannot negotiate it.
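The three steps above (binding, security mode plus credential type, credential values) done in code rather than config, as an added example that is not part of the original slides. ITestService, TestService, DemoUserNameValidator, the hard-coded demo user and the certificate subject "localhost" are all assumptions made for this illustration; the WCF types and members used are real.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Text;

// Hypothetical contract; stands in for LunchLearn.ITestService from the config above.
[ServiceContract]
public interface ITestService
{
    [OperationContract]
    string GetData(int value);
}

public class TestService : ITestService
{
    public string GetData(int value)
    {
        // Identity established by the UserName token the validator below accepted.
        string caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        return caller + " asked for " + value;
    }
}

// Step 3, the credential values: WCF hands every UserName token to this validator.
public class DemoUserNameValidator : UserNamePasswordValidator
{
    // Constructed demo user store. A real one holds salted password hashes, not passwords.
    private const string DemoUser = "alice";
    private const string DemoPassword = "correct horse battery staple";

    public override void Validate(string userName, string password)
    {
        if (userName == null || password == null)
            throw new ArgumentNullException("userName");

        bool ok = userName == DemoUser && FixedTimeEquals(password, DemoPassword);
        if (!ok)
            // One generic fault for both failure cases, so the client cannot tell
            // a wrong user name from a wrong password.
            throw new FaultException("Unknown user name or incorrect password.");
    }

    // Compare without short-circuiting on the first mismatching byte.
    internal static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a);
        byte[] y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++)
            diff |= x[i] ^ y[i];
        return diff == 0;
    }
}

class Program
{
    static void Main()
    {
        // Step 1: the binding. Step 2: the security mode and client credential type.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var host = new ServiceHost(typeof(TestService),
                                   new Uri("http://localhost:8001/TestService"));
        host.AddServiceEndpoint(typeof(ITestService), binding, "");

        // Message security needs a service certificate: the client encrypts the UserName
        // token to it. Assumed installed in LocalMachine\My with subject CN=localhost.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "localhost");

        // Step 3: route UserName tokens to our validator instead of Windows logon.
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator =
            new DemoUserNameValidator();

        host.Open();
        Console.WriteLine("Listening on {0}; press Enter to stop.", host.BaseAddresses[0]);
        Console.ReadLine();
        host.Close();
    }

    // Client side of the same three steps: same binding, credentials supplied per channel.
    static ITestService CreateClient(string user, string password)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        var address = new EndpointAddress(new Uri("http://localhost:8001/TestService"),
                                          EndpointIdentity.CreateDnsIdentity("localhost"));
        var factory = new ChannelFactory<ITestService>(binding, address);
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        // Trust only certificates in the client's Trusted People store, not any valid chain.
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;
        return factory.CreateChannel();
    }
}
```

Two points worth noticing: the service certificate is what keeps the UserName token confidential in Message mode (there is no HTTPS here), so the client must validate it, and the validator's failure path deliberately gives the same fault for every cause.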

Page 29

Role-Based Authorization

The identity of the caller is attached to the executing request thread in the form of a security principal, accessible through the CurrentPrincipal property.

System.Threading.Thread.CurrentPrincipal

Implements System.Security.Principal.IPrincipal

This interface has two members:

A read-only Identity property that returns a reference to the IIdentity for the request.

An IsInRole(string role) method. What it checks is set by the serviceAuthorization behavior's principalPermissionMode: with the default, UseWindowsGroups, roles are Windows groups; with UseAspNetRoles it consults the configured RoleProvider.

Page 30

Role-Based Authorization

Using the PrincipalPermission Object

Is the user authenticated?

Is the user in a particular role?

Is a particular user calling?

using System.Security.Permissions;

// Declarative: the demand runs before the method body; failure raises SecurityException.
[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
public string AdminsOnly()
{
    // protected code
}

// Imperative: the same demand, placed where it is needed inside the method.
public string AdminsOnlyImperative()
{
    // unprotected code
    PrincipalPermission p = new PrincipalPermission(null, "Administrators"); // any name, role Administrators
    p.Demand();
    // protected code
}

Page 31

Claims-Based Identity Model

The identity model in WCF supports a rich, claims-based approach to authorization. Can add a welcome layer of granularity.

Claims can be proof of possession of information such as an e-mail address, birth date, or first and last name.

Custom claims can be created to indicate the ability to access specific business entities or their storage location.

Page 32

Claims-Based Identity Model

using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.Security;
using System.ServiceModel;

ServiceSecurityContext security = OperationContext.Current.ServiceSecurityContext;
string user = security.PrimaryIdentity.Name;
string email = null;

// AuthorizationContext can hold several ClaimSets (one per token presented), so walk
// all of them rather than only ClaimSets[0]. Before trusting a claim from a federation
// token, also check set.Issuer.
foreach (ClaimSet set in security.AuthorizationContext.ClaimSets)
{
    foreach (Claim c in set.FindClaims(ClaimTypes.Email, Rights.PossessProperty))
    {
        email = c.Resource as string;
    }
}

if (string.IsNullOrEmpty(user) || email == null)
    throw new SecurityException("Unauthorized access. Email claim not found.");
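The role-based and claims-based checks on the last few slides are written inline in each operation. The generalization a practitioner usually wants is one authorization point for the whole service: an IAuthorizationPolicy that turns the authenticated e-mail claim into custom role claims, and a ServiceAuthorizationManager that decides per SOAP action. This is an added example, not code from the original slides; DemoClaimTypes.Role, the e-mail-to-role table, the action URIs and the ActionAuthorizationManager/EmailToRolePolicy names are assumptions made for the illustration, while the WCF extension points are real.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;

// Hypothetical custom claim type; any URI you control will do.
public static class DemoClaimTypes
{
    public const string Role = "http://example.com/claims/role";
}

// Authorization policy: runs after authentication, before the operation. It turns the
// authenticated e-mail claim into role claims using a constructed lookup table.
public class EmailToRolePolicy : IAuthorizationPolicy
{
    private static readonly Dictionary<string, string[]> RolesByEmail =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice@example.com", new[] { "Users", "Administrators" } },
            { "bob@example.com",   new[] { "Users" } },
        };

    private readonly string id = Guid.NewGuid().ToString();
    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        var roleClaims = new List<Claim>();
        // Walk every ClaimSet already in the context (one per presented token), not just [0].
        // In production also check set.Issuer before trusting an e-mail claim.
        foreach (ClaimSet set in evaluationContext.ClaimSets)
            foreach (Claim c in set.FindClaims(ClaimTypes.Email, Rights.PossessProperty))
            {
                string[] roles;
                string email = c.Resource as string;
                if (email != null && RolesByEmail.TryGetValue(email, out roles))
                    foreach (string r in roles)
                        roleClaims.Add(new Claim(DemoClaimTypes.Role, r, Rights.PossessProperty));
            }
        if (roleClaims.Count > 0)
            evaluationContext.AddClaimSet(this, new DefaultClaimSet(ClaimSet.System, roleClaims));
        return true; // nothing more to add; WCF will not call this policy again for the request
    }
}

// Authorization manager: one place that decides, per SOAP action, whether the call proceeds.
public class ActionAuthorizationManager : ServiceAuthorizationManager
{
    // Constructed policy table: action URI -> role required to invoke it.
    private static readonly Dictionary<string, string> RequiredRole =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            { "http://tempuri.org/ITestService/GetData",    "Users" },
            { "http://tempuri.org/ITestService/AdminsOnly", "Administrators" },
        };

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        // The base implementation evaluates the policies (including EmailToRolePolicy)
        // and populates ServiceSecurityContext.AuthorizationContext.
        if (!base.CheckAccessCore(operationContext)) return false;

        string action = operationContext.RequestContext.RequestMessage.Headers.Action;
        string role;
        if (!RequiredRole.TryGetValue(action, out role))
            return false; // deny by default: an action missing from the table is not callable

        return HasRole(operationContext.ServiceSecurityContext.AuthorizationContext, role);
    }

    internal static bool HasRole(AuthorizationContext ctx, string role)
    {
        foreach (ClaimSet set in ctx.ClaimSets)
            foreach (Claim c in set.FindClaims(DemoClaimTypes.Role, Rights.PossessProperty))
                if (string.Equals(c.Resource as string, role, StringComparison.Ordinal))
                    return true;
        return false;
    }

    // Wire both into a host (or use <serviceAuthorization serviceAuthorizationManagerType=.../>).
    public static void Install(ServiceHost host)
    {
        host.Authorization.ServiceAuthorizationManager = new ActionAuthorizationManager();
        host.Authorization.ExternalAuthorizationPolicies =
            new ReadOnlyCollection<IAuthorizationPolicy>(
                new IAuthorizationPolicy[] { new EmailToRolePolicy() });
    }
}
```

The manager rejects any action not listed in the table, so adding an operation to the contract without adding it to the policy fails closed rather than open; the operation bodies then need no PrincipalPermission demands of their own.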

Page 33

Sample Config

http://www.devx.com/codemag/Article/33342/1763?supportItem=6

Page 34

Impersonation

When Windows credentials are used, the service can be configured to impersonate callers so that the request thread operates under the impersonated Windows token.

[OperationBehavior(Impersonation = ImpersonationOption.Allowed)]
public string DoSomething() { ... }

ImpersonationOption.NotAllowed (the default). The caller will not be impersonated.

ImpersonationOption.Allowed. The caller will be impersonated if a Windows credential is provided.

ImpersonationOption.Required. The caller will be impersonated and a Windows credential must be provided to support this.

The client has to permit it: its Windows credential's AllowedImpersonationLevel must be Impersonation (or Delegation); the default, Identification, is enough to identify the caller but not to run as them. The impersonated token is valid on the service's machine only; reaching a remote resource as the caller requires delegation.

Page 35

Impersonation

You can also set this for all operations declaratively in configuration. It impersonates on every operation whose ImpersonationOption is Allowed, which widens the window in which the service runs with the caller's privileges, so prefer per-operation impersonation where you can.

<behaviors>
  <serviceBehaviors>
    <behavior name="serviceBehavior">
      <serviceAuthorization impersonateCallerForAllOperations="true"/>
    </behavior>
  </serviceBehaviors>
</behaviors>
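The slides show impersonation switched on for a whole operation or for the whole service. The least-privilege alternative is to impersonate explicitly, only around the call that needs the caller's token, and to validate the input before doing so. The following is an added example, not code from the original slides; IFileService, FileService, the C:\Shared\ root and the FileClient helper are assumptions made for the illustration.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IFileService
{
    [OperationContract]
    string ReadFirstLine(string path);
}

public class FileService : IFileService
{
    // Hypothetical root the service is willing to read from; checked before impersonating.
    private const string AllowedRoot = @"C:\Shared\";

    // No [OperationBehavior(Impersonation = ...)]: the operation runs as the service account
    // and impersonates the caller only around the one call that needs the caller's token.
    public string ReadFirstLine(string path)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            throw new FaultException("A Windows credential is required.");

        // Canonicalize and confine the path while still running as the service; a caller
        // who can impersonate a privileged account must not be able to read outside the root.
        string full = Path.GetFullPath(path);
        if (!full.StartsWith(AllowedRoot, StringComparison.OrdinalIgnoreCase))
            throw new FaultException("Path not permitted.");

        // Dispose() on the WindowsImpersonationContext reverts to the service identity,
        // including when File.ReadLines throws (e.g. the caller's ACL denies access).
        using (caller.Impersonate())
        {
            // The file ACL is now evaluated against the caller, not the service account.
            return File.ReadLines(full).FirstOrDefault() ?? string.Empty;
        }
    }
}

public static class FileClient
{
    // The client has to allow impersonation; the default level, Identification, lets the
    // service see who is calling but not act as them, and Impersonate() then fails.
    public static IFileService Create(Uri address)
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        var factory = new ChannelFactory<IFileService>(binding, new EndpointAddress(address));
        factory.Credentials.Windows.AllowedImpersonationLevel =
            TokenImpersonationLevel.Impersonation;
        return factory.CreateChannel();
    }
}
```

Because the token is only impersonated locally, the same code reading from a UNC path would run as anonymous on the file server unless the client grants Delegation and the service account is trusted for it.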

Page 36

Summary

Which binding to use:

WSHttpBinding – default security is Message mode, so messages are signed and encrypted end to end; the general-purpose choice for WS-* interoperable HTTP services

BasicHttpBinding – for Basic Profile 1.1 / ASMX-style interoperability; security is off by default, so put it behind HTTPS (Transport mode) or it carries everything in the clear

NetMsmqBinding – queued .NET-to-.NET messaging over MSMQ; Transport security by default

Page 37

Questions?

Slides re-used from

http://blogesh.wordpress.com/2009/02/11/wcf-presentation-slides/

Page 38

RSM McGladrey, Inc.

80 City Square

Boston, MA 02129

www.mcgladrey.com