Thursday, August 16, 2007

* WCF : Understanding Security

Previous Post <<-- WCF : Service Instances and Sessions

By now I have completed most of the mandatory features of WCF which any WCF developer should know except 'Security' which I will cover in this post. After this we will scope, design and develop our WCF real world application. If you have any ideas about real world application which we can use, pls let me know.

Security requirements from any distributed technology can be classified into one of the following :

  1. Authentication (client & service)
  2. Confidentiality
  3. Integrity
  4. Replay Attacks
  5. Authorization (Access control)
  6. Evidence based Security ( Auditing)

For 1, 2 & 3 WCF provides mainly three modes to ensure security apart from 'None'.

  • Transport : Transport protocol is responsible for it e.g. Https
  • Message : SOAP message security according to WS-Security standards
  • Mixed Mode : Transport Security is used for Integrity, Confidentiality and Server Authentication. Message security for client authentication.

Transport mode is recommended for homogenous environment like 'All Windows' environment as it is most performing and required least of coding.

Message is very flexible and can be used to implement security requirements in heterogeneous environment which is not based on standards.

Mixed Mode gives best of both the other modes. Is recommended for Web based scenarios.

Replay Attacks are taken care by Transport security if Transport or Mixed Mode are used. For Message Mode, WCF provides various settings which can be used as part of Custom Binding like 'DetectReplay' , 'MaxClockSkew', 'ReplayWindow'.

Authorization can be implemented using various mechanism provided by .NET framework and ASP.NET engine e.g. PrincipalPermissionAttribute, ASP.NET membership and role providers.

While WCF provides exhaustive Message logging and tracing infrastructure, the security audit can also be enabled using configuration by using ServiceSecurityAudit behavior.

Above was the overview of main security features available in WCF, we will try to cover most of them in our final application.

1 comment:

  1. We have a requirement in one of our projects like WCF client to access ASMX web service using X.509 certificate security. When we try to access the web service from WCF client, WCF is expecting the timestamp in response SOAP header to be signed. In our service we never sign the response with WSE2.0. We don't want to change anything except configuration in service side because so many various consumers are accessing the same service. When we disable the security WCF is successfully getting the response.
    Do you have any solution for this kind of problem?