Wednesday, August 31, 2011

WCF Security Fundamentals

WCF provides three important security features:

a. Confidentiality
b. Integrity
c. Authentication

Security is on by default in almost all bindings. Transport versus message security is configured with the security mode property, and authentication with the ClientCredentialType property; I will explain both later.

WCF provides numerous authorization options:
a. Impersonation
b. Role-based access control
c. Service authorization behaviour

WCF provides the basic protection that we need:

a. Confidentiality: encrypting messages mitigates eavesdropping attacks.
b. Integrity: signing messages mitigates tampering and replay attacks.
c. Authentication: proof of identity mitigates spoofing and impersonation attacks.

Developers can set the required protection level on contracts. The host will fail if an endpoint does not meet the required protection level. The protection level can be set at different scopes:

a. On a particular message
b. On an individual operation or fault contract
c. On a service contract

Simply use the ProtectionLevel property on the appropriate attribute. It takes one of three values:

a. None
b. Sign
c. EncryptAndSign

Configuring binding security settings

Windows Integrated Authentication: the picture below shows the settings for Windows Integrated Authentication.

Service supplies an X.509 certificate and the client supplies a user name and password: the picture below shows the settings for that.
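The following C# example, added here and not part of the original post, puts the ProtectionLevel scopes described above (service contract, operation and fault contract, individual message parts) on one contract and hosts it on a wsHttpBinding configured for message security with Windows Integrated Authentication. The names IOrderService, OrderService, Order, OrderFault and the localhost address are assumptions made for the illustration.

```csharp
using System;
using System.Net.Security;
using System.Runtime.Serialization;
using System.ServiceModel;
// Illustrative names (assumed): IOrderService, OrderService, Order, OrderFault.
// Service contract scope: every operation must at least be signed.
[ServiceContract(ProtectionLevel = ProtectionLevel.Sign)]
public interface IOrderService
{
    // Operation and fault scope: card data travels here, so require encryption too.
    [OperationContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
    [FaultContract(typeof(OrderFault), ProtectionLevel = ProtectionLevel.EncryptAndSign)]
    string PlaceOrder(Order order);

    [OperationContract]   // inherits Sign from the service contract
    string GetStatus(string orderId);
}

// Message scope: the header is signed only, the body is also encrypted.
[MessageContract]
public class Order
{
    [MessageHeader(ProtectionLevel = ProtectionLevel.Sign)]
    public string CustomerId;
    [MessageBodyMember(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
    public string CardNumber;
}
[DataContract] public class OrderFault { [DataMember] public string Reason; }
public class OrderService : IOrderService
{
    public string PlaceOrder(Order order) => "accepted";
    public string GetStatus(string orderId) => "shipped";
}
public static class Program
{
    public static void Main()
    {
        // Message security + Windows Integrated Authentication: the SOAP envelope
        // is signed and encrypted, so every protection level above can be met.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        // With SecurityMode.None, host.Open() throws: the endpoint cannot meet EncryptAndSign.
        using (var host = new ServiceHost(typeof(OrderService)))
        {
            host.AddServiceEndpoint(typeof(IOrderService), binding, "http://localhost:8000/orders");
            host.Open();
            Console.ReadLine();   // keep the host alive until Enter is pressed
        }
    }
}
```

Swapping the binding for one whose security mode cannot sign and encrypt (for example BasicHttpBinding with no security) reproduces the host failure the text describes, which is a useful check when a contract's protection level is raised later.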

Transport security:
Each transport typically has a built-in security layer that it can use:
HTTP using SSL, TCP/NP (named pipes) using Kerberos, MSMQ using certificates.

Transport security provides point-to-point security between nodes, as shown below.

Transport security tradeoffs:

Message security: Message security pushes authentication down into the SOAP message. It provides the same security features as transport security but in a transport-neutral way, by pushing security into the SOAP messages themselves.
Message security provides an end-to-end security solution across all nodes.

Message security tradeoffs:
