WCF Security
Basic Concepts:
-Mutual authentication: sender and receiver each prove their identity to the other
-Authorization: what rights the authenticated caller has
-Confidentiality: information is shown or hidden based on the caller's permissions (note: encryption)
-Integrity: the message cannot be altered without detection (note: use a signature)
-Reliability: preventing replay attacks and denial of service (DoS)
Transfer Security
-Transport level
-Message level
-Web Services Security (WS-Security, WS-*): the standards message-level security is built on
Transport Security
-Case: intranet; use transport security with netTcpBinding when the service sits behind the firewall
Message Security
-Case: internet; use message security with wsHttpBinding
Protection Level (default: EncryptAndSign)
-Transport level
-TCP, named pipes or MSMQ: the protection level can be lowered to Sign only (or None)
-SSL/TLS (HTTPS): the protection level is always EncryptAndSign
-Message level
-Supports partial message body protection, and the attribute sets the minimum protection level the binding must provide
e.g.: [OperationContract(ProtectionLevel=ProtectionLevel.Sign)]
-If the binding offers less than the contract's minimum (e.g. None under a contract that demands Sign), the service host fails to open
Client Credentials
-Windows
-Username and password
-X.509 certificate
-SAML / issued token (federated security, single sign-on)
Service Credentials
-Windows
-X.509 certificate
*When the client uses Windows credentials, so does the service
*When the client uses third-party credentials (username, certificate, issued token), the service must present a certificate
-to protect the transfer (encrypt the client's token in flight) and to authenticate the service itself to the client
Intranet
-usually uses Windows credentials
-usually does NOT allow impersonation
-e.g.:
-intranet: the number of users is bounded, so the service does not need to impersonate them to retrieve resources (it uses its own account and authorizes by caller identity)
-internet: the number of users is unbounded, so IIS maps them to its anonymous account (IUSR_<machine>) and that account retrieves resources
Impersonation
-Service
-[OperationBehavior]
-e.g.: [OperationBehavior(Impersonation=ImpersonationOption.NotAllowed)]
-serviceAuthorization behavior
-e.g.: <serviceAuthorization impersonateCallerForAllOperations="false"/>
-Client
-TokenImpersonationLevel: the most the client permits the service to do with its token
-e.g.: proxy.ClientCredentials.Windows.AllowedImpersonationLevel =
TokenImpersonationLevel.Identification;
-None
-Anonymous
-Identification: the service can learn who the caller is but cannot act as the caller
-Impersonation: the service can act as the caller, but only on the service's own machine
-Delegation: the service can also carry the caller's identity on to remote machines (use only when a second hop is genuinely required)
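The interplay between the service's ImpersonationOption and the client's AllowedImpersonationLevel, as an added example (this is not code from the original notes). It assumes netTcpBinding with Windows credentials; the contract, the file path and the address are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

// Added example: impersonation decided per operation, with the client capping what the
// service may do with its token. Names and addresses are hypothetical.
[ServiceContract]
public interface IFileService
{
    [OperationContract]
    string WhoAmI();

    [OperationContract]
    string ReadOwnFile(string path);
}

public class FileService : IFileService
{
    // NotAllowed: runs as the service account. The caller's identity is still available
    // for authorization decisions, it is just not used to access resources.
    [OperationBehavior(Impersonation = ImpersonationOption.NotAllowed)]
    public string WhoAmI()
    {
        string thread = WindowsIdentity.GetCurrent().Name;                   // service account
        string caller = ServiceSecurityContext.Current.WindowsIdentity.Name; // authenticated client
        return "thread=" + thread + " caller=" + caller;
    }

    // Required: WCF impersonates the caller before entering the method, so the file's ACL
    // (not the service account's privileges) decides whether the read succeeds.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string ReadOwnFile(string path)
    {
        return File.ReadAllText(path);
    }
}

public static class ImpersonationClient
{
    public static string ReadViaService(string address, string path, bool permitImpersonation)
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        var factory = new ChannelFactory<IFileService>(binding, new EndpointAddress(address));

        // The default is Identification: the service can learn who we are but cannot act as us.
        // Raise to Impersonation only for a service that genuinely needs it; Delegation would let
        // it carry our identity on to other machines, which is almost never warranted.
        factory.Credentials.Windows.AllowedImpersonationLevel = permitImpersonation
            ? TokenImpersonationLevel.Impersonation
            : TokenImpersonationLevel.Identification;

        IFileService proxy = factory.CreateChannel();
        // With Identification only, ReadOwnFile fails: the service holds a token it is not
        // permitted to impersonate with, so the Required operation cannot run.
        return proxy.ReadOwnFile(path);
    }
}
```

Keep impersonation off (NotAllowed) by default and switch it on per operation; the client-side level is the caller's own least-privilege control, independent of what the service asks for.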
Service Certificate
-e.g.: <serviceCredentials>
  <serviceCertificate findValue="MyService" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
</serviceCredentials>
Client Certificate
-e.g.: <clientCredentials>
  <clientCertificate findValue="MyClient" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName"/>
</clientCredentials>
-findValue is a placeholder for the certificate's subject name; leave the peer's <authentication certificateValidationMode="ChainTrust"/> (the default) in production, PeerTrust or None only for a lab with self-signed certificates
Negotiation
-The client obtains the service's public key in a negotiation exchange at run time (negotiateServiceCredential="true"), so the service certificate does not need to be installed on the client
-Windows credentials: SPNego
-Certificate credentials: TLSNego
Secure Sessions
-Avoid passing and validating the client's credentials on every call: authenticate the client once
-A security context token (SCT) is issued after authentication and used to protect subsequent messages
-On by default for message security; establishSecurityContext="false" disables it
-e.g.: <security mode="Message">
  <message clientCredentialType="UserName" establishSecurityContext="false"/>
</security>
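The message-security, credential and protection-level settings above (wsHttpBinding, UserName client credentials, a service certificate, negotiation and a secure session) configured in code instead of app.config, as an added example that is not part of the original notes. The contract, address, certificate subject name and the demo password validator are hypothetical.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example: wsHttpBinding with message security and UserName credentials.
[ServiceContract]
public interface IOrders
{
    // Minimum protection this operation demands; the binding below provides EncryptAndSign.
    [OperationContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
    string Place(string order);
}

public class Orders : IOrders
{
    public string Place(string order)
    {
        // With UserName authentication PrimaryIdentity is a GenericIdentity carrying the user name.
        return "accepted from " + ServiceSecurityContext.Current.PrimaryIdentity.Name;
    }
}

// The service must supply a validator; WCF never accepts a UserName token without one.
public class DemoValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        // Constructed check for the demo; a real validator consults a credential store.
        if (userName != "alice" || password != "correct horse battery staple")
            throw new SecurityTokenException("Unknown user name or incorrect password.");
    }
}

public static class MessageSecurityDemo
{
    public static WSHttpBinding CreateBinding(bool secureSession)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        // TLSNego: the client fetches the service's public key at run time instead of
        // having the certificate pre-installed. Set false to require a pre-provisioned cert.
        binding.Security.Message.NegotiateServiceCredential = true;
        // Secure session: authenticate once, then protect later messages with an SCT.
        binding.Security.Message.EstablishSecurityContext = secureSession;
        return binding;
    }

    public static ServiceHost OpenHost(Uri address)
    {
        var host = new ServiceHost(typeof(Orders), address);
        host.AddServiceEndpoint(typeof(IOrders), CreateBinding(secureSession: true), "");

        // Third-party (non-Windows) client credentials require a service certificate: it
        // encrypts the UserName token in flight and authenticates the service to the client.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "MyService");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new DemoValidator();
        host.Open();
        return host;
    }

    public static string Call(Uri address)
    {
        var factory = new ChannelFactory<IOrders>(CreateBinding(secureSession: true),
                                                  new EndpointAddress(address));
        factory.Credentials.UserName.UserName = "alice";
        factory.Credentials.UserName.Password = "correct horse battery staple";
        // ChainTrust is the default; never ship None or PeerOrChainTrust on an internet client.
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        IOrders proxy = factory.CreateChannel();
        return proxy.Place("1 widget");   // "accepted from alice"
    }
}
```

Both sides build the binding from the same CreateBinding method so the security mode, credential type and secure-session setting cannot drift apart, which is the usual cause of a client that fails with a security negotiation fault.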
(Learning WCF) Authentication, Authorization, and Identities
ServiceSecurityContext
-PrimaryIdentity
-Contains a reference to an IIdentity, such as WindowsIdentity or GenericIdentity, representing the authenticated caller
-WindowsIdentity
-The caller's WindowsIdentity when Windows credentials were used; an anonymous WindowsIdentity otherwise
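Using ServiceSecurityContext for authorization once the caller is authenticated, as an added example that is not part of the original notes. The contract and the Windows group names (PayrollReaders, PayrollAdmins) are hypothetical.

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;

// Added example: declarative and imperative authorization on the authenticated identity.
[ServiceContract]
public interface IPayroll
{
    [OperationContract] decimal GetSalary(string employee);
    [OperationContract] void SetSalary(string employee, decimal amount);
}

public class Payroll : IPayroll
{
    // Declarative: the caller's principal must be in the Windows group "PayrollReaders".
    // Relies on serviceAuthorization principalPermissionMode="UseWindowsGroups" (the default).
    // A failed demand surfaces to the client as an access-denied fault.
    [PrincipalPermission(SecurityAction.Demand, Role = "PayrollReaders")]
    public decimal GetSalary(string employee)
    {
        return 1000m;   // constructed value for the demo
    }

    // Imperative: inspect the context when the rule is more than a single role name.
    public void SetSalary(string employee, decimal amount)
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
            throw new FaultException("Authentication required.");

        // PrimaryIdentity is the authenticated caller whatever the credential type;
        // WindowsIdentity is only meaningful when Windows authentication was used.
        IIdentity who = ctx.PrimaryIdentity;
        WindowsIdentity win = ctx.WindowsIdentity;
        bool isAdmin = !win.IsAnonymous && new WindowsPrincipal(win).IsInRole("PayrollAdmins");
        if (!isAdmin || amount < 0)
            throw new FaultException("Access denied.");   // generic: do not reveal which check failed

        // The update runs as the service account (no impersonation); record who asked for it.
        Console.WriteLine(who.Name + " set salary for " + employee);
    }
}
```

Authorize on PrimaryIdentity rather than on data the client sends in the message body, and keep the fault text generic so a probing caller cannot enumerate roles.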
Contract Versioning
Versioning Issues
-Once published, the WSDL contract is final
Version Tolerance (by default)
-Client sends extra data: the service throws it away by default
-Missing fields are forgiven if the field is non-required (IsRequired=false)
-All of the above is handled by DataContractSerializer
-Reasonable changes can be made without impact on existing clients and services
e.g.: add or remove non-required fields, add new operations
IExtensibleDataObject
-Client sends extra data: the service preserves it and sends it back to the client
-Service returns extra fields: the client preserves them and sends them back to the service
-IExtensibleDataObject keeps the unknown data in an in-memory structure (ExtensionDataObject)
-Implementation
e.g.:
[DataContract]
public class LinkItem : IExtensibleDataObject
{
  private ExtensionDataObject m_extensionData;
  public ExtensionDataObject ExtensionData
  {
    get { return m_extensionData; }
    set { m_extensionData = value; }
  }
}
Disabling IExtensibleDataObject
-serviceBehavior configuration
<behavior name="serviceBehavior">
  <dataContractSerializer ignoreExtensionDataObject="true"/>
</behavior>
OR
[ServiceBehavior(IgnoreExtensionDataObject=true)]
public class TestService : ITestService
{
}
-Caveat: preserved extension data is arbitrary client-supplied content that the service buffers and echoes back, so disable it on endpoints that face untrusted clients
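What IExtensibleDataObject actually preserves across a version hop, as an added example that is not part of the original notes: a v2 client sends a field the v1 service has never heard of, and the v1 type round-trips it. Both types are constructed for the demo and share one contract name and namespace (the namespace URL is hypothetical).

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;

// Added example: v2 -> v1 -> v2 round trip through DataContractSerializer.
[DataContract(Name = "LinkItem", Namespace = "http://example.org/links/2006/06")]
public class LinkItemV1 : IExtensibleDataObject
{
    [DataMember] public string Url { get; set; }
    public ExtensionDataObject ExtensionData { get; set; }   // holds elements v1 does not know
}

[DataContract(Name = "LinkItem", Namespace = "http://example.org/links/2006/06")]
public class LinkItemV2 : IExtensibleDataObject
{
    [DataMember] public string Url { get; set; }
    [DataMember(IsRequired = false)] public string Title { get; set; }   // added in v2, optional
    public ExtensionDataObject ExtensionData { get; set; }
}

public static class VersionRoundTrip
{
    static byte[] Serialize<T>(T value)
    {
        var ms = new MemoryStream();
        new DataContractSerializer(typeof(T)).WriteObject(ms, value);
        return ms.ToArray();
    }

    static T Deserialize<T>(byte[] xml)
    {
        return (T)new DataContractSerializer(typeof(T)).ReadObject(new MemoryStream(xml));
    }

    // Title as seen by the v2 client after the object has passed through the v1 service:
    // "WCF" because LinkItemV1 implements IExtensibleDataObject; it would be null if the
    // v1 type dropped unknown elements (IgnoreExtensionDataObject=true or no interface).
    public static string TitleAfterV1Hop()
    {
        var fromV2Client = new LinkItemV2 { Url = "http://example.org", Title = "WCF" };
        byte[] wire1 = Serialize(fromV2Client);

        // The v1 service deserializes: Title is unknown, so it lands in ExtensionData...
        LinkItemV1 atV1Service = Deserialize<LinkItemV1>(wire1);
        // ...and is written back out when the service returns the object.
        byte[] wire2 = Serialize(atV1Service);

        LinkItemV2 backAtClient = Deserialize<LinkItemV2>(wire2);
        return backAtClient.Title;
    }

    // Size of the XML the v1 service had to buffer: everything a client adds beyond the
    // known members is stored and re-emitted, which is why the page recommends disabling
    // extension data at an untrusted boundary.
    public static int BytesBufferedAtV1()
    {
        var padded = new LinkItemV2 { Url = "http://example.org", Title = new string('A', 10000) };
        LinkItemV1 atV1Service = Deserialize<LinkItemV1>(Serialize(padded));
        return Serialize(atV1Service).Length;   // grows with whatever the client sent
    }
}
```

The v1 type never declares Title, yet the v2 client sees its value survive; the second method shows the cost of that convenience, since the unknown content is held per object and reflected back verbatim.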
Versioning Strategies
-Strict versioning
-Practical versioning
-backward and forward compatibility
Versioning Approach: Inheritance
-e.g.:
[ServiceContract(Name="ServiceContract", Namespace="http://myservice/2006/06")]
public interface IServiceA
{
  [OperationContract]
  string Operation1();
  [OperationContract]
  string Operation2();
}
[ServiceContract(Name="ServiceContract", Namespace="http://myservice/2006/07")]
public interface IServiceA_2 : IServiceA
{
  [OperationContract]
  string Operation3();
}
Versioning Approach: Semi-strict (add a new endpoint for the new version to track usage)
Versioning Approach: No Inheritance
-e.g.:
[ServiceContract(Name="ServiceContract", Namespace="http://myservice/2006/06")]
public interface IServiceA
{
  [OperationContract]
  string Operation1();
  [OperationContract]
  string Operation2();
}
[ServiceContract(Name="ServiceContract", Namespace="http://myservice/2006/07")]
public interface IServiceA_2
{
  [OperationContract]
  string Operation1();
  [OperationContract]
  string Operation2();
  [OperationContract]
  string Operation3();
}
Data Contract Versioning
-Never remove or add a required field
-Don't change the namespace
Transactions
WCF provides reliability features:
-Reliable sessions
-Support for transactions
-Durable queued messaging
ACID properties
-Atomic
-Consistent
-Isolated
-Durable
Two-Phase Commit Protocol
-Phase 1 (prepare)
-Coordinator asks each RM (resource manager) to prepare to commit
-Each RM votes to commit or abort
-Coordinator collects all votes and decides the outcome
-Phase 2 (commit/abort)
-Coordinator tells each RM to commit or abort
-Each RM acknowledges completion of a commit request
Durable vs. Volatile RM
-A durable RM saves its state during Phase 1 of 2PC so it can withstand equipment outages
-e.g.: SQL Server database
-Survives machine restarts
-A volatile RM operates on data in memory
-e.g.: a transactional dictionary
-Cannot survive machine restarts
Transaction Managers
-LTM (Lightweight Transaction Manager)
-single app domain, volatile RMs plus at most one durable RM; does not use the distributed coordinator
-KTM (Kernel Transaction Manager)
-transactional file system and registry
-DTC (Distributed Transaction Coordinator)
-crosses app domain, process, and machine boundaries
WCF Transactions
-Enable transaction flow on the binding
e.g.:
<bindings>
  <netTcpBinding>
    <binding transactionFlow="true" transactionProtocol="OleTransactions"/>
  </netTcpBinding>
</bindings>
+flows a transaction from client to service, or from one service to another
-Mark the operation in the service contract as accepting a flowed transaction
e.g.:
[OperationContract]
[TransactionFlow(TransactionFlowOption.Allowed)]
void SetCount1();
-A transaction protocol must be selected (OleTransactions or WSAtomicTransaction11)
-The client calls the service operations inside a TransactionScope
e.g.:
using (TransactionScope scope = new TransactionScope(TransactionScopeOption.Required))
{
  proxy.SetCount1();
  ...
  scope.Complete();   // votes to commit; disposing the scope without Complete() aborts
}
-Service operations must explicitly agree to join a flowed transaction or create one
e.g.:
[OperationBehavior(TransactionScopeRequired=true, TransactionAutoComplete=true)]
public void SetCount1() {...}
[OperationBehavior(TransactionScopeRequired=true)]   // TransactionAutoComplete is true by default
public void SetCount2() {...}
Enabling Transaction Flow
-Transaction flow is disabled by default (transactionFlow="false" on the binding, TransactionFlowOption.NotAllowed on operations)
Transaction Flow Options
-NotAllowed
-e.g.: do not allow untrusted clients to flow their transactions
-protects an internet-facing service: a flowed transaction lets a remote caller hold locks on the service's resources until the transaction times out
-Mandatory
-the client must call inside a TransactionScope, otherwise the call fails
-Allowed
-the service joins the flowed transaction if there is one; with TransactionScopeRequired=true it creates its own otherwise
Transaction Protocol Options
-OleTransactions: crosses process and network boundaries (Windows/DTC only)
-default for named pipes and TCP
-WSAtomicTransaction11: crosses service boundaries over HTTP (interoperable)
-the only option for HTTP bindings
Timeout
-e.g.:
<serviceBehaviors>
  <behavior>
    <serviceTimeouts transactionTimeout="00:00:01"/>
  </behavior>
</serviceBehaviors>
-bounds how long a transaction the service creates may stay open, so a slow caller cannot hold locks indefinitely
Isolation Level
-[ServiceBehavior(TransactionIsolationLevel=IsolationLevel.ReadCommitted)]; when a transaction flows in, its isolation level must match the service's unless the service leaves it Unspecified
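The three TransactionFlowOption values on one contract, the matching service behavior, and a client that flows (or fails to flow) a transaction over netTcpBinding, as an added example that is not part of the original notes. The contract, the address and the in-memory counter (a volatile stand-in for a real resource manager) are hypothetical.

```csharp
using System;
using System.ServiceModel;
using System.Transactions;

// Added example: transaction flow end to end.
[ServiceContract]
public interface ICounter
{
    // Internet-facing style: a caller can never hold our resources open with its own transaction.
    [OperationContract]
    [TransactionFlow(TransactionFlowOption.NotAllowed)]
    void Reset();

    // Joins the caller's transaction if one flows, otherwise runs in its own.
    [OperationContract]
    [TransactionFlow(TransactionFlowOption.Allowed)]
    void Increment();

    // Fails unless the caller flows a transaction.
    [OperationContract]
    [TransactionFlow(TransactionFlowOption.Mandatory)]
    void IncrementOrFail();
}

public class Counter : ICounter
{
    public static int Value;   // constructed stand-in for a durable RM

    [OperationBehavior(TransactionScopeRequired = true)]   // TransactionAutoComplete defaults to true
    public void Reset() { Value = 0; }

    [OperationBehavior(TransactionScopeRequired = true)]
    public void Increment()
    {
        // Transaction.Current is the client's transaction when one flowed in.
        Value++;
    }

    // Throwing inside the operation votes abort; the client's scope then rolls back too.
    [OperationBehavior(TransactionScopeRequired = true, TransactionAutoComplete = true)]
    public void IncrementOrFail()
    {
        Value++;
        if (Value > 100) throw new FaultException("Limit reached.");
    }
}

public static class TransactionFlowDemo
{
    public static NetTcpBinding Binding()
    {
        var b = new NetTcpBinding(SecurityMode.Transport);
        b.TransactionFlow = true;                                      // off by default
        b.TransactionProtocol = TransactionProtocol.OleTransactions;   // the TCP default
        return b;
    }

    public static void Run(string address)
    {
        var factory = new ChannelFactory<ICounter>(Binding(), new EndpointAddress(address));
        ICounter proxy = factory.CreateChannel();

        // Both calls join one atomic unit of work on the service; keep the timeout short so a
        // hung client cannot pin the service's locks for long.
        var options = new TransactionOptions { Timeout = TimeSpan.FromSeconds(30) };
        using (var scope = new TransactionScope(TransactionScopeOption.Required, options))
        {
            proxy.Increment();
            proxy.IncrementOrFail();
            scope.Complete();   // vote commit; disposing without Complete() aborts both increments
        }

        // Outside any scope: Allowed runs in a service-created transaction, Mandatory fails.
        proxy.Increment();
        try { proxy.IncrementOrFail(); }
        catch (CommunicationException) { /* no transaction to flow: the call is rejected */ }
    }
}
```

NotAllowed on Reset is the setting the notes recommend for untrusted callers: whatever the client does, the service's own short-lived transaction, not the caller's, governs how long its resources stay locked.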
Reliable Messaging
Reliable Sessions
-Delivery guarantees
-Delivered exactly once
-Delivered in order (if desired)
Enabling Reliable Sessions
e.g.:
<netTcpBinding>
  <binding>
    <reliableSession enabled="true" ordered="true" inactivityTimeout="00:10:00"/>
  </binding>
</netTcpBinding>
<wsHttpBinding>
  <binding>
    <reliableSession enabled="true" ordered="true" inactivityTimeout="00:10:00"/>
  </binding>
</wsHttpBinding>
**With a reliable session even a one-way call blocks the client until the service acknowledges the message; if the service is unreachable the client blocks until the retries are exhausted
WCF Architecture
-A reliable session is established at the channel layer
-RM (reliable messaging) buffers at both ends manage reliability
-Delivery notifications are acknowledgements sent back to the client channel
-Missing acknowledgements trigger retries, up to the configured retry count
WS-RM Messages
-CreateSequence
-CreateSequenceResponse
-SequenceAcknowledgement
-LastMessage
-TerminateSequence
-ACKs are returned with HTTP responses, or in separate messages over TCP
Reliable Session Configuration
-AcknowledgementInterval
-FlowControlEnabled
-how much room is left in the receiver's buffer
-*InactivityTimeout
-MaxPendingChannels
-MaxRetryCount
-MaxTransferWindowSize
-*Ordered
Requiring Ordered Delivery
-e.g.: (on the service class; the host refuses to open if the endpoint's binding cannot deliver in order)
[DeliveryRequirements(RequireOrderedDelivery=true, TargetContract=typeof(MyMessage.IMyMessage))]
public class MyMessageService : MyMessage.IMyMessage {...}
Retry Attempts
Session Identifier
-A unique session identifier is required to correlate messages between the client and service channels
Session Timeout
-receiveTimeout (on the binding)
-reliableSession inactivityTimeout
-the smaller of the two wins
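The reliable-session settings listed above configured in code, with the DeliveryRequirements check and the session-timeout rule, as an added example that is not part of the original notes. The contract and service names are hypothetical.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Added example: reliable session tuning on netTcpBinding.
[ServiceContract(SessionMode = SessionMode.Required)]
public interface IEventSink
{
    // One-way, but with a reliable session the call still blocks until it is acknowledged.
    [OperationContract(IsOneWay = true)]
    void Publish(int sequence, string payload);
}

// The host refuses to open if the endpoint's binding cannot deliver in order.
[DeliveryRequirements(RequireOrderedDelivery = true, TargetContract = typeof(IEventSink))]
public class EventSink : IEventSink
{
    public void Publish(int sequence, string payload) { /* process strictly in order */ }
}

public static class ReliableSessionDemo
{
    public static NetTcpBinding Binding()
    {
        var b = new NetTcpBinding(SecurityMode.Transport, reliableSessionEnabled: true);
        b.ReliableSession.Ordered = true;                        // satisfies DeliveryRequirements
        b.ReliableSession.InactivityTimeout = TimeSpan.FromMinutes(10);
        b.ReceiveTimeout = TimeSpan.FromMinutes(5);              // the smaller of the two governs
        return b;
    }

    // Retry count, transfer window and flow control live on the binding element, not on
    // NetTcpBinding itself, so they are reached through CreateBindingElements().
    public static CustomBinding WithRetryTuning(NetTcpBinding b, int maxRetries, int windowSize)
    {
        BindingElementCollection elements = b.CreateBindingElements();
        var rm = elements.Find<ReliableSessionBindingElement>();
        rm.MaxRetryCount = maxRetries;            // default 8; bounds how long a one-way call can block
        rm.MaxTransferWindowSize = windowSize;    // default 8 unacknowledged messages in flight
        rm.FlowControlEnabled = true;             // honour the receiver's buffer space
        rm.AcknowledgementInterval = TimeSpan.FromMilliseconds(200);
        return new CustomBinding(elements);
    }

    // An idle session is torn down when either timer fires, so the effective timeout is the minimum.
    public static TimeSpan EffectiveSessionTimeout(NetTcpBinding b)
    {
        return b.ReceiveTimeout < b.ReliableSession.InactivityTimeout
            ? b.ReceiveTimeout
            : b.ReliableSession.InactivityTimeout;   // 5 minutes for Binding() above
    }
}
```

A lower MaxRetryCount is the knob that limits how long a client stalls on a one-way call to a dead service, which is the blocking behaviour the note above warns about.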