WCF Security Resources
http://msdn.microsoft.com/en-us/library/ff647145.aspx
Tool: Microsoft Service Trace Viewer
Core Concept
Mutual Authentication: sender and receiver verify one another's identity
Authorization
Confidentiality: the message can only be read by the intended recipient
Integrity: the message is not changed on its way from sender to receiver
(digital signature)
Reliability: protection against message replay
Transfer Security
Transport security: SSL, point to point
Secure Sockets Layer (SSL)
point-to-point
Message security: protects the actual message content
Web Services Security (WS-*)
WCF Security Setting
Security Mode
Transport:
e.g.:
<netTcpBinding> (typically used in an intranet; binary encoding) - point to point
    <netTcpBinding>
      <binding name="xxx">
        <security mode="Transport">
          <transport clientCredentialType="Windows"/>
        </security>
      </binding>
    </netTcpBinding>
Message
e.g.:
<wsHttpBinding> (typically used on the internet)
    <wsHttpBinding>
      <binding name="xxx">
        <security mode="Message">
          <message clientCredentialType="UserName"/>
        </security>
      </binding>
    </wsHttpBinding>
Mixed (transport+message)
e.g.:
<basicHttpBinding>
    <basicHttpBinding>
      <binding name="xxx">
        <security mode="TransportWithMessageCredential">
          <transport/>
          <message clientCredentialType="UserName"/>
        </security>
      </binding>
    </basicHttpBinding>
Protection Level (for message-level protection only, NOT transport level)
By default (for secure bindings):
all messages are signed and encrypted
None
Sign
e.g.:
<netTcpBinding> (typically used in an intranet; binary encoding) - point to point
    <netTcpBinding>
      <binding name="xxx">
        <security>
          <transport protectionLevel="Sign"/>
        </security>
      </binding>
    </netTcpBinding>
OR, per operation on the contract:
    [OperationContract(ProtectionLevel = ProtectionLevel.Sign)]
    string HelloWorld(string inputString);
EncryptAndSign (Default)
Client credentials
Windows (domain)
Username and password
X.509 certificates
Issued Security Assertion Markup Language (SAML) token
Service credentials
Windows (domain): local
X.509 certificates: service to service; the client uses the service's public key to encrypt the message
Impersonation (Intranet)
NotAllowed
Allowed
Required
Credential negotiation
Secure sessions
Authentication and authorization behaviors
Authentication
    <serviceCredentials>
      <windowsAuthentication/>
      <userNameAuthentication/>
      <clientCertificate>
        <authentication/>
      </clientCertificate>
    </serviceCredentials>
ServiceAuthorization
    <serviceAuthorization principalPermissionMode="UseAspNetRoles"/>
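The notes above describe each setting in isolation (security mode, protection level, client and service credentials, impersonation, secure sessions, and the authentication/authorization behaviors). The following added example, which is not part of the original notes, wires the same settings together in code for a self-hosted service instead of app.config. The contract and service names (IGreeter, GreeterService), the DemoValidator class, the "Users" role, the certificate subject name and the demo username/password are assumptions made for this example.

```csharp
// Added example (not from the original notes): a self-hosted WCF service that
// applies the settings listed above in code rather than in app.config.
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

[ServiceContract]
public interface IGreeter
{
    // Default for a secure binding: EncryptAndSign.
    [OperationContract]
    string HelloWorld(string inputString);

    // Integrity only: the body is signed but not encrypted at the message layer.
    [OperationContract(ProtectionLevel = ProtectionLevel.Sign)]
    string PublicStatus();
}

public class GreeterService : IGreeter
{
    // Authorization: only callers in the "Users" role (assumed name) may invoke this.
    // Impersonation is explicitly not allowed for this operation.
    [PrincipalPermission(SecurityAction.Demand, Role = "Users")]
    [OperationBehavior(Impersonation = ImpersonationOption.NotAllowed)]
    public string HelloWorld(string inputString) => "Hello, " + inputString;

    public string PublicStatus() => "up";
}

// Authentication: validates the UserName credential carried inside the message.
// A real deployment checks a directory or membership store; the hard-coded
// pair below is a placeholder for this example only.
public class DemoValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName != "alice" || password != "placeholder-password")
            throw new SecurityTokenException("Unknown username or incorrect password.");
    }
}

public static class HostSetup
{
    // Message security over wsHttpBinding (internet): the client proves identity
    // with UserName/password inside the SOAP message; the service proves identity
    // with its X.509 certificate, whose public key the client uses to encrypt.
    public static WSHttpBinding MessageSecurityBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = true; // secure session
        return binding;
    }

    // Transport security over netTcpBinding (intranet, point to point):
    // Windows credentials negotiated at the transport layer.
    public static NetTcpBinding TransportSecurityBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return binding;
    }

    // Mixed mode over basicHttpBinding: TLS protects the channel, the UserName
    // credential travels in the message. Needs an https base address.
    public static BasicHttpBinding MixedModeBinding()
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
        return binding;
    }

    public static ServiceHost Open(Uri baseAddress)
    {
        var host = new ServiceHost(typeof(GreeterService), baseAddress);
        host.AddServiceEndpoint(typeof(IGreeter), MessageSecurityBinding(), "greeter");

        // <serviceCredentials>: service certificate plus the custom UserName validator.
        var creds = host.Credentials;
        creds.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "localhost"); // subject name is a placeholder
        creds.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        creds.UserNameAuthentication.CustomUserNamePasswordValidator = new DemoValidator();

        // <serviceAuthorization principalPermissionMode="UseAspNetRoles"/>
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles;
        host.Authorization.ImpersonateCallerForAllOperations = false;

        host.Open();
        return host;
    }
}
```

UseAspNetRoles resolves the role named in the PrincipalPermission demand through the configured ASP.NET role provider, so the "Users" role only exists if such a provider is set up; the WCF default, UseWindowsGroups, checks Windows group membership instead and only fits the Windows credential types. TransportSecurityBinding and MixedModeBinding are shown for comparison with the message-security endpoint the host actually opens; a netTcp endpoint needs a net.tcp base address and the mixed-mode endpoint an https one.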