Windows Communication Foundation: The Security Model : Page 3

Securing communications has never been easier. See how to set up the Windows Communication Foundation (WCF) on your system, and use configuration-based security to add or change the security requirements for your applications.

Programming Security
Developing secure applications in WCF is pretty straightforward. There are many methods by which you can secure an application, but this article concentrates on the WS-Security methodologies. In the WCF primer you built a simple service that converts temperatures from Fahrenheit to Centigrade and vice versa. In this article, you'll see how simple it is to adjust that example to handle authentication and authorization credentials.

When building services for security, the key is in how you configure the web.config file at the service level. You configure security in the bindings node, which is best demonstrated by an example. To configure your service to handle WS-Security with Windows Authentication, you would define a bindings node like this:

<bindings>
  <wsHttpBinding>
    <binding configurationName="Binding1">
      <security mode="Message">
        <message clientCredentialType="Windows"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

That configuration applies "Message" security to the binding called Binding1, using the message credential type "Windows." The user's Windows identity is therefore passed to the service, where it can be inspected to apply specific permissions. Within the service, you can use the CurrentPrincipal entity to retrieve details about the caller. For example, if you simply want the caller's name you could use code like this:

using System.Threading;

// The principal for the current call; Identity.Name is the caller's Windows account name.
String strName = Thread.CurrentPrincipal.Identity.Name;
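Reading the name is only half the story: a service should also check that the caller was actually authenticated and is allowed to invoke the operation. The following is an added example, not code from the article; it puts the temperature-conversion service behind the Binding1 configuration above and uses the principal for a group-membership check. The contract name, operation and group name are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.Threading;

// Added example (not from the article). The contract and the group name
// are hypothetical; substitute the group that should be allowed.
[ServiceContract]
public interface ITemperatureService
{
    [OperationContract]
    double FahrenheitToCelsius(double fahrenheit);
}

public class TemperatureService : ITemperatureService
{
    private const string AllowedGroup = @"BUILTIN\Users"; // hypothetical

    public double FahrenheitToCelsius(double fahrenheit)
    {
        // With clientCredentialType="Windows" the binding populates this
        // with the caller's Windows principal before the operation runs.
        IPrincipal caller = Thread.CurrentPrincipal;

        // Do not assume the binding rejected anonymous callers; check it.
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new FaultException("Caller is not authenticated.");

        // Coarse authorization: membership in a Windows group.
        if (!caller.IsInRole(AllowedGroup))
            throw new FaultException("Caller " + caller.Identity.Name
                                     + " is not permitted to call this operation.");

        return (fahrenheit - 32.0) * 5.0 / 9.0;
    }
}
```

In released versions of WCF, whether Thread.CurrentPrincipal carries a Windows principal with group information is controlled by the principalPermissionMode setting of the serviceAuthorization behavior (UseWindowsGroups is the default); if that setting is changed, IsInRole will silently return false, so the check above fails closed rather than open.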

Although configuring security in a configuration file rather than in code may seem dangerous, it makes switching to a different authentication scheme very straightforward under WCF. For example, if you wanted to use a certificate-based authentication scheme instead, you would first need a set of certificates. You can create and install these using the makecert.exe and certmgr.exe utilities in the following fashion from a DOS prompt or in a batch file:

To delete existing client certificates:

certmgr -del -r CurrentUser -s My -c -n %CLIENT_NAME%
certmgr -del -r CurrentUser -s TrustedPeople -c -n %SERVER_NAME%

To delete existing server certificates:

certmgr -del -r LocalMachine -s My -c -n %SERVER_NAME%
certmgr -del -r LocalMachine -s TrustedPeople -c -n %CLIENT_NAME%

To create new client certificates:

makecert.exe -sr CurrentUser -ss MY -a sha1 -n CN=%CLIENT_NAME% -sky exchange -pe
certmgr.exe -add -r CurrentUser -s My -c -n %CLIENT_NAME% -r LocalMachine -s TrustedPeople
makecert.exe -sr LocalMachine -ss MY -a sha1 -n CN=%SERVER_NAME% -sky exchange -pe

To copy server certificates to a client's CurrentUser store and set privileges:

certmgr.exe -add -r LocalMachine -s My -c -n %SERVER_NAME% -r CurrentUser -s TrustedPeople
for /F "delims=" %%i in ('"%WINFXSDK%\bin\FindPrivateKey.exe" My LocalMachine -n CN^=%SERVER_NAME% -a') do set PRIVATE_KEY_FILE=%%i
set WP_ACCOUNT=NT AUTHORITY\NETWORK SERVICE
(ver | findstr "5.1") && Set WP_ACCOUNT=%COMPUTERNAME%\ASPNET
echo Y|cacls.exe "%PRIVATE_KEY_FILE%" /E /G "%WP_ACCOUNT%":R
iisreset
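After running the commands above it is worth confirming that each certificate actually landed in the store the configuration will look in, and that the server certificate still carries its private key (a certificate copied without its key will authenticate nothing). The following is an added example, not code from the article or the SDK samples; it enumerates the four store placements the batch commands make. The subject names are placeholders standing in for %CLIENT_NAME% and %SERVER_NAME%.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the article): verify the certificate placement
// produced by the makecert/certmgr commands. Subject names are placeholders.
public static class CertificateStoreCheck
{
    // Returns true if a certificate whose subject contains subjectName is
    // present in the given store, optionally requiring a private key.
    public static bool Exists(StoreLocation location, StoreName store,
                              string subjectName, bool requirePrivateKey)
    {
        X509Store s = new X509Store(store, location);
        s.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly:false so self-signed test certificates are returned too.
            X509Certificate2Collection found = s.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, false);
            foreach (X509Certificate2 cert in found)
            {
                if (!requirePrivateKey || cert.HasPrivateKey)
                    return true;
            }
            return false;
        }
        finally
        {
            s.Close();
        }
    }

    public static void Main()
    {
        string client = "client.example"; // placeholder for %CLIENT_NAME%
        string server = "server.example"; // placeholder for %SERVER_NAME%

        // Mirrors the four placements made by the batch commands above.
        Console.WriteLine("client cert + key in CurrentUser\\My:       {0}",
            Exists(StoreLocation.CurrentUser, StoreName.My, client, true));
        Console.WriteLine("client cert in LocalMachine\\TrustedPeople: {0}",
            Exists(StoreLocation.LocalMachine, StoreName.TrustedPeople, client, false));
        Console.WriteLine("server cert + key in LocalMachine\\My:      {0}",
            Exists(StoreLocation.LocalMachine, StoreName.My, server, true));
        Console.WriteLine("server cert in CurrentUser\\TrustedPeople:  {0}",
            Exists(StoreLocation.CurrentUser, StoreName.TrustedPeople, server, false));
    }
}
```

A false for the LocalMachine\My line with requirePrivateKey set usually means the key file's ACL (the cacls step) is the next thing to inspect, since the worker-process account must be able to read it for the service to present the certificate.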

The preceding commands may seem like a bit of a mouthful, but you'll soon get used to them. As I mentioned earlier, the install copies but does not install the samples; if you unzip the AllSamples.zip file that comes with the WinFX SDK you'll find lots of samples showing how to use WCF. When a sample uses certificates, you'll find a batch file already present that executes all these commands for you. For example, check out the sample in the Basic\Binding\WSProfile\WSSecurity\Certificate subdirectory.
