

Windows Communication Foundation: The Security Model : Page 4

Securing communications has never been easier. See how to set up the Windows Communication Foundation (WCF) on your system, and use configuration-based security to add or change the security requirements for your applications.





Configuring Security Certificates
After you have a certificate, you can use it to authenticate yourself to the service. To set the service up to handle the certificate, configure the endpoint in web.config as follows:

<bindings>
  <wsHttpBinding>
    <binding configurationName="Binding1">
      <security mode="Message">
        <message clientCredentialType="Certificate"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

This probably looks familiar—and it should, because it's almost identical to the way that you set up the configuration for Windows authentication earlier. All you have to do is change the message client credential type to 'Certificate'.

To recap—each service is configured with a service description in web.config that specifies the endpoint and the behavior. The endpoint specifies the binding. The binding specifies the security type. The knee bone is connected to the thigh bone, etc.

Finally, you need to set up the binding behavior to inform the service of the certificate and how to handle it. To do that, you configure the behavior (pointed to by the service configuration) to recognize the certificate. You would do it something like this:

<behaviors>
  <behavior configurationName="TemperatureServiceBehavior"
            returnUnknownExceptionsAsFaults="true">
    <serviceCredentials>
      <serviceCertificate findValue="localhost"
                          storeLocation="LocalMachine"
                          storeName="My"
                          x509FindType="FindBySubjectName" />
    </serviceCredentials>
  </behavior>
</behaviors>

As you can see, the preceding behavior is set up with service credentials configured to use a service certificate.

On the server side, pulling information out of the security context is a little different. Because this is certificate-based, you don't use the Windows Principal object—you use the ServiceSecurityContext object instead (found in the System.ServiceModel namespace, the core of WCF) like this:

String strName = ServiceSecurityContext.Current.PrimaryIdentity.ToString();
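The one-line lookup above gives you a display string; for an authorization decision you usually want the certificate itself. The following is an added example, not code from the article or the WinFX samples: it pulls the caller's X.509 certificate out of the security context's claim sets and checks its thumbprint against an allow-list. It assumes the released System.ServiceModel and System.IdentityModel APIs; the class name, method names, and the thumbprint placeholder are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical helper; not part of the article's TemperatureService sample.
public static class CallerCertificate
{
    // Placeholder allow-list: replace with the thumbprints of the client
    // certificates you have actually issued.
    private static readonly HashSet<string> AllowedThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "<CLIENT-CERT-THUMBPRINT-PLACEHOLDER>"
        };

    // Returns the certificate the caller authenticated with, or null when the
    // call carries no security context, is anonymous, or used another
    // credential type (for example Windows credentials).
    public static X509Certificate2 Find(ServiceSecurityContext context)
    {
        if (context == null || context.IsAnonymous)
            return null;

        foreach (ClaimSet claimSet in context.AuthorizationContext.ClaimSets)
        {
            X509CertificateClaimSet certClaims = claimSet as X509CertificateClaimSet;
            if (certClaims != null)
                return certClaims.X509Certificate;
        }
        return null;
    }

    // Call at the top of a service operation. Throws unless the caller
    // presented an allow-listed certificate; returns the subject for logging.
    public static string DemandKnownCaller()
    {
        X509Certificate2 cert = Find(ServiceSecurityContext.Current);
        if (cert == null || !AllowedThumbprints.Contains(cert.Thumbprint))
            throw new SecurityAccessDeniedException(
                "Caller certificate is not authorized.");
        return cert.Subject;
    }
}
```

Comparing thumbprints rather than subject names avoids accepting a different certificate that merely carries the same subject.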

Setting up your client to pass certificates to the server is also pretty straightforward. You simply generate the proxy using the svcutil tool (see the WCF primer article for more details) and consume the proxy within your client code.

Security is at the heart of the Windows Communication Foundation, which has been designed carefully to allow you to build security into your applications as unobtrusively as possible. As demonstrated in this article, you were able to build a service/client pair for Windows-based and Certificate-based WS-Security without changing your code in any great way—the changes were all configuration driven. This is the heart of WCF; it lets you concentrate on building business logic, and then empower it for secure, reliable, and transactable connectivity in as easy a way as possible.

At this point, getting WCF up and running with a development environment is difficult, but that will improve over time. By carefully following the installation procedures and sequences described in this article, you should be able to get up and running quickly (it took me several days to set up my first system, but after working out the kinks and following the installation procedures, I got it down to a couple of hours). The best resource to work from (other than this article!) is to unzip the Allsamples.zip file that gets installed with the WinFX SDK. I recommend that you use those samples as a reference for configuring security in your WCF applications, as there are many examples, each having a configuration for each type of security methodology. Above all, have fun!

Laurence Moroney is a freelance enterprise architect who specializes in designing and implementing service-oriented applications and environments using .NET, J2EE, or (preferably) both. He has authored books on .NET and Web services security, and more than 30 professional articles. A former Wall Street architect, and security analyst, he also dabbles in journalism, reporting for professional sports. You can find his blog at http://www.philotic.com/blog.