qkev111
0 Points
1 Post
Securing WCF service for both intranet and internet consumers
Feb 26, 2013 02:51 PM
I have read several - too many probably - articles on ways to secure WCF services, from custom token creation, x509 certificates, using GUIDs as tokens, WCF extensions, etc. And to be honest, I am a bit lost - it seems there are just SO many different ways to do it. Here is what my manager is asking: we have a library of WCF services that will be accessed both by users with domain (Windows AD) accounts and by users coming from the internet. They want me to implement some kind of security mechanism that will ensure that only those users/machines/applications that we want to access the services can access them. Simple enough.
My boss has asked me to accomplish this using WCF extensions, presumably as in this example:
http://msdn.microsoft.com/en-us/library/ms731872.aspx
HIS boss mentioned something about just using GUIDs for tokens instead of x509 certs. So now I am wondering - if we want message level security, won't we need to use either x509 certs, or do some kind of encryption to keep whatever info is being used for authentication (username, password) from being sent in clear text?
Sorry if this is all confusing, but if it is, then it clearly captures my thoughts at this time.
Haixia Xie -...
Contributor
3087 Points
298 Posts
Microsoft
Re: Securing WCF service for both intranet and internet consumers
Mar 05, 2013 07:16 AM
Hi,
If you use message level security for your service, there are various ways you can use to authenticate your clients (you can set it with clientCredentialType); it can be an anonymous client, a certificate client or a Windows client, etc. Something like:

    <bindings>
      <netTcpBinding>
        <binding name="Windows">
          <security mode="Message">
            <message clientCredentialType="Windows" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>

You can check some common security scenarios.
http://msdn.microsoft.com/en-us/library/ms730301.aspx
Best Regards.
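As an added example (not from the answer above or from any Microsoft sample), the following self-hosted WCF service exposes the same contract on two endpoints: a net.tcp endpoint with Windows message credentials for the domain users, and a WS-HTTP endpoint with UserName message credentials for internet users. The point it illustrates for the original question is that UserName credentials under message security still require a service certificate, because WCF uses it to encrypt the username/password token in transit. The certificate subject name, the port numbers and the in-memory user table are placeholders/constructed values.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IOrders { [OperationContract] string Ping(); }

public class OrdersService : IOrders { public string Ping() { return "ok"; } }

// Validates internet users. Constructed sample table; in production look the user up
// in your own store and compare a salted hash, never a stored plaintext password.
public class StoreUserNameValidator : UserNamePasswordValidator
{
    private static readonly Dictionary<string, string> Users =
        new Dictionary<string, string> { { "alice", "correct horse battery staple" } };

    public override void Validate(string userName, string password)
    {
        string expected;
        if (!Users.TryGetValue(userName, out expected) || expected != password)
            throw new SecurityTokenException("Unknown user or bad password."); // WCF returns a SOAP fault
    }
}

class Program
{
    static void Main()
    {
        var host = new ServiceHost(typeof(OrdersService));

        // Intranet endpoint: Windows (Kerberos/NTLM) credentials at the message level; no service cert needed.
        var intranet = new NetTcpBinding(SecurityMode.Message);
        intranet.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        host.AddServiceEndpoint(typeof(IOrders), intranet, "net.tcp://localhost:9001/orders");

        // Internet endpoint: username/password at the message level. The token is encrypted with the
        // service certificate below, so the password is never sent in clear text.
        var internet = new WSHttpBinding(SecurityMode.Message);
        internet.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        host.AddServiceEndpoint(typeof(IOrders), internet, "http://localhost:9002/orders");

        host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "orders.example.com"); // placeholder subject name
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new StoreUserNameValidator();

        host.Open();
        Console.WriteLine("Listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

Clients of the internet endpoint must trust the service certificate (or the CA that issued it) for the encryption to offer any protection; a GUID handed out as a token would only replace the password as the secret, not remove the need for that encryption.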