WCF Security & Types

WCF implements two types of security:
Transport level: securing the medium over which the data travels.
Message level: securing the actual data packets sent by WCF.

The transport medium (HTTP, TCP, MSMQ, etc.) itself provides security features; for example, HTTP can be secured with SSL (HTTPS).

Message security is provided through WS-Security, for example a message encrypted with an encryption algorithm, a message encrypted with an X.509 certificate, or a message protected with a username/password.

WCF gives the option to use message-level or transport-level security on its own, or a combination of both.

We will implement the combination of both below.

Step 1:- Customize the wsHttp binding with security mode & credential type
Configure the wsHttp binding with a security mode and a credential type. There are three options for the security mode:
Transport,
Message &
TransportWithMessageCredential

Since we are implementing dual security, we will use the TransportWithMessageCredential mode, where transport-level security is provided by SSL and message security is provided by a username and password.
Secondly, the credential type needs to be chosen from:
None,
Windows,
UserName,
Certificate &
IssuedToken

We will use UserName as the credential type.
Below are the changes made in web.config:

<bindings>
  <wsHttpBinding>
    <binding name="Binding1">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

Step 2:- Create a custom validator class
After customizing the wsHttp binding, we need to create a custom validator class for authentication.
To create the custom validator class, inherit from the "UserNamePasswordValidator" class and override its Validate() method.

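using System.IdentityModel.Selectors;
using System.ServiceModel;

// Custom validator that WCF calls for every username/password credential.
public class MyValidator : UserNamePasswordValidator
{
    // Validate is public in the base class, so the override must be public too.
    public override void Validate(string userName, string password)
    {
        if (userName == "Dev" && password == "pass123")
        {
            // Credentials are valid: return normally so the call proceeds.
        }
        else
        {
            // Reject the call; the client receives this fault.
            throw new FaultException("Invalid Credentials");
        }
    }
}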

If the credentials are not valid, the FaultException is handled by the WCF client.

Step 3:- Define the runtime behavior
Now the MyValidator class needs to be executed for the username that the WCF client provides to the WCF service. For this we add a behavior:

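<behaviors>
  <serviceBehaviors>
    <!-- serviceCredentials must sit inside a behavior element. A behavior without
         a name is the default in .NET 4 and later; on earlier versions give it a
         name and reference it from the service's behaviorConfiguration. -->
    <behavior>
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="Custom"
                                customUserNamePasswordValidatorType="MyValidator" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>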

Step 4:- Define SSL for your WCF service
Step 5:- Consume the WCF service
Step 6:- Run the WCF service
The above three steps are explained at the link below:
http://www.dotnetfunda.com/articles/article891-6-steps-to-implement-dual-security-on-wcf-using-user-name-ssl.aspx
