WCF : Security

1.    When speaking on WCF security what all is controllable?

When accessing WCF service we can control following:

ü  Can any client call the service or do you want to control who can call the service?

ü  Can any client call any method of the service or do you want to control what clients can call what methods?

ü  Can any client execute all of the code in a method or do you want to control what clients can execute what code?

2.    What do you mean by authentication and authorization in WCF Service?

ü  Authentication enables you to identify clients that call the service. Authorization enables you to determine what operations authenticated clients can access. You will typically base authorization on roles.

ü  Clients can identify themselves by providing evidence such as a Windows account, a user name / password or a certificate. Clients must also know that they are calling the service they intend to call. Services can identify themselves by providing a certificate.

3.    What are the various security WCF provides out of box?

a.       Transport level Security

b.       Message level security

ü  If you use transport security, security occurs at the transport level. The packets sent “on the wire” include the caller’s credentials and the message. Both of which are encrypted using whatever mechanism the transport protocol uses. For example, if you use TCP, you will likely use Transport Layer Security (TLS) and if you use HTTPS, you will likely use Secure Sockets Layer (SSL).

ü  If you use message security, the caller’s credentials are included in the message and the message is encrypted using the WS-Security specification.

4.    Compare and Contrast transport-level security/message level security?

ü  It is generally faster to encrypt and decrypt messages that use transport security and you can benefit from hardware acceleration to improve performance.

ü  A downside to transport security is that messages are encrypted only from point to point. Suppose a client sends a message to a service. The client encrypts the message and the service decrypts it. If the service then forwards the message to another service, the service forwarding the message will not automatically encrypt it. This is not an issue with message security because the service will encrypt the message before passing it on to another service.

ü  A downside to message security is that it requires both clients and services to support the WS-Security specification. Transport security does not have this requirement and is therefore more interoperable.

5.    What are various security configurations possible with WCF?

ü  None. Messages are not secured.

ü  Transport. Messages are secured using transport security. You will use this in the sample applications that demonstrate the first two scenarios (internal self-hosted and Web-hosted services).

ü  Message. Messages are secured using message security. You will use this in the sample application that demonstrates the first scenario (internal self-hosted service).

ü  TransportWithMessageCredential. Message protection and authorization occur at the transport level and credentials are passed with the message.

ü  TransportCredentialOnly. Credentials are passed at the transport level but the message is not encrypted. This option is available only if you are using the BasicHttpBinding binding.

ü  Both. Messages are secured using both transport level and message level security. This is supported only if you are using Microsoft Message Queue Server.

6.    What are the bindings that support message level security?

ü  WSHttpBinding,

ü  WS2007HttpBinding,

ü  WSDualHttpBinding,

ü  WSFederationBinding and

ü  WS2007FederationBinding.

7.    What are the bindings that support transport level security?

ü   NetTcpBinding,

ü  NetNamedPipesBinding,

ü   NetMsmqBinding,

ü  NePeerBinding and

ü  MsmqIntegrationBinding.

8.    Which binding uses no security?

ü  By default, the BasicHttpBinding binding uses None as its security mode

9.    Which all credential type WCF supports when using Transport level security for authentication?

ü  Windows. The client uses a Windows token representing the logged in user’s Windows identity. The service uses the credentials of the process identity or an SSL certificate. You will use this in the sample application that demonstrates the first scenario (internal self-hosted service).

ü  Basic. The client passes a user name and password to the service. Typically, the user will enter the user name and password in a login dialog box. The service uses a SSL certificate. This option is available only with HTTP protocols. You will use this in the sample application that demonstrates the second scenario (internal Web-hosted service).

ü  Certificate. The client uses an X.509 certificate and the service uses either that certificate or an SSL certificate.

ü  NTLM. The service validates the client using a challenge/response scheme against Windows accounts. The service uses a SSL certificate. This option is available only with HTTP protocols.

ü  None. The service does not validate the client.

10.Which all credential type WCF supports when using Message level security for authentication?

ü  Windows. The client uses a Windows token representing the logged in user’s Windows identity. The service uses the credentials of the process identity or an SSL certificate. You will use this in the sample application that demonstrates the first scenario (internal self-hosted service).

ü  UserName. The client passes a user name and password to the service. Typically, the user will enter the user name and password in a login dialog box. The service can validate the user name and password using a Windows account or the ASP.NET membership provider. You will use this in the sample application that demonstrates the third scenario (public Web-hosted service).

ü  Certificate. The client uses an X.509 certificate and the service uses either that certificate or an SSL certificate.

ü  IssueToken. The client and service use the Secure Token Service, which issues tokens the client and service trust. Windows CardSpace uses the Secure Token Service.

ü  None. The service does not validate the client.

11.How does WCF authorize a user?

ü  Role-based. Access to a service and to operations of the service is based on the user’s role. All of the samples in this tutorial demonstrate the use of role-based authorization.

ü  Identity based. Access is based on claims made within the user’s credentials. This is an extension to role-based authorization and provides a more fine grained approach. This approach will typically be used with issue token authentication.

ü  Resource based. Resources, such as WCF services, are secured using Windows Access Control Lists (ACLs).

When deciding the user role following are the options.

ü  Windows groups. You can use the built-in Windows groups such as Administrators or Power Users or create your own Windows groups. internal self-hosted and Web-hosted services.

ü  Custom roles. You can create roles that are specific to your application, such as Manager, Employee, Administrator, etc.

ü  ASP.NET role management. You can use the ASP.NET role provider and use roles you have defined for a Web site. Public Web-hosted service.