WCF FAQ Part 3.doc


  • 8/10/2019 WCF FAQ Part 3.doc

    1/34

    WCF FAQ Part 3 - 10 security related FAQ

    Introduction and Goal
    WCF FAQ Part 1 and 2 series
    What are the core security features that WCF addresses?
    What is transport level and message level security?
    For which bindings are transport, message and mixed mode supported?
    So what are the scenarios, advantages and disadvantages of transport VS message security?
    Can you explain a simple example of how to implement transport security?
    Can you show a simple example of message level security?
    What is the difference between BasicHttpBinding and WsHttpBinding?
    Can you show the security differences between BasicHttpBinding VS WsHttpBinding?
    When should we use WsHttp as compared to BasicHttp?
    How can we enable windows authentication on WCF using 'BasicHttpBinding'?
    Source Code

    Introduction and Goal

    In this article we will start with transport and message security understanding. We will then see simple code samples of how to implement transport and message security using WsHTTP bindings. We will also see what the difference is between BasicHttpBinding and WsHttpBinding with the help of a simple source code. WCF security is a huge topic by itself, but we are sure with this article you will get a quick start of how to go about WCF security.

    I have collected around 400 FAQ questions and answers in WCF, WPF, WWF, SharePoint, design patterns, UML etc. Feel free to download these FAQ PDFs from my site http://www.questpond.com

    WCF FAQ Part 1 and 2 series


    What is transport level and message level security?

    When we talk about WCF security there are two aspects: the first is the data and the second is the medium on which the data travels, i.e. the protocol. WCF has the ability to apply security at the transport level (i.e. protocol level) and also at message level (i.e. data).


    Figure: - Transport and Message level security

    Transport level security happens at the channel level. Transport level security is the easiest to implement as it happens at the communication level. WCF uses transport protocols like TCP, HTTP, MSMQ etc. and each of these protocols has its own security mechanisms. One of the common implementations of transport level security is HTTPS. HTTPS is implemented over the HTTP protocol with SSL providing the security mechanism. No coding change is required; it's more a matter of using the existing security mechanism provided by the protocol.

    Message level security is implemented with the message data itself. Due to this it is independent of the protocol. One of the common ways of implementing message level security is by encrypting data using some standard encryption algorithm.

    For which bindings are transport, message and mixed mode supported?

    Note :- The below table is taken from the book Pro WCF: Practical Microsoft SOA Implementation -- Chris Peiris and Dennis Mulder - Apress 2007

    Below is a table which shows for which binding which mode is supported. We did not discuss the mixed mode. It's nothing but a combination of transport and message mode. For instance, data encrypted and passed over WsHttp using HTTPS is a mixed mode of security. Encryption is nothing but message security and HTTPS is a transport mode. In combination they form mixed mode.

    | Binding | Transport Mode? | Message Mode? | Mixed Mode? |
    |---|---|---|---|
    | BasicHttpBinding | Yes | Yes | Yes |
    | WsHttpBinding | Yes | Yes | Yes |
    | WsDualHttpBinding | No | Yes | No |
    | NetTcpBinding | Yes | Yes | Yes |
    | NetNamedPipeBinding | Yes | No | No |
    | NetMsmqBinding | Yes | Yes | No |
    | MsmqIntegrationBinding | Yes | No | No |

    So what are the scenarios, advantages and disadvantages of transport VS message security?

    | | Transport | Message |
    |---|---|---|
    | Scenarios when we should be using one of them | When there are no intermediate systems in between this is the best methodology. If it's an intranet type of solution this is the most recommended methodology. | When there are intermediate systems, like one more WCF service through which the message is routed, then message security is the way to go. |
    | Advantages | Does not need any extra coding as protocol inherent security is used. Performance is better as we can use hardware accelerators to enhance performance. There is a lot of interoperability support and communicating clients do not need to understand WS security as it's built into the protocol itself. | Provides end to end security as it's not dependent on protocol. Any intermediate hop in the network does not affect the application. Supports a wide set of security options as it is not dependent on protocol. We can also implement custom security. |
    | Disadvantages | As it's a protocol implemented security it works only point to point. As security is dependent on protocol it has limited security support and is bounded to the protocol security limitations. | Needs application refactoring to implement security. As every message is encrypted and signed there are performance issues. Does not support interoperability with old ASMX webservices. |

    Figure: - *oute paths

    Can you explain a simple example of how to implement transport security?

    Let's make a simple sample which will demonstrate how we can use transport security using WsHttp binding with HTTPS security.

    Step 1 - Create a simple service using WCF project

    The first step is to create a simple WCF pro

        public class Service1 : IService1
        {
            public string GetData(int value)
            {
                return string.Format("You entered: {0}", value);
            }

            public CompositeType GetDataUsingDataContract(CompositeType composite)
            {
                if (composite.BoolValue)
                {
                    composite.StringValue += "Suffix";
                }
                return composite;
            }
        }

    Step 2 - Enable transport level security in the web.config file of the service

    The next step is to enable transport security in the WsHttp binding. This is done using the 'Security' XML tag as shown in the below code snippet.

        <bindings>
          <wsHttpBinding>
            <binding name="TransportSecurity">
              <security mode="Transport">
                <transport clientCredentialType="None"/>
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>

    Step 3 - Tie up the binding and specify HTTPS configuration

    We now need to tie up the bindings with the end points. So use the bindingConfiguration tag to specify the binding name. We also need to specify the address where the service is hosted. Please note the HTTPS in the address tag.

    Change mexHttpBinding to mexHttpsBinding in the second end point.

        <service name="WCFWSHttps.Service1" behaviorConfiguration="WCFWSHttps.Service1Behavior">
          <!-- Service Endpoints -->
          <endpoint address="https://localhost/WCFWSHttps/Service1.svc"
                    binding="wsHttpBinding"
                    bindingConfiguration="TransportSecurity"
                    contract="WCFWSHttps.IService1"/>
          <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>
        </service>


    In the serviceMetadata we also need to change httpGetEnabled to httpsGetEnabled.

        <serviceBehaviors>
          ........
          <serviceMetadata httpsGetEnabled="true"/>
          .........
        </serviceBehaviors>

    Step 4 - Make the web application HTTPS enabled

    Now that we are done with the WCF service pro


    Now it's time to assign this certificate to your IIS website. So go to IIS properties, click on the directory security tab and you should see the server certificate tab.

    So click on the server certificate tab and you will then be walked through an IIS certificate wizard. Click Assign an existing certificate from the wizard.

    You can see a list of certificates. The "compaq-

    Do not forget to enable IIS anonymous access.

    Step 5 - Consume the service in a web application

    It's time to consume the service application in an ASP.NET web application. So click on add service reference and specify your service URL. You will be shown a warning box as shown in the below figure. When we used makecert.exe we did not specify the host name as the service URL. So


    Step 6 - Suppress the HTTPS errors

    makecert.exe creates test certificates. In other words, they are not signed by a CA. So we need to suppress those errors in our ASP.NET client consumer. So we have created a function called IgnoreCertificateErrorHandler which returns true even if there are errors. This function is attached as a callback to ServicePointManager.ServerCertificateValidationCallback.

    In the same code you can also see the service consuming code which calls the GetData function.

        using System;
        using System.Collections.Generic;
        using WebApplicationConsumer.ServiceReference1;
        using System.Net;
        using System.Net.Security;
        using System.Security.Cryptography.X509Certificates;

        namespace WebApplicationConsumer
        {
            public partial class _Default : System.Web.UI.Page
            {
                protected void Page_Load(object sender, EventArgs e)
                {
                    // Attach the handler before the first HTTPS call is made.
                    ServicePointManager.ServerCertificateValidationCallback =
                        new RemoteCertificateValidationCallback(IgnoreCertificateErrorHandler);

                    // Consume the service through the generated proxy.
                    Service1Client obj = new Service1Client();
                    Response.Write(obj.GetData(1));
                }

                // Returns true even if there are errors, so the makecert test certificate is accepted.
                public static bool IgnoreCertificateErrorHandler(object sender,
                    X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
                {
                    return true;
                }
            }
        }
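The callback in Step 6 is process-wide and accepts every certificate, so it must not outlive the test setup. As an added example (not part of the original article), here is a callback that makes an exception only for one known test certificate on one host; the class name, the host name and the fingerprint placeholder are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example; TestCertificatePinning is a hypothetical helper class.
public static class TestCertificatePinning
{
    // Placeholder: SHA-256 of the makecert test certificate, hex without separators.
    private const string PinnedSha256 = "REPLACE_WITH_SHA256_OF_YOUR_TEST_CERTIFICATE";

    // Assumed host name of the development service.
    private const string DevHost = "localhost";

    // Call once, before the first Service1Client call.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // A certificate that already validates needs no exception.
        if (errors == SslPolicyErrors.None)
            return true;

        if (certificate == null)
            return false;

        // The exception applies to the development host only.
        var request = sender as HttpWebRequest;
        if (request == null ||
            !string.Equals(request.RequestUri.Host, DevHost, StringComparison.OrdinalIgnoreCase))
            return false;

        // Accept the untrusted certificate only if it is exactly the pinned one.
        return string.Equals(Sha256Hex(certificate), PinnedSha256,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Fingerprint of the DER-encoded certificate.
    public static string Sha256Hex(X509Certificate certificate)
    {
        using (SHA256 sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(certificate.GetRawCertData());
            return BitConverter.ToString(digest).Replace("-", string.Empty);
        }
    }
}
```

Once the service has a CA-issued certificate whose name matches the service URL, the callback can be removed entirely and the default validation applies.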

    Step 7 - Enjoy success

    Now to the easiest step, compile your ASP.NET client and en


        makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=WCfServer -sky exchange -pe

        makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=WcfClient -sky exchange -pe

    Below is a detailed explanation of the various attributes specified in the makecert.exe command.

    | Attribute | Explanation |
    |---|---|
    | -sr | Specifies the registry location of the certificate store. The Sub [...] or SHA1. |
    | -n | Specifies a name for the certificate. This name must conform to the X.500 standard. The simplest method is to use the "CN=MyName" format. If the /n switch is not specified, the default name of the certificate is "Joe's Software Emporium". |
    | -sky | Specifies the key type. Can be either exchange or signature. |
    | -pe | This makes the key exportable. |

    Note: - Makecert.exe is a free tool provided by Microsoft which helps to create an X.509 certificate that is signed by a system test root key or by another specified key. This is a test certificate and not a real one and should not be used for production purposes. For production buy proper certificates from Thawte, Verisign


    Step 2 - Copy the certificates in trusted people certificates

    Go to Start -> Run, type MMC and press enter. You will be popped with the MMC console. Click on File -> Add/remove snap-in.

    You will be popped up with an Add/Remove Snap-in dialog. Click on the add button, select certificates and select My user Account.

    You can see the certificates created for client and server in the personal certificates folder. We need to copy those certificates in the trusted people certificates folder.

    Step 3 - Specify the certification path and mode in the WCF service web.config file

    Now that we have created both the certificates we need to refer these certificates in our WCF pro

    Let's open the web.config file of the WCF service and enter two important things:

    Where the certificate is stored, its location, and how the WCF application should find it. This is defined using the serviceCertificate tag as shown in the below snippet.

    The certificationvalidationmode defines how client certificates will be authenticated.

    | Certification validation mode | Description |
    |---|---|
    | Chain trust | In this situation the client certificate is validated against the root certificate. |
    | Peer trust | PeerTrust ensures that the public key portion of the certificate is in the Trusted People certificate folder on the client's computer |
    | ChainOrPeertrust | This is |

        <serviceCertificate findValue="WCfServer" store

        using System.Web.UI;
        using System.Web.UI.WebControls;

        </endpointBehaviors>
        </behaviors>

    Step 8 - Tie up the behavior with end point on WCF client

    We need to tie up the above defined behavior with the end point. You can see we have bound the behavior using the behaviorConfiguration property. We also need to specify that the DNS value will be WcfServer, which is your server certificate name.

        <client>
          <endpoint address="http://localhost:1KLM/Service1.svc"
                    binding="wsHttpBinding"
                    bindingConfiguration="WSHttpBinding_IService1"
                    contract="ServiceReference1.IService1"
                    name="WSHttpBinding_IService1"


    Below is a detailed comparison table between both the entities from security, compatibility, reliability and SOAP version perspective.

    | Criteria | BasicHttpBinding | WsHttpBinding |
    |---|---|---|
    | Security support | This supports the old ASMX style, i.e. WS-BasicProfile 1.1. | This exposes web services using WS-* specifications. |
    | Compatibility | This is aimed at clients who do not have .NET 3.0 installed and it supports a wider range of clients. Many clients like Windows 2000 still do not run .NET 3.0. So older versions of .NET can consume this service. | As it's built using WS-* specifications it does not support a wider range of clients and it cannot be consumed by older .NET versions less than version 3. |
    | Soap version | SOAP 1.1 | SOAP 1.2 and WS-Addressing specification. |
    | Reliable messaging | Not supported. In other words if a client fires two or three calls you really do not know they will return back in the same order. | Supported as it supports WS-* specifications. |
    | Default security options | By default there is no security provided for messages when the client calls happen. In other words data is sent as plain text. | As WsHttpBinding supports WS-* it has WS-Security enabled by default. So the data is not sent in plain text. |
    | Security options | None; Windows - default authentication; Basic; Certificate | None; Transport; Message; Transport with message credentials. |

    One of the biggest differences you must have noticed is the security aspect. By default BasicHttpBinding sends data in plain text while WsHttpBinding sends it in an encrypted and secured manner. To demonstrate this, let's make two services, one using BasicHttpBinding and the other using WsHttpBinding, and then let's see the security aspect in a more detailed manner.

    We will do a small sample to see how BasicHttpBinding sends data in plain text format and how WsHttpBinding encrypts data.
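The default-security difference described above can also be checked in code before a service is opened. The following is an added example, not code from the original article; the class and method names are hypothetical and it assumes a .NET Framework project referencing System.ServiceModel.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;

// Added example; BindingSecurityReport is a hypothetical helper class.
public static class BindingSecurityReport
{
    // Ask the binding's own channel stack what protection it offers.
    private static ISecurityCapabilities Capabilities(Binding binding)
    {
        return binding.GetProperty<ISecurityCapabilities>(new BindingParameterCollection());
    }

    // True only when both directions are encrypted and signed.
    public static bool ProtectsMessages(Binding binding)
    {
        ISecurityCapabilities caps = Capabilities(binding);
        return caps != null
            && caps.SupportedRequestProtectionLevel == ProtectionLevel.EncryptAndSign
            && caps.SupportedResponseProtectionLevel == ProtectionLevel.EncryptAndSign;
    }

    public static string Describe(string label, Binding binding)
    {
        ISecurityCapabilities caps = Capabilities(binding);
        return string.Format(
            "{0,-30} scheme={1,-5} request={2,-14} serverAuth={3,-5} clientAuth={4}",
            label,
            binding.Scheme,
            caps == null ? ProtectionLevel.None : caps.SupportedRequestProtectionLevel,
            caps != null && caps.SupportsServerAuthentication,
            caps != null && caps.SupportsClientAuthentication);
    }

    // Call before host.Open() to refuse endpoints that would send plain text.
    public static void RequireProtectedEndpoints(ServiceHostBase host)
    {
        foreach (ServiceEndpoint endpoint in host.Description.Endpoints)
        {
            if (endpoint.Contract.ContractType == typeof(IMetadataExchange))
                continue; // metadata endpoints are handled separately

            if (!ProtectsMessages(endpoint.Binding))
                throw new InvalidOperationException(
                    "Endpoint " + endpoint.Address + " does not encrypt and sign messages.");
        }
    }

    public static void Main()
    {
        // Defaults: BasicHttpBinding uses BasicHttpSecurityMode.None,
        // WSHttpBinding uses SecurityMode.Message.
        Console.WriteLine(Describe("BasicHttpBinding (default)", new BasicHttpBinding()));
        Console.WriteLine(Describe("WSHttpBinding (default)", new WSHttpBinding()));

        // Security switched on for BasicHttpBinding (Transport mode, i.e. HTTPS).
        Console.WriteLine(Describe("BasicHttpBinding (Transport)",
            new BasicHttpBinding(BasicHttpSecurityMode.Transport)));

        // The transport-security WsHttp binding from the HTTPS walkthrough.
        var wsTransport = new WSHttpBinding(SecurityMode.Transport);
        wsTransport.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        Console.WriteLine(Describe("WSHttpBinding (Transport)", wsTransport));
    }
}
```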

    Note :- By default security is not enabled on 'BasicHttpBinding' for interoperability purposes. In other words it is like our old webservice, i.e. ASMX. But that does not mean we cannot enable security in 'BasicHttpBinding'. Some time back we had written an article on how to enable security on 'BasicHttpBinding' WCFBasicHttpBinding.aspx

    Can you show the security differences between BasicHttpBinding VS WsHttpBinding?

    In order to understand the security differences between both these entities we will do a small pro

        <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
        <serviceMetadata httpGetEnabled="true"/>
        <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
        <serviceDebug includeExceptionDetailInFaults="false"/>
        </behavior>
        </serviceBehaviors>
        </behaviors>
        </system.serviceModel>

    Step 2 - We also need to create one more service using WsHttpBinding. For that you do not need to do anything special as such. By default WCF pro

    GetData function which returns a string. The GetData function is a default function created WCF pro

    Step 5 - So now we are ready with the complete pro


    When should we use WsHttp as compared to BasicHttp?

    If you are looking for backward compatibility and to support a lot of clients then basic http binding is the way to go, or else WsHttp is the great way to start if you are seeing your clients made in .NET 3.0 and above.

    How can we enable windows authentication on WCF using 'BasicHttpBinding'?

    Step 1 - Create a pro

    Figure callouts: "Select this", "Circle WCF service application"

    By default the WCF pro

    Step 3 - The third step is to define the bindings and the transport type. To define the bindings we need to enter the basicHttpBinding element inside the bindings XML tag. We also need to define the clientCredentialType as windows.

        <system.serviceModel>
          <bindings>
            <basicHttpBinding>
              <binding name="BasicHttpEndpointBinding">
                <security mode="TransportCredentialOnly">
                  <transport clientCredentialType="Windows"/>
                </security>
              </binding>
            </basicHttpBinding>
          </bindings>
          <services>
          .........
        </system.serviceModel>

    Step 4 - Now the bindings defined need to be associated with the service interface, i.e. service1. So we need to modify the services elements as shown below. You can note that we have defined an end point which has the binding association.

        <system.serviceModel>
          ........
          <services>
            <service behaviorConfiguration="WCFWindowsBasicHttpBinding.Service1Behavior"
                     name="WCFWindowsBasicHttpBinding.Service1">
              <endpoint address=""
                        binding="basicHttpBinding"
                        bindingConfiguration="BasicHttpEndpointBinding"
                        name="BasicHttpEndpoint"
                        contract="WCFWindowsBasicHttpBinding.IService1">
                <identity>
                  <dns value="localhost"/>
                </identity>
              </endpoint>
            </service>
          </services>
          .........
        </system.serviceModel>

    So overall your <system.serviceModel> XML part as a whole with bindings and services is as shown below.

        <system.serviceModel>
          <bindings>
            <basicHttpBinding>
              <binding name="BasicHttpEndpointBinding">
                <security mode="TransportCredentialOnly">
                  <transport clientCredentialType="Windows"/>
                </security>
              </binding>
            </basicHttpBinding>
          </bindings>
          <services>
            <service behaviorConfiguration="WCFWindowsBasicHttpBinding.Service1Behavior"
                     name="WCFWindowsBasicHttpBinding.Service1">
              <endpoint address=""
                        binding="basicHttpBinding"
                        bindingConfiguration="BasicHttpEndpointBinding"
                        name="BasicHttpEndpoint"
                        contract="WCFWindowsBasicHttpBinding.IService1">
                <identity>
                  <dns value="localhost"/>
                </identity>
              </endpoint>
            </service>
          </services>
          <behaviors>
            <serviceBehaviors>
              <behavior name="WCFWindowsBasicHttpBinding.Service1Behavior">
                <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
                <serviceMetadata httpGetEnabled="true"/>
                <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
                <serviceDebug includeExceptionDetailInFaults="false"/>
              </behavior>
            </serviceBehaviors>
          </behaviors>
        </system.serviceModel>

    Step 5 - Go to IIS properties and click on the security tab and ensure that anonymous access is disabled and only windows authentication is enabled.

    Step 6 - We need to host our service in IIS. So make the directory an IIS application so that your service can be hosted. Now if you try to browse the service, i.e. the SVC file, you will see that it pops up the authentication authorization security dialog box. So this service cannot be executed with windows authentication.

    Step 7 - So let's consume this WCF service. So add an ASP.NET web application and do an add web reference. You will be popped up with a dialog box as shown below. Click on add reference so that a proxy is generated for the WCF service.

    Step 8 - Type in the following code snippet in your page load. So add the namespace reference and call the method GetData. The most important step to note is the credential supplied. DefaultCredentials passes the current windows identity to the WCF service.

    If you execute the service you should get the following display as shown below.
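As an added example (not from the original article), the same TransportCredentialOnly / Windows binding can be built in code and self-hosted in a console application instead of IIS, with the service reporting which Windows identity it authenticated. The contract, the class names and the address http://localhost:8000/WhoAmI are assumptions; listening on that address needs administrator rights or a URL reservation.

```csharp
using System;
using System.ServiceModel;

// Added example; IWhoAmI and WhoAmIService are hypothetical names.
[ServiceContract]
public interface IWhoAmI
{
    [OperationContract]
    string GetCaller();
}

public class WhoAmIService : IWhoAmI
{
    public string GetCaller()
    {
        // Populated by WCF once the HTTP Windows authentication handshake succeeded.
        ServiceSecurityContext context = ServiceSecurityContext.Current;
        if (context == null || context.IsAnonymous)
            throw new FaultException("Caller is not authenticated.");

        return context.WindowsIdentity.Name + " (" +
               context.WindowsIdentity.AuthenticationType + ")";
    }
}

public static class WindowsAuthDemo
{
    // Code equivalent of the BasicHttpEndpointBinding element shown in Step 3.
    // TransportCredentialOnly authenticates the caller over plain HTTP and does
    // not encrypt the message; for confidentiality use
    // BasicHttpSecurityMode.Transport with an https:// address instead.
    public static BasicHttpBinding CreateWindowsBinding()
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        return binding;
    }

    public static void Main()
    {
        var address = new Uri("http://localhost:8000/WhoAmI"); // assumed address

        var host = new ServiceHost(typeof(WhoAmIService));
        host.AddServiceEndpoint(typeof(IWhoAmI), CreateWindowsBinding(), address);
        host.Open();

        // The client sends the current Windows identity by default, which is what
        // DefaultCredentials does for the web reference proxy in Step 8.
        var factory = new ChannelFactory<IWhoAmI>(
            CreateWindowsBinding(), new EndpointAddress(address));
        IWhoAmI proxy = factory.CreateChannel();
        try
        {
            Console.WriteLine("Service authenticated: " + proxy.GetCaller());
            ((IClientChannel)proxy).Close();
            factory.Close();
        }
        catch (CommunicationException)
        {
            // Abort rather than Close when the channel has faulted.
            ((IClientChannel)proxy).Abort();
            factory.Abort();
            throw;
        }
        finally
        {
            host.Close();
        }
    }
}
```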
