When we talk about security, the following terms play an important role.
Authentication : Process of validating/identifying the sender and recipient of the message.
Authorization : Process of determining the rights of an authenticated user.
Confidentiality : Process of ensuring that only the intended recipient of the message can view the message. This can be achieved by encrypting the message.
Integrity : Ensuring that the message is not tampered with by a malicious user while it is being transmitted from sender to receiver. We can achieve this by signing the message.
By default, all the bindings provide the above security features except basicHttpBinding.
The following security modes can be used with a WCF service.
Transport Security : Securing the transport channel is called transport security. Each protocol (HTTP, TCP, MSMQ etc.) has its own way of providing transport security.
For example, TCP provides transport security by implementing TLS (Transport Layer Security). The TLS implementation is provided by the operating system.
HTTP provides transport security by using SSL (Secure Sockets Layer) over HTTP.
Transport security provides only point-to-point channel security. This means that if there is an intermediary (load balancer, proxy etc.) between client and service, the intermediary has direct access to the content of the message.
Message Security : Securing the message itself by encapsulating the security credentials with every SOAP message is called message security. As the message itself is protected, it provides end-to-end security.
Mixed transfer security mode : It uses Transport security for message integrity, privacy and service authentication, and it uses Message security for securing the client credentials.
One disadvantage of the mixed mode is that it secures only point-to-point, as is the nature of Transport security.
Both security mode : This mode uses both Transport security and Message security.
The default security mode in wsHttpBinding is Message security (encryption and signing of the message are applied automatically).
Please refer to the following table for the supported and default security modes of the different bindings.
| Name | None | Transport | Message | Mixed | Both |
|---|---|---|---|---|---|
| BasicHttpBinding | Yes(default) | Yes | Yes | Yes | No |
| NetTcpBinding | Yes | Yes(default) | Yes | Yes | No |
| NetNamedPipeBinding | Yes | Yes(default) | No | No | No |
| WsHttpBinding | Yes | Yes | Yes(default) | Yes | No |
| WsDualHttpBinding | Yes | No | Yes(default) | No | No |
| NetMsmqHttpBinding | Yes | Yes | Yes(default) | No | Yes |
The following is the SOAP body when the security mode is Message. The message is both encrypted and signed.
<s:Body u:Id="_0">
<e:EncryptedData Id="_1" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#uuid-3c8a7bb8-acd0-4bbb-8abe-1ea4a214254b-96"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>yAMmq3Dv28ukYopUIObISQ3YLRap/o7s77aZPA5UWGcRPmvCxEmDuApNOjPxO+7cMCh7KTYRqovSCg5XFgsnfli6zVhIRXBX76Uh7etSJqyu3M/xs6hTwKXr/W5qIvN0r491vnJnSeiSXkAWpWrJQ/hswZm46tKIVPi9/Uq4hyCnUMQ86Kzg7eP3jxu+6JLj/EPEdjutKNgsL8crv6T2dC9MZBmSo1HgfkTYq/JYBP4=</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
We can change the security mode from the default (that is, Message in wsHttpBinding) to None:
<wsHttpBinding>
<binding name="wsHttp">
<security mode="None"></security>
</binding>
</wsHttpBinding>
After changing the security mode, the SOAP body will be as follows.
<s:Body>
<HelloMessageResponse xmlns="http://tempuri.org/">
<HelloMessageResult>HelloRahul!!</HelloMessageResult>
</HelloMessageResponse>
</s:Body>
We can customize the level of protection using the ProtectionLevel attribute.
None : No protection. The message is not encrypted and not signed.
Sign : No encryption, but the message is digitally signed to ensure its integrity.
EncryptAndSign : The message is encrypted and then signed to ensure its confidentiality and integrity.
The following 6 attributes have the ProtectionLevel named parameter. They are specified in the order of precedence.
[ServiceContract]
[OperationContract]
[FaultContract]
[MessageContract]
[MessageHeader]
[MessageBodyMember]
Note : If we use a binding that does not support security by default, like basicHttpBinding, and we use a ProtectionLevel other than None, we will get an error at run time.
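The ProtectionLevel settings and the run-time error from the note above, shown together as an added example (not code from the original post). It assumes .NET Framework with a reference to System.ServiceModel and a process allowed to listen on the URLs used; IHelloService, HelloService, Ping, TryHost and the localhost addresses are illustrative names chosen here.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Channels;
// Contract-level floor: every message of this contract must at least be signed.
[ServiceContract(ProtectionLevel = ProtectionLevel.Sign)]
public interface IHelloService
{
    [OperationContract]   // no level set here, so it inherits Sign from the contract
    string Ping();
    // Narrower scope wins: this operation's messages are encrypted and signed.
    [OperationContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
    string HelloMessage(string name);
}

public class HelloService : IHelloService
{
    public string Ping() { return "pong"; }
    public string HelloMessage(string name) { return "Hello" + name + "!!"; }
}

public static class Program
{
    // Returns null if the endpoint opens, otherwise the validation error text.
    static string TryHost(Binding binding, string address)
    {
        var host = new ServiceHost(typeof(HelloService));
        try
        {
            host.AddServiceEndpoint(typeof(IHelloService), binding, address);
            host.Open();   // the contract's demands are checked against the binding here
            host.Close();
            return null;
        }
        catch (InvalidOperationException ex)
        {
            host.Abort();
            return ex.Message;
        }
    }

    public static void Main()
    {
        // wsHttpBinding: Message security by default, so the contract's demands are met.
        Console.WriteLine(TryHost(new WSHttpBinding(), "http://localhost:8080/ws") ?? "opened");
        // basicHttpBinding: security mode None by default, so Open() is rejected.
        Console.WriteLine(TryHost(new BasicHttpBinding(), "http://localhost:8080/basic") ?? "opened");
    }
}
```

Declaring the required level on the contract means a later configuration change to an unsecured binding fails when the host opens, rather than silently sending the message in plain text.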