Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to configure security when calling WCF Service from .Net 2.0 Client

Tags:

security

wcf

.net-2.0

I have a WCF service up and running and am able to communicate between the service and a .Net 2.0 Client using basicHttpBinding.

I now need to lock down the WCF service so that it can only be called by authenticated clients.

I have control over the clients that will be calling my service. The clients are part of a product that will be installed in the wild and "phoning home" to push and pull data. The client app is written for .Net 2.0 framework and cannot be upgraded to 3.0 or 3.5 at this time. I cannot add windows user accounts to the client machines.

What are my options for securing the WCF Service and being able to authenticate from my .Net 2.0 clients? Also, data needs to be passed over https.

I've been searching the web, and feel like I'm on a wild goose chase.

like image 607
JasonS Avatar asked Oct 24 '08 04:10

JasonS

People also ask

How do I provide security to WCF?

To secure an application that runs exclusively on a Windows domain, you can use the default security settings of either the WSHttpBinding or the NetTcpBinding binding. By default, anyone on the same Windows domain can access WCF services. Because those users have logged on to the network, they are trusted.

What is security implementation in WCF How many are there?

A WCF service boasts of a robust security system with two security modes or levels so that only an intended client can access the services.

What is WCF security?

Windows Communication Foundation (WCF) is a SOAP message-based distributed programming platform, and securing messages between clients and services is essential to protecting data.

1 Answers

You can configure a WCF endpoint to use 2-way SSL authentication. That means that you can require clients to present an X.509 certificate that confirms their identity whenever they make a request to the service.

On the server side of things, you can use one of the built-in validation schemes in WCF or provide your own validation logic to check the X.509 certificate.
If you were hosting your service in IIS, it would be trivial to configure SSL to require client certificates at the transport-level. However, you can find a good guide on how to implement this behaviour in a self-hosted WCF service here:

http://leastprivilege.com/2007/08/25/certificate-based-authentication-and-wcf-message-security/

I haven't tried this myself but, since this creates a security requirement at the message-level, I think you will have to use wsHttpBinding to enforce it in your WSDL contract, since imposing security requirements to access a web service is part of the WS-* standards.

If you have to use basicHttpBinding, you can try this solution instead that moves things up at the transport-level:

http://leastprivilege.com/2007/08/26/certificate-based-authentication-and-wcf-mode-independent/

Hope this helps

like image 92
Enrico Campidoglio Avatar answered Sep 22 '22 06:09

Enrico Campidoglio
Sign in to Comment

Related questions

How does Concurrency work in WCF?
XML differences between WCF and Python SUDS for inheritance?
The specified cast from a materialized 'System.Guid' type to the 'System.Int32' type is not valid
How to use custom binding in WCF and keep message security mode with username client credentials?
Configuration evaluation context not found warning on WCF trace
VS Crashing after 'Set As StartUp Project'
Wcf System.InsufficientMemoryException. Failed to allocate a managed memory buffer of 536870912 bytes
The HTTP request was forbidden with client authentication scheme 'Anonymous'
In Message.CreateMessage, what is the meaning of the "action" parameter?
RIA Services versus WCF Services
Is the DataMember IsRequired attribute in combination with a Nullable type contradictory?
Are there any constants in the .NET framework for the different web method types (GET, PUT, POST, DELETE, HEAD)?
NHibernate session management in WCF application
Why do I get System.InvalidOperationException back from a WSDL call but not from the same call to another service?
WCF Service - certificates and message security with UserName authentication
Return Stream from WCF service, using SqlFileStream
Building a dynamic expression tree to filter on a collection property
System.Net.WebException: The request was aborted: the request was cancelled
How do I restrict access to some methods in WCF?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!