Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

WCF: Authentication Service or token-based security?

Tags:

rest

c#

wcf

dynamics-crm-2011

There's a Dynamic CRM instance on a server ("on-premises"). It will be used by a few sites that run on distant machines (another domain, another Active Directory). The communication between those sites and the CRM instance is done via a CRM proxy, a WCF service that sits near it (near CRM), handles requests, queries CRM etc.

That WCF service is facing the Internet. Although secured communication channels aren't that necessary, authentication is. We cannot let random clients to use the services provided by the CRM proxy.

So, Authentication Service (cookies?) / hand-coded token passing (as a parameter for each service operation) / this solution - on stackoverflow.

Thank you in advance!

PS: hand-coded tokens would be "time-sensitive" and hashed a few times with some secret keys. Man-in-the-middle might not be such a big problem, as a token can be invalidated after a request.

like image 243
turdus-merula Avatar asked Jul 05 '12 17:07

turdus-merula

1 Answers

Hand-coded token passing is not very elegant. It pollutes your method signatures and makes you duplicates checks all over the place.

If you are able to distribute credentials to your service clients, or pass in credentials that they already use for your system, then I suggest using message security with a custom username & password validator.

The steps to implement it are simple enough. You only need to implement a UserNamePasswordValidator:

A short configuration summary from the linked article:

Specify the security mode in your binding:

<security mode="Message">
    <message clientCredentialType="UserName"/>
</security>

In your service behavior add:

<serviceCredentials>
    <userNameAuthentication 
        userNamePasswordValidationMode="Custom" 
        customUserNamePasswordValidatorType="YourFullUserNameValidatorType"/>
</serviceCredentials>

Then clients just need to set their credentials directly on the service proxies. So they're not passed in service operations. 

serviceClient.ClientCredentials.UserName.UserName = "username";
serviceClient.ClientCredentials.UserName.Password = "password";

Your UserNamePasswordValidator will get these credential for each service operation call and you will have the chance to validate them against your credentials store.

However, for more security, you could look into certificate authentication. It's more reliable and you are not required to buy a cert from a CA. If you can also setup yourself as a CA on the client computers, then your good to go. It's appropriate especially because you only have a few clients, so they would be easy to manage.

like image 107
Marcel N. Avatar answered Oct 23 '22 05:10

Marcel N.
Sign in to Comment

Related questions

Dynamically Generate simple Views from ViewModels in WPF?
C# generics & not going insane
How To Create lParam Of SendMessage WM_KEYDOWN
How to properly override equality?
Custom Error message with HTTPStatusCodeResult & jQuery
Use local images in Webbrowser control
How do I send parameters using MonoTouch.ObjCRuntime.Selector and Perform Selector
How to use a ContextMenu UserControl in WPF?
Inserting a List<> into SQL Server table
How to create folder in Google Drive using .NET API?
first blank row in excel
Configuration SearchPattern in EnumerateFiles
How can i get the MethodInfo of the controller action that will get called given a request?
What is the name of the backtick (`) key in the XNA Keys enumeration?
Retrieve Current Email Body In Outlook
@Html.ActionLink in ASP.NET MVC 3
Performance optimization of for-loop / switch-statement
How to change combobox particular item color dynamically in wpf
How do I merge all the cases into One?
How do I determine the underlying type of an array [duplicate]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!