Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

WCF net.tcp bindings, message formats and security questions

sorry for the stupid questions but there are just some things about WCF I cant get my head around. Would be greatful for some advice on the following....

  • At a very basic level is it correct that WCF uses either Binary (Net.Tcp), HTTP or MSMQ to transfer my message on the wire?

  • However is it true that in all cases, regardless of how the data is transferred the message itself in in the SOAP format with headers and a body? So its a sort of XML message that is transmitted in either HTTP/S or in a binary format.

  • Is Net.Tcp a good choice for my client server app - its similar to a messenger app in that the clients are all remote users on the other side of the firewall to my server. Most things I am reading are telling to use WS* and HTTP.

  • Is Net.Tcp secured by standard and without certificates? - that is - people cannot listen on the wire and decode the data thats going to and from.

  • Is it possible to send a username and password using net.tcp and without an installed certificate?

  • If so I presume I can hook this up to my membership provider and authenticate access to each method on my service contract implementation.

  • I presume that with username and password security, the proxy is initialised with the username and password and that this information is is sent with every request.

  • Then my membership provider will be invoked for each method call and do whatever it needs to do to get the authorisation for the method.

Sorry for the dump of questions but would be great to know if Im thinking the right way about how WCF works.

Thanks.

like image 561
Remotec Avatar asked Dec 02 '22 06:12

Remotec


1 Answers

At a very basic level is it correct that WCF uses either Binary (Net.Tcp), HTTP or MSMQ to transfer my message on the wire?

You're confusing the transport layer with the serialisation mechanism. WCF transports options are TCP, Named Pipes, HTTP and MSMQ. WCF serialisation options are binary, Text (which includes SOAP, POX and JSON), and MTOM.

However is it true that in all cases, regardless of how the data is transferred the message itself in in the SOAP format with headers and a body? So its a sort of XML message that is transmitted in either HTTP/S or in a binary format.

No. WCF uses the Message class as the atomic unit for communications. It is SOAP like in structure but it's not a serialisation format like SOAP.

Is Net.Tcp a good choice for my client server app - its similar to a messenger app in that the clients are all remote users on the other side of the firewall to my server. Most things I am reading are telling to use WS* and HTTP.

Sounds like TCP would not be a good choice. Firewalls could make TCP difficult for you unless you are able to operate your server on port 80 or 443. From my own personal experience I'd also recommend against using WCF with a TCP binding in internet deployments. When a TCP connection is lost WCF makes you jump through a lot of hoops to catch and re-establish it. HTTP bindings are a lot easier to manage.

Is Net.Tcp secured by standard and without certificates? - that is - people cannot listen on the wire and decode the data thats going to and from.

The NetTCP binding is secured by default with TLS.

Is it possible to send a username and password using net.tcp and without an installed certificate?

You can use a pre-installed cerificate for authentication with the TCP binding. You can also add a username and password to your Message headers but that's a separate thing.

If so I presume I can hook this up to my membership provider and authenticate access to each method on my service contract implementation.

You can extract the Message headers using the OperationContext and extract whatever information you like and use it with your authentication provider.

I presume that with username and password security, the proxy is initialised with the username and password and that this information is is sent with every request.

and

Then my membership provider will be invoked for each method call and do whatever it needs to do to get the authorisation for the method.

It sounds like you want to take a look at How to: Use the ASP.NET Membership Provider.

like image 54
sipsorcery Avatar answered Dec 04 '22 15:12

sipsorcery