SlideShare una empresa de Scribd logo

Implement Windows Authentication And Security In Wcf Service

Neeraj Kaushik
Neeraj Kaushik
1 de 6
Descargar para leer sin conexión
http://dotnetdlr.com Implement windows authentication and security in WCF Service This is continuation with previous post on “Security in WCF -I”. Here I’ll explain how we can implement windows authentication with transport level security in intranet environment. Windows authentication In intranet environment, client and service are .Net application.Windows authentication is most suitable authentication type in intranet where client credentials stored in windows accounts & groups. Intranet environment address a wide range of business applications. Developers have more controlled in this environment. For Intranet, you can use netTcpBinding,NetNamedPipeBinding and NetMsmqBinding for secure and fast communication. Windows credential is default credential type and transport security is default security mode for these bindings. Protection Level You can set Transport Security protection level through WCF:  None: WCF doesn’t protect message transfer from client to service.  Signed: WCF ensures that message have come only from authenticated caller. WCF checks validity of message by checking Checksum at service side. It provides authenticity of message.  Encrypted & Signed: Message is signed as well as encrypted. It provides integrity, privacy and authenticity of message. Configuration in WCF Service for Windows Authentication Service is hosted on netTcpBinding with credential type windows and protection level as EncryptedAndSigned. var tcpbinding = new NetTcpBinding(SecurityMode.Transport); //Client credential will be used of windows user tcpbinding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows; // When configured for EncryptAndSign protection level, WCF both signs the message and encrypts //its content. The Encrypted and Signed protection level provides integrity, 1
http://dotnetdlr.com //privacy, and authenticity. tcpbinding.Security.Transport.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign; Client credential type can be set by TcpClientCredentialType enum. public enum TcpClientCredentialType { None, Windows, Certificate } Protection level can be set by ProtectionLevel enum. // Summary: // Indicates the security services requested for an authenticated stream. public enum ProtectionLevel { // Summary: // Authentication only. None = 0, // // Summary: // Sign data to help ensure the integrity of transmitted data. Sign = 1, // // Summary: // Encrypt and sign data to help ensure the confidentiality and integrity of // transmitted data. EncryptAndSign = 2, } WCF Service Code Service Host class Program { static void Main(string[] args) { Uri baseAddress = new Uri("http://localhost:8045/MarketService"); using (var productHost = new ServiceHost(typeof(MarketDataProvider))) { var tcpbinding = new NetTcpBinding(SecurityMode.Transport); //Client credential will be used of windows user tcpbinding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows; // When configured for EncryptAndSign protection level, WCF both signs the message and encrypts //its content. The Encrypted and Signed protection level provides integrity, //privacy, and authenticity. 2
http://dotnetdlr.com tcpbinding.Security.Transport.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign; ServiceEndpoint productEndpoint = productHost. AddServiceEndpoint(typeof(IMarketDataProvider), tcpbinding, "net.tcp://localhost:8000/MarketService"); ServiceEndpoint producthttpEndpoint = productHost.AddServiceEndpoint( typeof(IMarketDataProvider), new BasicHttpBinding(), "http://localhost:8045/MarketService"); productHost.Open(); Console.WriteLine("The Market service is running and is listening on:"); Console.WriteLine("{0} ({1})", productEndpoint.Address.ToString(), productEndpoint.Binding.Name); Console.WriteLine("{0} ({1})", producthttpEndpoint.Address.ToString(), producthttpEndpoint.Binding.Name); Console.WriteLine("nPress any key to stop the service."); Console.ReadKey(); } } } Alternatively, you can configure the binding using a config file: <bindings> <netTcpBinding> <binding name = "TCPWindowsSecurity"> <security mode = "Transport"> <transport clientCredentialType = "Windows" protectionLevel = "EncryptAndSign" /> </security> </binding> </netTcpBinding> </bindings> Run WCF Service 3
http://dotnetdlr.com Client Application static void Main(string[] args) { try { Console.WriteLine("Connecting to Service.."); var proxy = new ServiceClient(new NetTcpBinding(), new EndpointAddress("net.tcp://localhost:8000/MarketService")); Console.WriteLine("MSFT Price:{0}", proxy.GetMarketPrice("MSFT.NSE")); Console.WriteLine("Getting price for Google"); double price = proxy.GetMarketPrice("GOOG.NASDAQ"); } catch (FaultException ex) { Console.WriteLine("Service Error:" + ex.Detail.ValidationError); } catch (Exception ex) { Console.WriteLine("Service Error:" + ex.Message); } Console.ReadLine(); } ServiceClient is custom class which inherits ClientBase<T> class in System.ServiceModel namespace to create channels and communication with service on endpoints. public class ServiceClient : ClientBase, IMarketDataProvider { public ServiceClient() { } public ServiceClient(string endpointConfigurationName) : base(endpointConfigurationName) { } public ServiceClient(string endpointConfigurationName, string remoteAddress) : base(endpointConfigurationName, remoteAddress) { } public ServiceClient(string endpointConfigurationName, System.ServiceModel.EndpointAddress remoteAddress) : base(endpointConfigurationName, remoteAddress) { } 4
http://dotnetdlr.com public ServiceClient(System.ServiceModel.Channels.Binding binding, System.ServiceModel.EndpointAddress remoteAddress) : base(binding, remoteAddress) {} /// /// IMarketDataProvider method /// /// /// public double GetMarketPrice(string symbol) { return base.Channel.GetMarketPrice(symbol); } } Verify User credentials in Service You can see caller information in WCF service by ServiceSecurityContext class. Every operation on a secured WCF service has a security call context. The security call context is represented by the class ServiceSecurityContext.The main use for the security call context is for custom security mechanisms, as well as analysis and auditing. ServiceSecurityContext.Current in Quickwatch window. Send Alternate Windows credentials to Service WCF also give option to send alternate windows credential from client. By default it send logged in user credential. You can send alternate credential like below proxy.ClientCredentials.Windows.ClientCredential.Domain = "mydomain"; proxy.ClientCredentials.Windows.ClientCredential.UserName = "ABC"; proxy.ClientCredentials.Windows.ClientCredential.Password = "pwd"; 5
http://dotnetdlr.com Now If I run client application with changed credentials, if credentials are of valid windows user, service will authenticate caller else it will reject caller request. In my case I deliberately gives wrong credential to produce reject exception. Service sends “System.Security.Authentication.InvalidCredentialException with message "The server has rejected the client credentials.” I hope you understood windows authentication concept here. If you have any question please feel free to send me comments. 6

Recomendados

Concurrent Collections Object In Dot Net 4
Concurrent Collections Object In Dot Net 4Concurrent Collections Object In Dot Net 4
Concurrent Collections Object In Dot Net 4
Neeraj Kaushik
 
Multithreading Presentation
Multithreading PresentationMultithreading Presentation
Multithreading Presentation
Neeraj Kaushik
 
How to place orders through FIX Message
How to place orders through FIX MessageHow to place orders through FIX Message
How to place orders through FIX Message
Neeraj Kaushik
 
Futures_Options
Futures_OptionsFutures_Options
Futures_Options
Neeraj Kaushik
 
No sql
No sqlNo sql
No sql
Neeraj Kaushik
 
Implementation of fix messages for fix 5.0 sp2 and fixt1.1 specification
Implementation of fix messages for fix 5.0 sp2 and fixt1.1 specificationImplementation of fix messages for fix 5.0 sp2 and fixt1.1 specification
Implementation of fix messages for fix 5.0 sp2 and fixt1.1 specification
Neeraj Kaushik
 
C-Sharp Arithmatic Expression Calculator
C-Sharp Arithmatic Expression CalculatorC-Sharp Arithmatic Expression Calculator
C-Sharp Arithmatic Expression Calculator
Neeraj Kaushik
 
Implement Search Screen Using Knockoutjs
Implement Search Screen Using KnockoutjsImplement Search Screen Using Knockoutjs
Implement Search Screen Using Knockoutjs
Neeraj Kaushik
 

Recomendados

Concurrent Collections Object In Dot Net 4
Concurrent Collections Object In Dot Net 4Concurrent Collections Object In Dot Net 4
Concurrent Collections Object In Dot Net 4
Neeraj Kaushik
 
Multithreading Presentation
Multithreading PresentationMultithreading Presentation
Multithreading Presentation
Neeraj Kaushik
 
How to place orders through FIX Message
How to place orders through FIX MessageHow to place orders through FIX Message
How to place orders through FIX Message
Neeraj Kaushik
 
Futures_Options
Futures_OptionsFutures_Options
Futures_Options
Neeraj Kaushik
 
No sql
No sqlNo sql
No sql
Neeraj Kaushik
 
Implementation of fix messages for fix 5.0 sp2 and fixt1.1 specification
Implementation of fix messages for fix 5.0 sp2 and fixt1.1 specificationImplementation of fix messages for fix 5.0 sp2 and fixt1.1 specification
Implementation of fix messages for fix 5.0 sp2 and fixt1.1 specification
Neeraj Kaushik
 
C-Sharp Arithmatic Expression Calculator
C-Sharp Arithmatic Expression CalculatorC-Sharp Arithmatic Expression Calculator
C-Sharp Arithmatic Expression Calculator
Neeraj Kaushik
 
Implement Search Screen Using Knockoutjs
Implement Search Screen Using KnockoutjsImplement Search Screen Using Knockoutjs
Implement Search Screen Using Knockoutjs
Neeraj Kaushik
 
Linq Introduction
Linq IntroductionLinq Introduction
Linq Introduction
Neeraj Kaushik
 
Parallel Programming With Dot Net
Parallel Programming With Dot NetParallel Programming With Dot Net
Parallel Programming With Dot Net
Neeraj Kaushik
 
Quick Fix Sample
Quick Fix SampleQuick Fix Sample
Quick Fix Sample
Neeraj Kaushik
 
DotNet &amp; Sql Server Interview Questions
DotNet &amp; Sql Server Interview QuestionsDotNet &amp; Sql Server Interview Questions
DotNet &amp; Sql Server Interview Questions
Neeraj Kaushik
 
Design UML diagrams
Design UML diagramsDesign UML diagrams
Design UML diagrams
Neeraj Kaushik
 
Design UML diagrams
Design UML diagramsDesign UML diagrams
Design UML diagrams
Neeraj Kaushik
 

Más contenido relacionado

Más de Neeraj Kaushik

Más de Neeraj Kaushik (6)

Linq Introduction
Linq IntroductionLinq Introduction
Linq Introduction
 
Parallel Programming With Dot Net
Parallel Programming With Dot NetParallel Programming With Dot Net
Parallel Programming With Dot Net
 
Quick Fix Sample
Quick Fix SampleQuick Fix Sample
Quick Fix Sample
 
DotNet &amp; Sql Server Interview Questions
DotNet &amp; Sql Server Interview QuestionsDotNet &amp; Sql Server Interview Questions
DotNet &amp; Sql Server Interview Questions
 
Design UML diagrams
Design UML diagramsDesign UML diagrams
Design UML diagrams
 
Design UML diagrams
Design UML diagramsDesign UML diagrams
Design UML diagrams
 

Implement Windows Authentication And Security In Wcf Service

  • 1. http://dotnetdlr.com Implement windows authentication and security in WCF Service This is continuation with previous post on “Security in WCF -I”. Here I’ll explain how we can implement windows authentication with transport level security in intranet environment. Windows authentication In intranet environment, client and service are .Net application.Windows authentication is most suitable authentication type in intranet where client credentials stored in windows accounts & groups. Intranet environment address a wide range of business applications. Developers have more controlled in this environment. For Intranet, you can use netTcpBinding,NetNamedPipeBinding and NetMsmqBinding for secure and fast communication. Windows credential is default credential type and transport security is default security mode for these bindings. Protection Level You can set Transport Security protection level through WCF:  None: WCF doesn’t protect message transfer from client to service.  Signed: WCF ensures that message have come only from authenticated caller. WCF checks validity of message by checking Checksum at service side. It provides authenticity of message.  Encrypted & Signed: Message is signed as well as encrypted. It provides integrity, privacy and authenticity of message. Configuration in WCF Service for Windows Authentication Service is hosted on netTcpBinding with credential type windows and protection level as EncryptedAndSigned. var tcpbinding = new NetTcpBinding(SecurityMode.Transport); //Client credential will be used of windows user tcpbinding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows; // When configured for EncryptAndSign protection level, WCF both signs the message and encrypts //its content. The Encrypted and Signed protection level provides integrity, 1
  • 2. http://dotnetdlr.com //privacy, and authenticity. tcpbinding.Security.Transport.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign; Client credential type can be set by TcpClientCredentialType enum. public enum TcpClientCredentialType { None, Windows, Certificate } Protection level can be set by ProtectionLevel enum. // Summary: // Indicates the security services requested for an authenticated stream. public enum ProtectionLevel { // Summary: // Authentication only. None = 0, // // Summary: // Sign data to help ensure the integrity of transmitted data. Sign = 1, // // Summary: // Encrypt and sign data to help ensure the confidentiality and integrity of // transmitted data. EncryptAndSign = 2, } WCF Service Code Service Host class Program { static void Main(string[] args) { Uri baseAddress = new Uri("http://localhost:8045/MarketService"); using (var productHost = new ServiceHost(typeof(MarketDataProvider))) { var tcpbinding = new NetTcpBinding(SecurityMode.Transport); //Client credential will be used of windows user tcpbinding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows; // When configured for EncryptAndSign protection level, WCF both signs the message and encrypts //its content. The Encrypted and Signed protection level provides integrity, //privacy, and authenticity. 2
  • 3. http://dotnetdlr.com tcpbinding.Security.Transport.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign; ServiceEndpoint productEndpoint = productHost. AddServiceEndpoint(typeof(IMarketDataProvider), tcpbinding, "net.tcp://localhost:8000/MarketService"); ServiceEndpoint producthttpEndpoint = productHost.AddServiceEndpoint( typeof(IMarketDataProvider), new BasicHttpBinding(), "http://localhost:8045/MarketService"); productHost.Open(); Console.WriteLine("The Market service is running and is listening on:"); Console.WriteLine("{0} ({1})", productEndpoint.Address.ToString(), productEndpoint.Binding.Name); Console.WriteLine("{0} ({1})", producthttpEndpoint.Address.ToString(), producthttpEndpoint.Binding.Name); Console.WriteLine("nPress any key to stop the service."); Console.ReadKey(); } } } Alternatively, you can configure the binding using a config file: <bindings> <netTcpBinding> <binding name = "TCPWindowsSecurity"> <security mode = "Transport"> <transport clientCredentialType = "Windows" protectionLevel = "EncryptAndSign" /> </security> </binding> </netTcpBinding> </bindings> Run WCF Service 3
  • 4. http://dotnetdlr.com Client Application static void Main(string[] args) { try { Console.WriteLine("Connecting to Service.."); var proxy = new ServiceClient(new NetTcpBinding(), new EndpointAddress("net.tcp://localhost:8000/MarketService")); Console.WriteLine("MSFT Price:{0}", proxy.GetMarketPrice("MSFT.NSE")); Console.WriteLine("Getting price for Google"); double price = proxy.GetMarketPrice("GOOG.NASDAQ"); } catch (FaultException ex) { Console.WriteLine("Service Error:" + ex.Detail.ValidationError); } catch (Exception ex) { Console.WriteLine("Service Error:" + ex.Message); } Console.ReadLine(); } ServiceClient is custom class which inherits ClientBase<T> class in System.ServiceModel namespace to create channels and communication with service on endpoints. public class ServiceClient : ClientBase, IMarketDataProvider { public ServiceClient() { } public ServiceClient(string endpointConfigurationName) : base(endpointConfigurationName) { } public ServiceClient(string endpointConfigurationName, string remoteAddress) : base(endpointConfigurationName, remoteAddress) { } public ServiceClient(string endpointConfigurationName, System.ServiceModel.EndpointAddress remoteAddress) : base(endpointConfigurationName, remoteAddress) { } 4
  • 5. http://dotnetdlr.com public ServiceClient(System.ServiceModel.Channels.Binding binding, System.ServiceModel.EndpointAddress remoteAddress) : base(binding, remoteAddress) {} /// /// IMarketDataProvider method /// /// /// public double GetMarketPrice(string symbol) { return base.Channel.GetMarketPrice(symbol); } } Verify User credentials in Service You can see caller information in WCF service by ServiceSecurityContext class. Every operation on a secured WCF service has a security call context. The security call context is represented by the class ServiceSecurityContext.The main use for the security call context is for custom security mechanisms, as well as analysis and auditing. ServiceSecurityContext.Current in Quickwatch window. Send Alternate Windows credentials to Service WCF also give option to send alternate windows credential from client. By default it send logged in user credential. You can send alternate credential like below proxy.ClientCredentials.Windows.ClientCredential.Domain = "mydomain"; proxy.ClientCredentials.Windows.ClientCredential.UserName = "ABC"; proxy.ClientCredentials.Windows.ClientCredential.Password = "pwd"; 5
  • 6. http://dotnetdlr.com Now If I run client application with changed credentials, if credentials are of valid windows user, service will authenticate caller else it will reject caller request. In my case I deliberately gives wrong credential to produce reject exception. Service sends “System.Security.Authentication.InvalidCredentialException with message "The server has rejected the client credentials.” I hope you understood windows authentication concept here. If you have any question please feel free to send me comments. 6