Thursday, December 8, 2011

WCF Security overview

The WCF framework is so huge that you can easily get lost. I spent many hours figuring out how it works and I thought that I might share my conclusions. There are two major security modes in WCF and one variation of those two:

Message level security (the default one)
- the message is encrypted from end to end

Transport level security
- the communication channel is encrypted using SSL over HTTP (HTTPS)

A variation of the other two types
- it provides both channel and message encryption. For HTTP, the mechanism is Secure Sockets Layer (SSL) over HTTP (HTTPS); for TCP, it is SSL over TCP or Windows.

Here is a good article about securing services.
I will now walk through a few step-by-step demos of combined security and authentication practices in WCF.

The first one uses Basic Authentication in WCF with the TransportCredentialOnly security mode. Note that this mode does not provide message integrity or confidentiality: the credentials and the messages travel over plain HTTP. Basic authentication works well in scenarios where you want to give access to some people inside a company, for example.

In the first part we will create the service with the needed configuration and host it on IIS. Next we will create a basic console client to consume our service.

Part I - Creating the service

Step 1. Create a new WCF Service Application
I named mine "WcfBasic".

Step 2. Create a binding

I chose to create a basic HTTP binding, nothing very special. Here is the element:

    <basicHttpBinding>
      <binding name="SecurityBinding">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Basic" />
        </security>
      </binding>
    </basicHttpBinding>

Now we have to put this element in the configuration file inside the <bindings> element.
Note: if you don't have a <bindings> element, just create it.

Step 3. Add the service and end point elements.

You must add the following element inside the <services> tag in the configuration file. If there is no <services> element, just create one.

    <service name="WcfSecurity.SecurityService">
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="SecurityBinding"
                name="BasicHttpEndpoint"
                contract="WcfSecurity.ISecurityService" />
    </service>
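With this binding, IIS validates the Basic user name and password against a Windows account before the call reaches the service, and the service sees the caller as a WindowsIdentity. The following service implementation is an added example, not code from the post: it matches the contract name used in the configuration above, refuses anonymous callers, and demands a Windows group for one operation. The contract namespace, the operation names and the group name are assumptions.

```csharp
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;

namespace WcfSecurity
{
    // Contract name matches the post's <endpoint contract="..."> value;
    // the namespace and the operation names are assumptions.
    [ServiceContract(Namespace = "http://example.org/WcfSecurity")]
    public interface ISecurityService
    {
        [OperationContract]
        string WhoAmI();

        [OperationContract]
        string AdminOnly();
    }

    public class SecurityService : ISecurityService
    {
        public string WhoAmI()
        {
            // With TransportCredentialOnly + Basic, IIS has already checked the
            // user name and password against a Windows account, so the caller
            // arrives here as an authenticated WindowsIdentity. Still refuse
            // anonymous callers in case the host is misconfigured.
            ServiceSecurityContext ctx = ServiceSecurityContext.Current;
            if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null
                || !ctx.WindowsIdentity.IsAuthenticated)
            {
                throw new FaultException("Caller is not authenticated.");
            }
            WindowsIdentity id = ctx.WindowsIdentity;
            return id.Name + " (" + id.AuthenticationType + ")";
        }

        // Authorization on top of authentication: WCF's default
        // PrincipalPermissionMode (UseWindowsGroups) lets this demand check the
        // caller's Windows group membership. The group name is an assumption.
        [PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Administrators")]
        public string AdminOnly()
        {
            return "Hello, administrator " + ServiceSecurityContext.Current.WindowsIdentity.Name;
        }
    }
}
```

A caller whose account is not in the demanded group gets a fault back instead of the result.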

Now save the changes, build your project and let's try to open it in a browser.
Right click on Service1.svc -> View in Browser. You should get this error:
Security settings for this service require 'Basic' Authentication but it is not enabled for the IIS application that hosts this service. 

That's because we haven't enabled basic authentication for our service yet.

Step 4. Host the service on IIS and enable basic authentication

First we have to publish the service to IIS. To do this, right click the WcfBasic project and click Publish.

A popup appears where we have to set up the virtual directory and a few other things:
Service Url: localhost
Site/application: Default Web Site/WcfBasic (you can use another name if you like)
Check 'Mark as IIS application on destination'
Click Publish
Note: fix any build errors before publishing, otherwise the publish will fail!

After the publish has succeeded, open IIS Manager and let's enable basic authentication.

Step 5. Enable basic authentication in IIS

Locate your application under Sites/Default Web Site. In the Features view, locate and double click the Authentication icon.

In the screen that shows up we have to do two things: enable Basic Authentication and disable every other authentication type. You can use the Enable/Disable buttons in the Actions pane on the right. It should look like this.

Now switch to 'Content View', click on Service1.svc and in the Actions pane click Browse.

And voilà! You are prompted to enter your credentials. Now you may ask: which credentials? They are simply the ones you use to log on to the machine.

If you enter the correct credentials you will be directed to the service page.

Otherwise you will get an unauthorized error.

That was the hard part. What's left now is to create a client to consume the service.

Part II. Creating the client to consume the service

Step 1. Create a new console application in the solution

Step 2. Add service reference.

Remember that our service is now hosted on IIS. So in order to add the reference, expand the console project and right click References -> Add Service Reference. A popup shows up where we have to enter the service URL, which should be something like: 'http://localhost/WcfBasicAuth/Service1.svc'

When you press OK, you will be prompted for your credentials and you will receive a warning.

This is the request credentials pop up.

Enter your credentials and press OK. The service reference is added to your application.

Step 3. Instantiate the service and call a method

The last thing to do now is to instantiate the service, set the ClientCredentials and call the method. The credentials are your logon credentials.
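As an added example (not the post's own client code), here is a console client that builds the same binding in code rather than from the generated configuration, sets the ClientCredentials, calls the service and distinguishes a rejected logon from a successful call. The service address is the one quoted above; the contract namespace and the WhoAmI operation are assumptions.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Security;

namespace WcfBasicClient
{
    // Client-side view of the contract; the namespace and operation name are assumptions.
    [ServiceContract(Namespace = "http://example.org/WcfSecurity")]
    public interface ISecurityService
    {
        [OperationContract]
        string WhoAmI();
    }

    class Program
    {
        static void Main()
        {
            // The post's <basicHttpBinding> element, built in code instead of config.
            var binding = new BasicHttpBinding();
            binding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
            binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;

            // Address from the post. Plain http: the Basic header is only
            // base64-encoded, so this is for trusted networks only.
            var address = new EndpointAddress("http://localhost/WcfBasicAuth/Service1.svc");
            var factory = new ChannelFactory<ISecurityService>(binding, address);

            // Your Windows logon credentials (echoed on the console in this demo).
            Console.Write("User name: ");
            factory.Credentials.UserName.UserName = Console.ReadLine();
            Console.Write("Password: ");
            factory.Credentials.UserName.Password = Console.ReadLine();

            ISecurityService proxy = factory.CreateChannel();
            try
            {
                Console.WriteLine("Service sees you as: " + proxy.WhoAmI());
                ((IClientChannel)proxy).Close();
            }
            catch (MessageSecurityException ex)
            {
                // IIS answered 401 (bad credentials); WCF surfaces it as this exception.
                Console.WriteLine("Unauthorized: " + ex.Message);
                ((IClientChannel)proxy).Abort();
            }
        }
    }
}
```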

Note: before you can test it, you must set the console application as the startup project. Right click on the console project -> Set as startup project.

And here is the result if your credentials are correct:

Let me know what you think. Stay tuned for more step-by-step demos using transport security mode (HTTPS with an SSL certificate), custom user name and password, and the Authentication Service in WCF.

Download code
