Securing WCF service exposed on the Internet

  • Question

  • User768014394 posted

    I have a WCF service using WS2007HttpBinding hosted on a web server in the DMZ and I need to call it from a server within our network behind our firewall.  I need to be able to secure communications so that the service can only be accessed by clients with the proper credentials.  It has been suggested that a username/password be provided and I authenticate based on that.  In order to keep things simple, I don't plan on keeping the credentials in a database or some other store.  I was thinking of perhaps storing them in the web.config of the service.

    What option is recommended?  Will SSL be needed for this?  I've been trying to set the ClientCredentials on the client for the service but they do not appear to be coming through.  I am currently running the client and service on the same machine and on the service side, when I use ServiceSecurityContext.Current.PrimaryIdentity or Thread.CurrentPrincipal.Identity.Name, I get my user name which is not what I was expecting.  I am setting the client credentials like this:

    client.ClientCredentials.UserName.UserName = "...";
    client.ClientCredentials.UserName.Password = "...";

    Here is the binding info in the web.config of the service:

    <ws2007HttpBinding>
    	<binding name="WS2007HttpBinding_ICustomerThemeService"
    			closeTimeout="00:01:00"
    			openTimeout="00:01:00"
    			receiveTimeout="00:10:00"
    			sendTimeout="00:01:00"
    			bypassProxyOnLocal="false"
    			transactionFlow="false"
    			hostNameComparisonMode="StrongWildcard"
    			maxBufferPoolSize="524288"
    			maxReceivedMessageSize="65536"
    			messageEncoding="Text"
    			textEncoding="utf-8"
    			useDefaultWebProxy="true"
    			allowCookies="false">
    		<readerQuotas maxDepth="32"
    				maxStringContentLength="8192"
    				maxBytesPerRead="4096"
    				maxNameTableCharCount="16384" />
    		<reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
    		<security mode="Message">
    			<transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
    			<message clientCredentialType="Windows" negotiateServiceCredential="true" algorithmSuite="Default" />
    		</security>
    	</binding>
    </ws2007HttpBinding>

    What do I need to change here so I can get this to work?  This is the first time I've had to implement any type of security in a WCF service.  All other services I've worked with in the past were behind the firewall so security wasn't a big issue.

    Friday, June 21, 2013 12:11 PM
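The binding in the question, with the credential type switched to user name/password, as an added example that is not part of the original post or of any answer to it. With `clientCredentialType="Windows"` WCF authenticates the caller's Windows identity and ignores `ClientCredentials.UserName`, which matches the behaviour described above. The behavior name, the validator type and the `MyCompany.Services` namespace are hypothetical placeholders, and the sketch assumes the endpoint is served over https.

```xml
<!-- Added example; names marked "hypothetical" are assumptions, not from the post. -->
<system.serviceModel>
  <bindings>
    <ws2007HttpBinding>
      <binding name="WS2007HttpBinding_ICustomerThemeService">
        <!-- Before (as posted): mode="Message" with clientCredentialType="Windows".
             The caller's Windows identity is used; UserName credentials are not sent. -->
        <!-- After: TLS protects the channel and the user name/password travel in the
             WS-Security header of each message. The endpoint address must be https. -->
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </ws2007HttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="UserNameAuthBehavior"> <!-- hypothetical name -->
        <serviceCredentials>
          <!-- The default validation mode checks Windows accounts. "Custom" hands the
               user name/password to a class derived from UserNamePasswordValidator,
               which can compare them with values kept in configuration. -->
          <userNameAuthentication
              userNamePasswordValidationMode="Custom"
              customUserNamePasswordValidatorType="MyCompany.Services.ConfigUserNameValidator, MyCompany.Services" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <!-- hypothetical service and contract type names -->
    <service name="MyCompany.Services.CustomerThemeService"
             behaviorConfiguration="UserNameAuthBehavior">
      <endpoint address=""
                binding="ws2007HttpBinding"
                bindingConfiguration="WS2007HttpBinding_ICustomerThemeService"
                contract="MyCompany.Services.ICustomerThemeService" />
    </service>
  </services>
</system.serviceModel>
```

The client needs the same `<security>` element in its binding for the values set on `client.ClientCredentials.UserName` to be sent.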

Answers