WCF security and dynamic service behavior

  • Question

  • I have a WCF service application (IIS hosted) and a WPF client deployed within the internal domain and also a web application deployed in the DMZ. I intend to use net.tcp bindings from both the web and WPF applications to call the same service.

    The idea is to decorate the service methods with PrincipalPermission attribute and use both Role and Name. Name for the web DMZ calls with certificate and Role for the WPF windows domain calls. I would like to achieve this without duplicating the service implementations and for this to work I guess I need a dynamic service behavior.

    Is this doable and in that case how?

    Thursday, May 2, 2013 1:13 PM

Answers

  • Hi,

    From your description, it seems that you want to provide different security restrictions for different clients; if so, you may consider creating different endpoints for the same service. You can specify the endpoint used to communicate with different clients.

    For example, one endpoint with netTcpBinding using Windows authentication with transport security (this is the default; you do not have to change any other configuration in the binding); another endpoint with netTcpBinding using certificate authentication with transport security, setting the security mode and transport credential type, like

    <netTcpBinding>
      <binding name="certificateTcpBinding">
        <security mode="Transport">
           <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </netTcpBinding>

    Reference on using multiple Endpoints

    http://msdn.microsoft.com/en-us/library/ms751515.aspx

    Multiple Endpoints for a WCF Service

    http://hectorcorrea.com/blog/multiple-endpoints-for-a-wcf-service

    Best Regards.


    Haixia
    MSDN Community Support | Feedback to us
    Develop and promote your apps in Windows Store
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Friday, May 3, 2013 2:18 AM
    Moderator

All replies

  • Hi,

    As far as I understand the endpoint configuration doesn't quite do it for me. I believe I also need to apply these different configurations to the service.

          <serviceBehaviors>
            <behavior name="certBehavior">
              <serviceMetadata httpGetEnabled="true"
                               policyVersion="Policy15" />
              <serviceDebug includeExceptionDetailInFaults="true" />
              <serviceAuthorization principalPermissionMode="UseAspNetRoles" />
              <serviceCredentials>
                <clientCertificate>
                  <authentication certificateValidationMode="PeerTrust" />
                </clientCertificate>
                <serviceCertificate findValue="TestCert1"
                                    storeLocation="LocalMachine"
                                    storeName="TrustedPeople"
                                    x509FindType="FindBySubjectName" />
              </serviceCredentials>
            </behavior>
            <behavior name="windowsBehavior">
              <serviceMetadata httpGetEnabled="true"
                               policyVersion="Policy15" />
              <serviceDebug includeExceptionDetailInFaults="true" />
            </behavior>
          </serviceBehaviors>

    Best Regards

    Mattias

    Friday, May 3, 2013 7:04 AM
  • Hi,

    Yes, you need more configuration and to have the certificate installed properly in your MMC certificate store. Find an example provided by Bin-ze Zhao in the thread below on configuring both client and service when using certificate authentication.

    http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/a8c6d49d-5b71-437c-985f-9145f3dd199d

    Best Regards.


    Haixia

    Friday, May 3, 2013 10:22 AM
    Moderator
  • Hi Haixia,

    I don't have any problem getting the behaviors working individually. It's the combination of both with the same service implementation that is the issue.

    Best regards

    Mattias

    Friday, May 3, 2013 11:06 AM
  • I don't see any other way than creating a new "empty" inherited service implementation and a new host file.

    public class Service1_ : Service1
    { }

    <%@ ServiceHost Language="C#" Debug="true" Service="WcfLibrary1.Service1_" CodeBehind="WcfLibrary1.Service1_.cs" %>

    Friday, May 3, 2013 1:24 PM
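    The following is an added example, not code from this thread or from the Microsoft sample pages linked above. It shows one service implementation exposed on two net.tcp endpoints of a single ServiceHost, with the service-level settings from the certBehavior above (service certificate "TestCert1" in LocalMachine\TrustedPeople, PeerTrust validation) applied once, so no second inherited class or .svc file is needed. It is self-hosted rather than IIS-hosted so that it runs on its own; the address, contract, domain group name and the certificate identity string are assumptions, and the PrincipalPermissionMode choice is an assumption to verify against your WCF version.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

// Hypothetical contract; any contract works the same way.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string GetOrderStatus(int orderId);
}

// A single implementation. Two declarative demands on one method are
// unioned: the call succeeds if the caller satisfies either of them.
public class OrderService : IOrderService
{
    // Assumed values: a domain group for the WPF (Windows) callers, and the
    // identity WCF derives from the DMZ web tier's client certificate, which
    // has the form "CN=<subject>; <thumbprint>". Substitute your own.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\OrderReaders")]
    [PrincipalPermission(SecurityAction.Demand, Name = "CN=DmzWebTier; <thumbprint placeholder>")]
    public string GetOrderStatus(int orderId)
    {
        return "Order " + orderId + " read by "
             + ServiceSecurityContext.Current.PrimaryIdentity.Name;
    }
}

public static class Program
{
    public static void Main()
    {
        // Base address is an assumption.
        var host = new ServiceHost(typeof(OrderService),
            new Uri("net.tcp://localhost:8731/OrderService"));

        // Endpoint 1: internal WPF clients, Windows credentials over transport security.
        var windowsBinding = new NetTcpBinding(SecurityMode.Transport);
        windowsBinding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        host.AddServiceEndpoint(typeof(IOrderService), windowsBinding, "windows");

        // Endpoint 2: DMZ web tier, client certificate over transport security.
        // With mode Transport it is the transport credential type that applies.
        var certBinding = new NetTcpBinding(SecurityMode.Transport);
        certBinding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
        host.AddServiceEndpoint(typeof(IOrderService), certBinding, "cert");

        // Service-level behaviours are set once and cover both endpoints.
        // Service certificate: same store and subject as the thread's certBehavior.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.TrustedPeople,
            X509FindType.FindBySubjectName, "TestCert1");

        // PeerTrust: a client certificate is accepted only if it is present in
        // TrustedPeople. The Windows endpoint never presents one, so this
        // setting does not affect it.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;

        // Assumption: under UseWindowsGroups a Windows caller is evaluated as a
        // WindowsPrincipal (Role demand) and the certificate caller is matched
        // by its identity name (Name demand). Confirm on your WCF version.
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;

        host.Open();
        Console.WriteLine("Listening on both endpoints; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

    The config-file equivalent for an IIS-hosted service is one `<service>` element with two `<endpoint>` elements (each pointing at its own netTcpBinding configuration) and a single behaviorConfiguration that contains both the serviceCredentials and the serviceAuthorization settings; the binding decides how each caller authenticates, while the behaviour and the PrincipalPermission attributes stay shared.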
  • Hi,

    >> It's the combination of both with the same service implementation that is the issue.

    If you mean using multiple endpoints for a service, you just need to configure it in the config file as mentioned in a sample here.

    Best Regards.


    Haixia

    Monday, May 6, 2013 10:22 AM
    Moderator