How to give WCF security without any authentication

  • Question

  • I heard, but I am not sure, that some kind of security can be given by the WCF message header, so that other people may not be able to get WCF data when no authentication is used.

    So if anyone knows anything about it, please share the knowledge. If my WCF service has no auth then anyone can connect and get data. So how could we provide security so that other people cannot get data from my service when my service has no auth implemented? Does any trick exist with the message header?

    thanks

    Friday, November 13, 2015 10:02 AM

Answers

  • Mou,

    I think an interactive video will be helpful for you in this case. Please watch the following video, especially from the 13:00 minute mark; there you can see them in action.

    Part 47 WCF security

    From the app.config file in the earlier post,

    <bindings>
      <netTcpBinding>
        <binding name="DefaultBinding" receiveTimeout="00:10:00" sendTimeout="00:10:00">
          <security mode="Transport">
            <transport protectionLevel="None" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>

    Here,

    > Inside the <binding> tag I am describing what type of binding I am using and its behavior/configuration.

    > The <netTcpBinding> tag defines that I am using netTcpBinding in my <endpoint> tag.

    > <binding name="DefaultBinding" receiveTimeout="00:10:00" sendTimeout="00:10:00">: for binding name="DefaultBinding" you can give whatever name you want. This is the bindingConfigurationName. receiveTimeout="00:10:00" and sendTimeout="00:10:00" define how long a message waits for a response. This is like session management in a web page.

    > <security mode="Transport">: Here I am defining the security mode for netTcpBinding, and it is Transport, which means my message will get encrypted at the transport layer. Example: if your message is Hello then it will be encrypted into something like aGcwq. If you use "None", the message will be open to the world.

    > <transport protectionLevel="None" />: Here I am defining to just encrypt the message; no password is required.

    Hope you will get an idea from this. Knowledge of the 7 layers of the OSI model is important in this case.

    You could also watch this WCF Tutorial video series as it has a good explanation.

    Thanks,

    Sabah Shariq



    • Edited by Sabah Shariq MVP Friday, November 13, 2015 8:24 PM
    • Marked as answer by Mou_kolkata Saturday, November 14, 2015 10:32 AM
    Friday, November 13, 2015 8:00 PM
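    The binding in the answer above combines mode="Transport" with protectionLevel="None". On netTcpBinding that means the caller is still authenticated with Windows credentials (the default clientCredentialType) while the TCP stream is neither signed nor encrypted, which is the reverse of what the question asked for. The service-side app.config below is an added example, not configuration from the thread or from the linked videos. It shows that weak binding next to a hardened one, and next to a third binding that encrypts the stream with TLS without authenticating the caller, which is the closest WCF comes to "security without authentication". Demo.Service, Demo.IService, the port and the certificate subject are assumed names.

```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <!-- Weak: Transport mode, but protectionLevel="None" tells the Windows
             (Negotiate) stream not to sign or encrypt. Callers are authenticated,
             payloads cross the wire in clear text. -->
        <binding name="WeakBinding" receiveTimeout="00:10:00" sendTimeout="00:01:00">
          <security mode="Transport">
            <transport clientCredentialType="Windows" protectionLevel="None" />
          </security>
        </binding>

        <!-- Hardened: EncryptAndSign is the WCF default for netTcpBinding and
             gives confidentiality and integrity; Windows credentials still
             authenticate the caller. Sign is the third allowed value. -->
        <binding name="SecureBinding" receiveTimeout="00:10:00" sendTimeout="00:01:00">
          <security mode="Transport">
            <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
          </security>
        </binding>

        <!-- Encryption without caller authentication: clientCredentialType="None"
             switches the transport to TLS, so the service must present a
             certificate (see the behavior below) and every caller is anonymous.
             Authorization then has to happen inside the service, because WCF
             no longer knows who is calling. -->
        <binding name="AnonymousTls" receiveTimeout="00:10:00" sendTimeout="00:01:00">
          <security mode="Transport">
            <transport clientCredentialType="None" protectionLevel="EncryptAndSign" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>

    <services>
      <!-- Demo.Service and Demo.IService are assumed type names. -->
      <service name="Demo.Service" behaviorConfiguration="ServiceCert">
        <endpoint address="net.tcp://demo.example.local:8000/Demo"
                  binding="netTcpBinding"
                  bindingConfiguration="AnonymousTls"
                  contract="Demo.IService" />
      </service>
    </services>

    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceCert">
          <serviceCredentials>
            <!-- Assumed certificate: installed in LocalMachine\My with
                 subject CN=demo.example.local. Required by AnonymousTls. -->
            <serviceCertificate findValue="CN=demo.example.local"
                                storeLocation="LocalMachine"
                                storeName="My"
                                x509FindType="FindBySubjectDistinguishedName" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

    To confirm which binding is really in effect, point the endpoint's bindingConfiguration at each name in turn and capture the TCP traffic: with WeakBinding the request payload is readable in the capture, with the other two it is not.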

All replies

  • Hi Mou,

    There's a tag <transport protectionLevel> in your app.config file. You can use this to assign security.

    You could watch this video: Authentication in WCF

    <bindings>
      <netTcpBinding>
        <binding name="DefaultBinding" receiveTimeout="00:10:00" sendTimeout="00:10:00">
          <security mode="Transport">
            <transport protectionLevel="None" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>

    Thanks

    Sabah Shariq


    Friday, November 13, 2015 12:07 PM
  • Thanks for the answer. It would be great if you could explain the meaning of the config-related entries you pasted here.

    I asked that I want to provide security without implementing any authentication in WCF. From your write-up it is still not clear what you are trying to say. What will the above setting do?

    I am new to WCF... so please guide me in detail.

    Friday, November 13, 2015 3:10 PM
  • Thanks for the nice reply. Still, a few things are not clear. You said:

    <security mode="Transport">: Here I am defining the security mode for netTcpBinding, and it is Transport, which means my message will get encrypted at the transport layer. Example: if your message is Hello then it will be encrypted into something like aGcwq. If you use "None", the message will be open to the world.

    I have a doubt about how the message will be encrypted automatically just by setting security mode="Transport".

    I heard people use SSL to encrypt messages, but I do not know how a message can be encrypted without SSL?

    Please help me to understand this.

    What is the meaning of <transport protectionLevel="None" />?

    What other options are there for protectionLevel?

    What are receiveTimeout="00:10:00" and sendTimeout="00:10:00"?

    What does the receive timeout do?

    What does the send timeout do?

    Please discuss. Thanks

    • Edited by Mou_kolkata Saturday, November 14, 2015 10:34 AM
    Saturday, November 14, 2015 10:32 AM
  • Hi Mou,

    >> I have a doubt about how the message will be encrypted automatically just by setting security mode="Transport".

    I heard people use SSL to encrypt messages, but I do not know how a message can be encrypted without SSL?

    When the system is configured with 'Transport' mode, WCF uses a secured communication protocol. The available secure transports are HTTPS, TCP, IPC and MSMQ. Transport security encrypts all communication on the channel and provides integrity, privacy and mutual authentication. If you want to see that messages are encrypted you could use some network monitoring tool (Fiddler etc.).

    >> What is the meaning of <transport protectionLevel="None" />?

    What other options are there for protectionLevel?

    <copied>

    Authentication

    Authentication is the act of verifying that the caller of a service is indeed who that caller claims to be. While authentication is typically referred to in the context of verification of the caller, from the client perspective there is also a need for service authentication; that is, assuring the client that the service it calls really is the service it intends to call. This is especially important with clients who call over the Internet, because if a malicious party subverts the client's DNS service, it could hijack the client's calls. WCF offers various authentication mechanisms:

    No authentication

        The service does not authenticate its callers, and virtually all callers are allowed.
    Windows authentication

        The service typically uses Kerberos when a Windows Domain Server is available, or NTLM when deployed in a workgroup configuration. The caller provides the service with its Windows credentials (such as a ticket or a token) and the service authenticates that against Windows.
    Username and password

        The caller provides the service with a username and a password. The service then uses these credentials against some kind of credentials store, such as Windows accounts or a custom credentials store (such as a dedicated database).
    X509 certificate

        The client identifies itself using a certificate. Typically, that certificate is known in advance to the service. The service looks up the certificate on the host side and validates it, thus authenticating the client. Alternatively, the service may implicitly trust the issuer of the certificate and hence the client presenting it.
    Custom mechanism

        WCF allows developers to replace the built-in authentication mechanisms with any protocol and credential type, such as using biometrics. These custom solutions are beyond the scope of this book.
    Issued token

        The caller and the service can both rely on a secure token service to issue the client a token that the service recognizes and trusts. Such a service is typically federated and encapsulates the act of authenticating and securing the call. Windows CardSpace is an example of such a secure token service. However, federated security and CardSpace are beyond the scope of this book.

    </copied>

    >> What are receiveTimeout="00:10:00" and sendTimeout="00:10:00"?

    What does the receive timeout do?

    What does the send timeout do?

    receiveTimeout: How long a client waits for the service to accept a request.

    sendTimeout: How long a service waits for the client to accept a response.

    You could read this article for more information: Security

    Hope this helps you.

    Thanks,

    Sabah Shariq


    Monday, November 16, 2015 2:23 PM
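    The reply above answers the protectionLevel question with a list of WCF authentication mechanisms; the values a netTcpBinding transport element actually accepts are None, Sign and EncryptAndSign. The client-side app.config below is an added example, not configuration from the thread. It pairs with a service whose netTcpBinding uses clientCredentialType="None" over TLS: the client never authenticates, but it does verify the service certificate, so it knows it is talking to the real service before it sends any data. The comments also give the timeout semantics as WCF defines them: sendTimeout bounds one send operation (on the client, sending the request and receiving the reply), and receiveTimeout bounds how long a session channel may sit idle before WCF faults it. demo.example.local, Demo.IService and the port are assumed.

```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <!-- Must mirror the service binding: Transport mode, anonymous client,
             EncryptAndSign. A client whose protectionLevel does not match the
             service's fails at channel open, which is a useful early check. -->
        <binding name="AnonymousTls"
                 sendTimeout="00:01:00"
                 receiveTimeout="00:10:00">
          <!-- sendTimeout: a single call (request out, reply back) must finish
               within one minute or the channel faults.
               receiveTimeout: the session may stay idle for ten minutes; after
               that the channel is torn down and must be reopened. -->
          <security mode="Transport">
            <transport clientCredentialType="None" protectionLevel="EncryptAndSign" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>

    <client>
      <!-- Demo.IService is an assumed contract name. -->
      <endpoint name="DemoEndpoint"
                address="net.tcp://demo.example.local:8000/Demo"
                binding="netTcpBinding"
                bindingConfiguration="AnonymousTls"
                behaviorConfiguration="ValidateServiceCert"
                contract="Demo.IService">
        <!-- The subject of the certificate the service presents must match
             this DNS identity; otherwise the TLS handshake is rejected and no
             message is sent. -->
        <identity>
          <dns value="demo.example.local" />
        </identity>
      </endpoint>
    </client>

    <behaviors>
      <endpointBehaviors>
        <behavior name="ValidateServiceCert">
          <clientCredentials>
            <serviceCertificate>
              <!-- ChainTrust: the service certificate must chain to a root the
                   client trusts, and revocation is checked online. Setting
                   certificateValidationMode="None" would accept any certificate
                   and remove the only authentication left in this setup. -->
              <authentication certificateValidationMode="ChainTrust"
                              revocationMode="Online" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

    With this pairing the answer to the original question is: WCF can give you an encrypted, integrity-protected channel with no client credentials at all, but the service then sees every caller as anonymous, so anything that should be restricted still needs an authorization check inside the service.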