没有客户端证书的WCF消息/方法安全性

Question

I have a WCF service, hosted in IIS. On the service, I have about 20 methods in the service. I would like to secure SOME of those methods with username/password. I don't have any control over the clients that are calling the service, so I can't install a certificate on the client. Our services act as a platform, holding all the user profile information, including login information.

I THINK that I would like the clients to authenticate once to the Authenticate(username,password) method on the WCF service, get an authorization token back, and pass that token for subsequent calls. (Sort of like Asp.net membership providers use of forms auth sessions). I don't want the client to have to pass the username/password for every method call, if possible. Is this the right pattern? Is there a better way to get this feature to work using standard WCF functionality? Does anybody have any sample config/code to show the right way to get this to work?

Answer 1

WCF does not provide per operation authentication out of the box. If you want secured and unsecured operations the easiest approach is to divide them into two service contracts and expose each with different security settings.

Your idea of authorization token is already implemented in WCF but in your scenario you have to use wsHttpBinding, UserName client credentials, SecurityContext and service certificate.

  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="securedService">
          <serviceCredentials>
            <serviceCertificate x509FindType="FindBySubjectName" findValue="ServerCert" 
                                storeLocation="LocalMachine" storeName="My"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <bindings>
      <wsHttpBinding>
        <binding name="Secured">
          <security mode="Message">
            <message clientCredentialType="UserName" establishSecurityContext="true" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="MessageSecurity.Service" behaviorConfiguration="securedService">
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="Secured"
                  contract="MessageSecurity.IService">
        </endpoint>
      </service>
    </services>
  </system.serviceModel>

SecurityContext is interoperable feature based on WS-SecureConversation. It requires passing user name and password only in first call from service proxy instance (in WCF this is fully transparent - client proxy instance maintains security context). Following calls only use security token issued during first call. SecurityContext is turned on by default in wsHttpBinding.

This configuration will also encrypt and sign messages - it is full power WS-Security. Any other approach is just up to you. You will have to implement it completely by yourselves.

You mentioned that you don't have control over clients. It doesn't mean that you can't use certificate. If you use certificate, it is responsibility of clients to get it if they want to call your service. It has nothing to do with control over clients its about trust to the certificate - for public web service it means buying the certificate from trusted certification authority.

Moreover it is possible to get service certificate without installing it. First possibility is to use certificate as endpoint identity. In such case, encoded certificate is part of WSDL:

<wsdl:service name="Service">
  <wsdl:port name="WSHttpBinding_IService" binding="tns:WSHttpBinding_IService">
    <soap12:address location="http://localhost:1432/Service.svc" /> 
    <wsa10:EndpointReference>
      <wsa10:Address>http://localhost:1432/Service.svc</wsa10:Address> 
      <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <X509Data>
            <X509Certificate>MIICmzCCAYegAwI....<X509Certificate> 
          </X509Data>
        </KeyInfo>
      </Identity>
    </wsa10:EndpointReference>
  </wsdl:port>
</wsdl:service>

This is automatically done if you specify wsHttpBinding endpoint with service certificate configured and you do not set its identity. Drawback of this method is that certificate expiration. If you change expired certificate all clients must be updated.

Second possibility is to enable service credentials negotiation:

<bindings>
  <wsHttpBinding>
    <binding name="Secured">
      <security mode="Message">
        <message clientCredentialType="UserName" negotiateServiceCredential="true"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

Negotiation is turned on by default. It uses TLSNego protocol to exchange service credentials (certificate) before secure communication starts. Drawback of this method is that TLSNego is not supported by all platforms.

Answer 2

FYI: If you want to use the built-in WCF custom user/pass subsystem, WCF 4.0 introduced an Allow Insecure Transport property . This allows you to use the WCF security subsystem without certs etc... This is useful in situations where you consider the messaging to be secured even though WCF doesn't think it is (such as when SSL is done on an appliance level instead of a webserver level, or when IP filtering is used).