HTTPS-enabled, IIS hosted WCF service, How to secure it?
Question
I have built a fairly simple WCF service, which I host on an IIS 7.5 instance. I have gone about the necessary steps to secure an ssl certificate to enable https. I have resolved all the various DNS settings so I can now hit my WCF at the given Https:// URL from the world at large. The goal is this: Some sort of client/server authentication for the approximately 5 clients that will be sending data to the service. What is the best approach to securing this service? It is very simple at this point with only one method. I'm sure there will be some changes to the web.config as well as the codebehind. Examples greatly appreciated.
Here's Web.config
<!-- language: lang-xml -->
<?xml version="1.0"?>
<configuration>
<appSettings>
<add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5"/>
</system.web>
<system.serviceModel>
<services>
<service name="wcflistener.Service1">
<endpoint address=""
binding="basicHttpBinding"
bindingConfiguration="secureHttpBinding"
contract="wcflistener.IService1"/>
<endpoint address="mex"
binding="mexHttpsBinding"
contract="IMetadataExchange" />
</service>
</services>
<bindings>
<basicHttpBinding>
<binding name="secureHttpBinding">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information, set the values below to false before deployment -->
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
<!--
To browse web app root directory during debugging, set the value below to true.
Set to false before deployment to avoid disclosing web app folder information.
-->
<directoryBrowse enabled="true"/>
</system.webServer>
</configuration>
And the very simple Service1.svc.cs
[DataContract]
public class Service1 : IService1
{
public void SampleMethod(DataTable table, string name)
{
//sample method logic here
}
}
1 answers
solution1
0 ACCPTED 2014-04-03 23:12:08
With WCF, there are several security options available to you, all having their pros/cons:
- SSL + Use of Windows Authentication. (this is normally difficult for internet hosted services since everybody needs to talk to the same domain controller)
- SSL + Username/password: WCF can facilitate this easily, where the client passes in a username/password and the service can verify the values with the pre-configured values and allow the client further.
- Certificate based Authetication: typically, clients can be given public keys of your server certificate so that they can call the service using that. this however does not identify the client completely. anybody can get your public key.
- Mutual Certificates OR 2 way SSL: this is when the client has a private key and gives the public key to the service. and vice-versa, ie the service gives its public key to the client.
it depends on what level of authentication you need. for very few clients, username/password is sufficient. (there is always the risk of losing those)
for major clients 2 way SSL are pretty secure, since people don't lose private keys so easily.
depending on your choice, further code samples can be shared.
For option #, follow this link. (you can use your SSL certificate in the below steps)
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.