Chapter 5: Protecting a WCF Service over the Internet



Overview

After completing this chapter, you will be able to:

  • Describe how to configure and use the SQL Membership Provider and the SQL Role Provider for ASP.NET to store and query user identity and role information for a WCF service.

  • Explain how to configure a WCF service to authenticate users by using certificates.

  • Describe how to use certificates to authenticate a WCF service to a client application.

Managing client application and WCF service security inside an organization requires some thought, but WCF provides bindings and behaviors that you can use to simplify many of the tasks associated with protecting communications. Together with the authentication and authorization features included with the .NET Framework 3.0, you can help to ensure that clients and services transmit messages in a confidential manner and have a reasonable degree of confidence that only authorized users are submitting requests to services. However, bear in mind that an organization’s internal network is a relatively benign environment because of its inherent privacy: hackers might be able to penetrate your network, but this is an exceptional circumstance rather than the norm. As long as your system and network administrators maintain the security of the organization’s infrastructure, you can assume a certain degree of trust between client applications and services. Features such as message encryption, authentication, and authorization are important, but they can operate at the relatively unobtrusive level described in Chapter 4, “Protecting an Enterprise WCF Service.”

When you start connecting client applications and services across a public network such as the Internet, you can no longer make any assumptions about the trustworthiness of client applications, services, or the communications passing between them. For example, how does a client application verify that the service it is sending messages to is the real service and not some nefarious spoof that happens to have supplanted the real service, or that is simply intercepting and logging messages before forwarding them on to the real service? How does a service know that the user running the client application is who he or she claims to be? How does a service distinguish genuine requests sent by an authenticated client application from those generated by some program written by an attacker attempting to probe the service by sending it messages and seeing whether the service responds with any error information that reveals a potential security weakness? The Internet is a potentially hostile environment, and you must treat all communications passing over it with the utmost suspicion. In this chapter, you will examine some techniques that you can use to help protect client applications, services, and the information transmitted between them.


Microsoft Windows Communication Foundation Step by Step (Step By Step Developer Series)
ISBN: 0735623368
Year: 2007
Pages: 105
Authors: John Sharp