Is a TransportWithMessageCredential without a certificate secure enough for the WCF service?

I developed a standalone WCF service, for which I have two basic security requirements, as they will be available over the Internet:

  • The transport layer should prevent tampering and sniffing, especially sniffing for authentication data. This is what SSL does, but from what I saw when setting up SSL, you need to install certificates (except, perhaps, through this hack, which uses files with a regular certificate), which I prefer not to do.

  • The authentication layer should consist of a username/password validator.

I configured my service to use:

    <security mode="TransportWithMessageCredential">
      <message clientCredentialType="UserName" />
      <transport clientCredentialType="Basic" />
    </security>

Even if the transport layer is HTTP (and not HTTPS), does WCF then provide a level of security equivalent to SSL? If not, what is the difference in security?

Also, is there a way to protect the metadata endpoint without using an SSL certificate (not important, but will be appreciated)?

Here is my complete self-hosted service configuration:

    <?xml version="1.0"?>
    <configuration>
      <startup>
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0" />
      </startup>
      <system.serviceModel>
        <services>
          <service name="MyService">
            <host>
              <baseAddresses>
                <add baseAddress="http://localhost:8000/Services" />
              </baseAddresses>
            </host>
            <!-- bindingConfiguration is required; without it the endpoint uses the
                 default wsHttpBinding and the "Binding1" security settings are never applied -->
            <endpoint address="MyService" binding="wsHttpBinding"
                      bindingConfiguration="Binding1" contract="IMyService">
              <identity>
                <dns value="localhost" />
              </identity>
            </endpoint>
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
          </service>
        </services>
        <bindings>
          <wsHttpBinding>
            <binding name="Binding1" maxReceivedMessageSize="2147483647">
              <security mode="TransportWithMessageCredential">
                <message clientCredentialType="UserName" />
                <transport clientCredentialType="Basic" />
              </security>
            </binding>
          </wsHttpBinding>
        </bindings>
        <behaviors>
          <serviceBehaviors>
            <behavior>
              <serviceMetadata httpGetEnabled="True" />
              <serviceCredentials>
                <userNameAuthentication userNamePasswordValidationMode="Custom"
                                        customUserNamePasswordValidatorType="CR.Common.Services.CustomValidator, Common" />
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
      </system.serviceModel>
    </configuration>

Thanks!

security c# web-services wcf
1 answer

By default, all WCF secure bindings (for example, wsHttpBinding) will encrypt and sign messages.

SSL requires a certificate, and the link you posted is a WCF hack, not SSL. Without SSL, WCF prohibits the use of basicHttpBinding (which sends XML in the clear) together with UserNamePasswordValidator, because in that case anyone who intercepts the message can get the username/password.

With WSHttpBinding, you can avoid SSL and put security at the message level.

I highly recommend you read this article, especially the "Service credentials and negotiation" section:

> To support mutual authentication and message security, services must provide credentials to the caller. When transport security (SSL) is used, service credentials are negotiated through the transport protocol. Service credentials for message security can also be negotiated using Windows credentials; otherwise the service certificate must be specified.

Using UserNamePasswordValidator, you must configure a certificate on the server to enable the client to sign and encrypt each message (using the public key of the certificate). If you used Windows authentication, you would not need it.

Why are you so worried about the certificate?

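To make the answer concrete, here is an added configuration example (not the asker's or answerer's code) showing the message-security setup the answer describes: wsHttpBinding with `mode="Message"` and a UserName credential over plain HTTP, with the service certificate the answer says is required. The certificate subject name is a placeholder; the binding name and the `MessageUserName` identifier are assumed, and the service/contract/validator names are taken from the question. Note that `TransportWithMessageCredential` on wsHttpBinding requires an HTTPS base address, so the original configuration would fail at host open rather than silently run over HTTP.

```xml
<system.serviceModel>
  <services>
    <service name="MyService">
      <host>
        <baseAddresses>
          <!-- Plain HTTP is acceptable here: confidentiality and integrity come
               from WS-Security at the message level, not from the transport -->
          <add baseAddress="http://localhost:8000/Services" />
        </baseAddresses>
      </host>
      <!-- bindingConfiguration is what actually applies the secured binding -->
      <endpoint address="MyService" binding="wsHttpBinding"
                bindingConfiguration="MessageUserName" contract="IMyService" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <bindings>
    <wsHttpBinding>
      <!-- Message security: every SOAP message is signed and encrypted using the
           service certificate, and the UserName token travels encrypted inside it -->
      <binding name="MessageUserName" maxReceivedMessageSize="2147483647">
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior>
        <serviceMetadata httpGetEnabled="true" />
        <serviceCredentials>
          <!-- Required with Message security + UserName: the client encrypts the
               credentials with this certificate's public key. The subject name
               is a placeholder for a certificate installed in LocalMachine\My -->
          <serviceCertificate findValue="PLACEHOLDER-ServiceCertSubjectName"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindBySubjectName" />
          <userNameAuthentication userNamePasswordValidationMode="Custom"
                                  customUserNamePasswordValidatorType="CR.Common.Services.CustomValidator, Common" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

The certificate still has to exist on the server; what this avoids is binding it to the HTTP listener as an SSL certificate, which is the part of the SSL setup the question wanted to skip.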