What is the fastest security configuration for netTcpBinding?

I am running a WCF service which, among other things, is used as the back end of a website. Since both the website and the WCF service are running on the same computer, and in the interest of performance, I configured it using netTcpBinding.

Now the fact is that, since they exist in one box, I really do not care about security at the transport level, nor about encryption at the message level; the only possible way to intercept messages is if someone gets to the web server itself, and if they do, I already have big problems.

So my question is: when the client and server are already in the trusted subsystem, what configuration can be used to ensure that netTcpBinding is as fast as possible?

Of course, the answer may be to use "None" security. But in my specific case, I still need to use UserName authentication against the user database. Can it be configured so that it still uses UserName authentication, but does not bother with certificates or with securing the data between endpoints? Or do I possibly need to implement a custom behavior with a custom SOAP header to carry the username / password, so that I can really set the security to "None"?

Server configuration

<netTcpBinding>
  <binding name="Net_Tcp_Binding">
    <security mode="Message">
      <message clientCredentialType="UserName" />
    </security>
  </binding>
</netTcpBinding>

It uses custom UserName authentication - basically, each call is authenticated and authorized against the user database. The service side also uses a certificate to negotiate with its clients, for example:

<serviceBehaviors>
  <behavior name="MyBehavior">
    <serviceMetadata httpGetEnabled="true" />
    <serviceDebug includeExceptionDetailInFaults="true" />
    <serviceAuthorization principalPermissionMode="Custom">
      <authorizationPolicies>
        <add policyType="MyAssembly.CustomAuthorizationPolicy,MyAssembly" />
      </authorizationPolicies>
    </serviceAuthorization>
    <serviceCredentials>
      <userNameAuthentication userNamePasswordValidationMode="Custom"
                              customUserNamePasswordValidatorType="MyAssembly.CustomCredentialValidator,MyAssembly" />
      <serviceCertificate x509FindType="FindBySubjectName"
                          findValue="CN=servercert"
                          storeLocation="LocalMachine"
                          storeName="My" />
    </serviceCredentials>
  </behavior>
</serviceBehaviors>

Client configuration

<netTcpBinding>
  <binding name="Net_Tcp_Endpoint">
    <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
    <security mode="Message">
      <message clientCredentialType="UserName" />
    </security>
  </binding>
</netTcpBinding>
+6
security wcf nettcpbinding
1 answer

None will be fastest, yes :-)

On the other hand, if your service and backend are running on the same computer, you should also take a serious look at the netNamedPipe binding, which is absolutely optimal if you have "on the machine" communication. It is even faster and more efficient than netTcp.

In order to authenticate the caller to the service, you will need to use some kind of security method - since netNamedPipe only supports "none" or "Windows", I would choose Windows. If you use none, you have no way to identify (authenticate) the caller, and therefore you cannot have authorization (who can do what) based on the caller's identity.

After you authenticate the caller (who is calling me), you can use either Windows groups or the built-in ASP.NET membership / role provider subsystem to perform role-based authorization, to ensure that you can perform any operations. This can be configured using a service behavior called <serviceAuthorization> in the behaviors section of your service configuration.

Mark

+4
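
The named-pipe setup described in the answer above, as an added configuration sketch that is not part of the original question or answer. The service, contract, binding and behavior names and the endpoint address are hypothetical; in configuration, the "Windows" option is written as security mode "Transport".

```xml
<!-- Added example. MyAssembly.MyService, MyAssembly.IMyService, Local_Pipe_Binding,
     PipeBehavior and the endpoint address are hypothetical names. -->
<system.serviceModel>
  <bindings>
    <netNamedPipeBinding>
      <binding name="Local_Pipe_Binding">
        <!-- netNamedPipeBinding has two security modes: "None" and "Transport".
             "Transport" authenticates the caller with its Windows identity. -->
        <security mode="Transport">
          <!-- EncryptAndSign is the default; Sign and None give up protection
               on the pipe in exchange for less per-message work. -->
          <transport protectionLevel="EncryptAndSign" />
        </security>
      </binding>
    </netNamedPipeBinding>
  </bindings>

  <services>
    <service name="MyAssembly.MyService" behaviorConfiguration="PipeBehavior">
      <!-- net.pipe endpoints are reachable only from the local machine. -->
      <endpoint address="net.pipe://localhost/MyService"
                binding="netNamedPipeBinding"
                bindingConfiguration="Local_Pipe_Binding"
                contract="MyAssembly.IMyService" />
    </service>
  </services>

  <behaviors>
    <serviceBehaviors>
      <behavior name="PipeBehavior">
        <!-- Keep exception details out of faults returned to callers. -->
        <serviceDebug includeExceptionDetailInFaults="false" />
        <!-- Role checks resolve against Windows groups. To use the ASP.NET
             role provider instead, set principalPermissionMode="UseAspNetRoles"
             and name the provider with roleProviderName. -->
        <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

With this binding the service sees the Windows account that the website process runs under, not a UserName credential checked against the user database, because netNamedPipeBinding offers no message-level UserName option.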