Security Overview

WCF provides a versatile and interoperable platform for exchanging secure messages based upon both the existing security infrastructure and the recognized security standards for SOAP messages. WCF not only integrates with existing security infrastructures, but also extends distributed security beyond Windows-only domains by using secure SOAP messages. Consider WCF an implementation of existing security mechanisms with the major advantage of using SOAP as the protocol in addition to existing protocols. For example, credentials that identify a client or a service, such as a user name and password or a certificate, have interoperable XML-based SOAP profiles. Using these profiles, messages are exchanged securely by taking advantage of open specifications like XML digital signatures and XML encryption. For a list of specifications, see Web Services Protocols Supported by System-Provided Interoperability Bindings.

COM has a comprehensive security mechanism whereby security context can be flowed between components; this mechanism enforces integrity, confidentiality, and authentication. However, COM does not enable cross-platform, secure messaging as WCF does. WCF uses concepts that are familiar if you have built secure, distributed applications with existing technologies such as HTTPS, Windows integrated security, or user name and password authentication. Using WCF, you can build services and clients that span from Windows domains across the Internet. The interoperable messages of WCF are essential for building dynamic, business-driven services that help you feel confident in the security of your information.
Using WCF, you can create applications that function as both services and service clients, creating and processing messages from an unlimited number of other services and clients. In such a distributed application, messages can flow from node to node, through firewalls, onto the Internet, and through numerous SOAP intermediaries. This introduces a variety of message security threats. The following examples illustrate some common threats that WCF security can help mitigate when exchanging messages between entities:

- Observation of network traffic to obtain sensitive information. For example, in an online-banking scenario, a client requests the transfer of funds from one account to another. A malicious user intercepts the message and, having the account number and password, later performs a transfer of funds from the compromised account.
- A rogue entity. In this scenario, a malicious user (the rogue) acts as an online service and intercepts messages from the client to obtain sensitive information. Then the rogue uses the stolen data to transfer funds from the compromised account. This attack is also known as a phishing attack.
- Tampering with a message without detection. For example, altering the account number to which a deposit is made allows the funds to go to a rogue account.
- Replaying a message. For example, an online bookstore receives hundreds of orders and sends the books to a customer who has not ordered them.
- Inability to authenticate the sender. In this case, the service cannot assure that the appropriate person performed the transaction.

Some organizations take advantage of a security infrastructure that has already been deployed, such as Windows domains using Active Directory. It is often necessary to integrate with these existing technologies while evaluating and adopting newer ones. The entities in communication use credentials to identify themselves. As distributed communication platforms have evolved, various credential authentication and related security models have been implemented. For example, on the Internet, the use of a user name and password to identify users is common.
On the intranet, the use of a Kerberos domain controller to back up user and service authentication is becoming common. In certain scenarios, such as between two business partners, certificates may be used to mutually authenticate the partners. WCF security supports a wide variety of credential types (authentication models), including anonymous callers.

Distributed computing and communications platforms need to interoperate with the technologies that different vendors offer. Likewise, security must also be interoperable. Specifically regarding security, a few notable standards have been proposed: WS-Security: SOAP Message Security (accepted by the OASIS standards body and formerly known as WS-Security), WS-Trust, WS-SecureConversation, and WS-SecurityPolicy. The BasicHttpBinding class is targeted at the Basic Security Profile (BSP), and the WSHttpBinding class is targeted at the latest security standards, such as the later WS-Security versions and WS-SecureConversation. By adhering to these standards, WCF security can interoperate and integrate with Web services that are hosted on operating systems and platforms other than Microsoft Windows. The following sections briefly discuss these areas and provide links for more information.

Integrity is the ability to detect whether a message has been tampered with. Confidentiality is the ability to keep a message unreadable by anyone other than the intended recipient; this is achieved through cryptography. Authentication is the ability to verify a claimed identity. Together, these three functions help to ensure that messages securely arrive from one point to another.

Transport security mode has the advantage of being widely adopted, available on many platforms, and less computationally complex. However, it has the disadvantage of securing messages only from point to point.
Because message security is applied directly to the SOAP messages and is contained inside the SOAP envelopes, together with the application data, it has the advantage of being transport-protocol independent, more extensible, and ensuring end-to-end security (versus point-to-point); it has the disadvantage of being several times slower than transport security mode because it has to deal with the XML nature of the SOAP messages.

A mode that combines transport and message security is called TransportWithMessageCredential. In this mode, message security is used to authenticate the client and transport security is used to authenticate the server and provide message confidentiality and integrity. Thanks to this, the TransportWithMessageCredential security mode is almost as fast as transport security mode and provides client authentication extensibility in the same way as message security. However, unlike message security mode, it does not provide complete end-to-end security.

Authorization allows different users to have different privileges to view data. For example, because a company's human resources files contain sensitive employee data, only managers are allowed to view employee data. Further, managers can view only data for their direct reports. In this case, access control is based on both the role (manager) and the identity of the caller. For details about access control and claims-based authorization, see Extending Security.

You can log security-related events, such as authentication failures (or successes). For more information, see Auditing. For programming details, see How to: Audit Security Events.
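As an added example (not code from this page or from Microsoft's documentation), a self-hosted WCF service wired up the way the preceding paragraphs describe: the TransportWithMessageCredential binding, a role check combined with an identity check for the human-resources scenario, and security auditing. The IHrService contract, the HrService type, the address and the ReportsTo lookup are assumptions.

```csharp
using System;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;
[ServiceContract]
public interface IHrService
{
    [OperationContract]
    string GetEmployeeRecord(string employeeId);
}
public class HrService : IHrService
{
    // Role check: only callers in the Managers role reach this operation.
    [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
    public string GetEmployeeRecord(string employeeId)
    {
        // Identity check on top of the role: the caller's name is taken from the
        // authenticated security context, never from a value inside the message body.
        string caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        if (!ReportsTo(employeeId, caller))
            throw new FaultException("Caller is not this employee's manager.");
        return "record for " + employeeId;
    }

    // Hypothetical reporting-line lookup; a real service would query the HR directory.
    static bool ReportsTo(string employeeId, string manager) => true;
}

public static class HrHost
{
    public static void Main()
    {
        // SecurityMode.Transport alone protects the channel but authenticates no client;
        // TransportWithMessageCredential keeps TLS and adds a user-name token in the SOAP header.
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        var host = new ServiceHost(typeof(HrService), new Uri("https://hr.example.invalid:8443/"));
        host.AddServiceEndpoint(typeof(IHrService), binding, "HrService");

        // Record authentication and authorization outcomes in the Application event log.
        host.Description.Behaviors.Add(new ServiceSecurityAuditBehavior
        {
            AuditLogLocation = AuditLogLocation.Application,
            MessageAuthenticationAuditLevel = AuditLevel.SuccessOrFailure,
            ServiceAuthorizationAuditLevel = AuditLevel.SuccessOrFailure
        });
        host.Open();
    }
}
```

With the default behaviors, user-name tokens are validated against Windows accounts and PrincipalPermission roles map to Windows groups, so the Managers group decides who passes the role check.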