Do you secure your web services using WCF over WSE3 and SSL?
10/20/2010 7:56 PM by
Windows Communication Foundation (WCF) extends .NET Framework to enable building secure, reliable & interoperable Web Services.
WCF demonstrated interoperability with using the Web Services Security (WSS) including UsernameToken over SSL, UsernameToken for X509 Certificate and X509 Mutual Certificate profiles.
WSE has been outdated and replaced by WCF and has provided its own set of attributes that can be plugged into any Web Service application.
Implementation of security at the message layer security has several policies that can suite any environment including:
At SSW we implement UserName Token using the standard login screen that prompts for a Username and a Password, which then gets passed into the SOAP header (at message level) for authorization.
- Windows Token
- UserName Token
- Kerbose Token
- X.509 Certificate Token
This requires SSL which provides a secure tunnel from client to server.
However, message layer securtiy does not provide authentication security, so it does not stop the ability for a determined hacker to try user name / password attempts forever. Custom Policies setup at Application Level can to prevent brute force.
Indigo has got the smarts to negotiate to the most performant serialization and transport protocol that either side of the WS conversation can accommodate, so it will have the best performance having "all-things-being-equal". You can configure the web services SSL session simply in the web.config file.
After having Configure an SSL certificate (in the LocalMachine store of the server), the following lines are required in the web.config:
<service type="WCFService" name="WCFService"
<endpoint contract="IWCFService" binding="wsHttpBinding"
<binding name="WSHttpBinding_IWCFServiceBinding" >
<message clientCredentialType="UserName" />
<behavior name="ServiceBehaviour" returnUnknownExceptionsAsFaults="true" >
<serviceCertificate findValue="CN=SSW" storeLocation="LocalMachine"
Figure: Setting the SSL to Web Service for Message Layer Security.
Do you feel this rule needs an update?