WCF Direct Authentication using BasicHttpBinding - asp.net

I am trying to test a simple scenario on my development machine wherein I have a service which is configured on basicHttpBinding. I am trying to use CustomUserNamePasswordValidator and have configured the security mode as "TransportWithMessageCredential".
Now, when I test the service with a web client (both service and client on the ASP.NET Development Server), the service completely ignores the validator and simply returns the data, although I am passing wrong credentials from my client.
Is it because I am using the VS Development Server?
Is use of SSL over HTTP mandatory when we use TransportWithMessageCredential? Is there an alternative wherein I need not use HTTPS?

WCF does not support any configurations out of the box which would permit transmission of unsecured credentials.
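As an added example (not code from the question or the answer above), here is a self-hosted service wired up the way the question describes, with the binding and the custom validator configured programmatically rather than in config. The contract, the hard-coded credential, the port and the certificate binding are assumptions for illustration; the one point the code makes concrete is that TransportWithMessageCredential cannot open without an https base address, and that the validator only runs when the endpoint's binding actually carries a UserName token.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IHelloService
{
    [OperationContract]
    string Hello(string name);
}

public class HelloService : IHelloService
{
    public string Hello(string name) => "Hello, " + name;
}

// WCF invokes this only for endpoints whose binding carries a UserName token in
// the message. An endpoint with security mode None or Transport never calls it,
// no matter what credentials the client sends.
public class DemoUserNameValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        // Hard-coded credential is an assumption for the example; a real validator
        // compares against a hashed password in a backing store.
        if (userName != "alice" || password != "correct horse battery staple")
            throw new FaultException("Unknown username or incorrect password");
    }
}

public static class Program
{
    public static ServiceHost BuildHost(Uri baseAddress)
    {
        var host = new ServiceHost(typeof(HelloService), baseAddress);

        // TransportWithMessageCredential = TLS on the wire, credentials in the SOAP
        // header. host.Open() throws if no https base address is available, which is
        // why WCF never lets this mode send the username and password in clear text.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
        host.AddServiceEndpoint(typeof(IHelloService), binding, "");

        // Register the validator on the service credentials. Without Custom mode WCF
        // validates the token against Windows accounts and the class above is never used.
        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new DemoUserNameValidator();
        return host;
    }

    public static string CallService(Uri address, string user, string password)
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
        var factory = new ChannelFactory<IHelloService>(binding, new EndpointAddress(address));
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        var proxy = factory.CreateChannel();
        var channel = (IClientChannel)proxy;
        try { return proxy.Hello(user); }
        finally { if (channel.State == CommunicationState.Faulted) channel.Abort(); else channel.Close(); }
    }

    public static void Main()
    {
        // Assumes a server certificate trusted by the client is bound to port 8443
        // (netsh http add sslcert ...); without it host.Open() or the TLS handshake fails.
        var address = new Uri("https://localhost:8443/hello");
        using (var host = BuildHost(address))
        {
            host.Open();
            Console.WriteLine(CallService(address, "alice", "correct horse battery staple"));
            try
            {
                CallService(address, "alice", "wrong");
            }
            catch (CommunicationException e)
            {
                // The validator's fault is surfaced to the client as a security/communication exception.
                Console.WriteLine("Rejected as expected: " + e.Message);
            }
        }
    }
}
```

If the validator is never hit, the first thing to compare is the binding the client actually resolves against this one: a second, unsecured endpoint or a client config pointing at a plain http address bypasses the validator entirely, and the http scheme is exactly what this binding refuses to open on.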

Related

How to make Secure service to service calls between ASP.Net website and agent

I have an ASP.Net WebAPI service that is used by my AngularJS front end and I am making use of Owin and bearer tokens.
Now there is a need that we need to install an agent on a few of the client machines (developed in .Net Core mostly) that is able to connect to our application and make similar calls. I can create a separate controller for this need, but want to host it in the same website.
How can I create a secure connection between this agent and the ASP.Net server hosted on Azure?
Currently I am looking at generating a Token during the agent installation based on the client MAC address and giving it with each call, but I am checking if there are any better way to address this need.
Any help in this direction is welcome.
Regards
Kiran
It seems that you'd like to enable only valid "agents" installed on the client machines to communicate with your server. If that is the case, Azure AD provides the Native Application to Web API authentication scenario (a native application that runs on a phone, tablet, or PC needs to authenticate a user to get resources from a web API that is secured by Azure AD); you could refer to it.

Authenticate HTTP .NET client against Self Host Web API Windows Service

I found a great article about client/server implementation via Self Host Web API:
http://www.asp.net/web-api/overview/older-versions/self-host-a-web-api
And I am wondering about the correct authentication method for this model (Self Host Web API ).
Should I use bearer token authentication? Is there any other method?
Or for example http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
I have following working requirements:
C# http client must connect to Self Host Web API Windows Service and send files.
The connection must be secure 100%.
So how to protect WebAPI, any clue?
Have you checked this answer?
ASP.NET Web API Self-Host with Windows Authentication
Looks like it is working quite well with Windows Authentication.
BTW, Bearer is probably more flexible, but it depends on your needs.
BTW(2): HTTPS is a must if you want to achieve a high level of security, but 100% looks veeery high :)

do i need ssl on my web application?

I have an application which is structured as:
Web Application - WCF Service - Database
All communication to and from the database goes through the WCF Service; the Web Application is not able to directly talk to the database. I needed to protect the data as it travels across, so I set up SSL on my local machine to test and configured it in IIS, so now the WCF Service has to be hit using HTTPS. However, I did not set up my Web Application to use HTTPS. Is that ok? I thought since the WCF Service is doing all the transferring of data, it's the only one that needs HTTPS.
Thanks.
If you're interested in encrypting your data, you need to make sure it's passed encrypted on all tiers of your application. From your description it seems that the data passed from the user to the Web Application itself is unencrypted and therefore passed in clear text. This means that anyone that "listens" to the traffic between your users and the Web Application can intercept the data.
I recommend adding SSL on the Web Application too, to make sure that your data passes encrypted through all 3 tiers of your application.

wcf and security, authentication and ssl

We have built a WCF service for an application and everything is working out well, using WSHttpBinding. We now have been asked to make sure the communication between the Web Application -> WCF -> Database is secure and have been asked to use SSL. Along with that they are requesting we make sure the WCF service can not be accessed by another application.
If we set up SSL, does that block others from trying to get in, or do we still need to set up the clientCredentialType setting on the service? Also, the entire application (site, WCF, DB) will be within a company's network, so if we set clientCredentialType="Windows", which account is used? How does WCF know to allow the website to talk to it, which Windows account is it using, or is this an account we need to set up?
Thanks.
SSL has nothing to do with Authentication or Authorization.
It does 2 things:
prevents third parties from intercepting your traffic.
verifies that people are who they say they are.
The requirement "make sure the WCF service can not be accessed by another application" needs to be handled through some Authentication / Authorization mechanism. You could use Basic or Windows depending on your needs.
Since you're in the company's network, I'd attempt to use Windows Authentication. This will force clients to be authenticated through your domain; however, it looks like you don't want just any domain user to have access. In this case, you need to set up either role-based authorization or user-based. Either way, you can drop a Web.config file into the same folder as the WCF service endpoint specifying what accounts are authorized. Other users will see a 401 Unauthorized.
This is the general approach I'd take.
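The separation the answer draws (TLS for the wire, Windows authentication for identity, a role check for authorization) as an added example, not code from the question or answer: a self-hosted WSHttpBinding service over HTTPS that authenticates callers with their Windows identity and admits only members of one group. The contract, group name, host name and port are assumptions; the role demand is the programmatic equivalent of the Web.config authorization the answer mentions.

```csharp
using System;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string WhoIsCalling();
}

public class OrderService : IOrderService
{
    // Authorization, distinct from TLS and from authentication: only members of this
    // group may invoke the operation. WCF checks the caller's Windows token against
    // the group and returns an access-denied fault to everyone else.
    // The group name is an assumption for the example.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CORP\WcfWebAppCallers")]
    public string WhoIsCalling()
    {
        // The identity WCF authenticated. For a call made from an ASP.NET site this is
        // the application pool identity (or the service account the site runs as).
        return ServiceSecurityContext.Current.WindowsIdentity.Name;
    }
}

public static class Program
{
    public static ServiceHost BuildHost(Uri baseAddress)
    {
        var host = new ServiceHost(typeof(OrderService), baseAddress);

        // Transport = TLS for confidentiality and integrity. ClientCredentialType=Windows
        // is what actually authenticates the caller (Kerberos/NTLM over the TLS connection);
        // TLS on its own would let any client on the network call the service.
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        host.AddServiceEndpoint(typeof(IOrderService), binding, "");

        // Make [PrincipalPermission] roles resolve against Windows groups (the default, made explicit).
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;
        return host;
    }

    public static string CallAsCurrentProcess(Uri address)
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        var factory = new ChannelFactory<IOrderService>(binding, new EndpointAddress(address));
        // No explicit credential is set, so WCF presents the calling process's Windows
        // identity. For a web site that is the app pool account: put that account (not
        // individual users) in the authorized group.
        var proxy = factory.CreateChannel();
        var channel = (IClientChannel)proxy;
        try { return proxy.WhoIsCalling(); }
        finally { if (channel.State == CommunicationState.Faulted) channel.Abort(); else channel.Close(); }
    }

    public static void Main()
    {
        // Assumed host and port; a server certificate must be bound to the port (netsh http add sslcert ...).
        var address = new Uri("https://orders.corp.example:8443/orders");
        using (var host = BuildHost(address))
        {
            host.Open();
            try
            {
                Console.WriteLine("Accepted caller: " + CallAsCurrentProcess(address));
            }
            catch (SecurityAccessDeniedException e)
            {
                // Authenticated (a valid domain account) but not a member of the group.
                Console.WriteLine("Denied: " + e.Message);
            }
        }
    }
}
```

Run it once as an account in the group and once as an account outside it: the first prints the Windows name WCF saw, the second fails with an access-denied fault although the TLS handshake and the Windows authentication both succeeded, which is the "SSL has nothing to do with authorization" point in practice.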

How to set up a wcf service that only serves to one client (or a fixed number of clients)?

I have a WCF service hosted in IIS. Currently this service is required to be accessed by only one internet-facing application (Client A). Both client and server have proper production certificates installed. I have a feeling that I can use them to identify each other, as that's one of the purposes of certificates, but I am so confused with so many flavours of configuration options available in WCF. What is the best and most concise way of achieving it? A lot of solutions seem to either rely on the username/password way regardless of where the client application is, or just identify the client by using
<message clientCredentialType="Certificate" />
However, I am using clientCredentialType="UserName" in order to use the username/password scheme of authentication and authorisation.
I looked at the similar question at How to configure a WCF service to only accept a single client identified by a x509 certificate but no luck.
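The question above has no answer on the page. As an added example (my code, not the asker's and not from the linked question), here is the certificate route it mentions: message-level Certificate credentials with a custom X509CertificateValidator that pins the client's thumbprint, so that chain trust alone does not admit every certificate the same CA ever issued. The contract, host name, port and thumbprint are placeholders, and a server certificate is assumed to be bound to the https port. It replaces the UserName scheme the asker currently uses; with UserName credentials the equivalent restriction would be a validator that accepts only Client A's account.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IReportService
{
    [OperationContract]
    string Ping();
}

public class ReportService : IReportService
{
    public string Ping() => "pong for " + ServiceSecurityContext.Current.PrimaryIdentity.Name;
}

// Accept exactly the listed client certificates. ChainTrust alone admits any
// certificate the CA issued; pinning the thumbprint narrows the allow-list to
// the keys Client A actually holds.
public sealed class PinnedClientCertificateValidator : X509CertificateValidator
{
    private readonly string[] allowedThumbprints;

    public PinnedClientCertificateValidator(params string[] thumbprints)
    {
        // Thumbprints are hex SHA-1, case-insensitive and often pasted with spaces.
        allowedThumbprints = Array.ConvertAll(thumbprints, t => t.Replace(" ", "").ToUpperInvariant());
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new SecurityTokenValidationException("No client certificate presented");

        // Still build the chain so an expired or revoked certificate is refused even if pinned.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        if (!chain.Build(certificate))
        {
            var reason = chain.ChainStatus.Length > 0 ? chain.ChainStatus[0].StatusInformation : "unknown";
            throw new SecurityTokenValidationException("Client certificate chain is invalid: " + reason);
        }

        if (Array.IndexOf(allowedThumbprints, certificate.Thumbprint.ToUpperInvariant()) < 0)
            throw new SecurityTokenValidationException("Client certificate is not an authorised caller");
    }
}

public static class Program
{
    public static ServiceHost BuildHost(Uri baseAddress, params string[] clientThumbprints)
    {
        var host = new ServiceHost(typeof(ReportService), baseAddress);

        // TLS on the wire; the client signs each request with its certificate's private
        // key, so possession of that key is the credential, not a shared password.
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        host.AddServiceEndpoint(typeof(IReportService), binding, "");

        // Custom mode hands every presented client certificate to the validator above.
        var clientAuth = host.Credentials.ClientCertificate.Authentication;
        clientAuth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        clientAuth.CustomCertificateValidator = new PinnedClientCertificateValidator(clientThumbprints);
        return host;
    }

    public static string CallWithClientCertificate(Uri address, string thumbprint)
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        var factory = new ChannelFactory<IReportService>(binding, new EndpointAddress(address));
        // The client's own certificate (with private key) from its personal store.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, thumbprint);
        var proxy = factory.CreateChannel();
        var channel = (IClientChannel)proxy;
        try { return proxy.Ping(); }
        finally { if (channel.State == CommunicationState.Faulted) channel.Abort(); else channel.Close(); }
    }

    public static void Main()
    {
        // Placeholder thumbprint; read the real one from configuration, never from source.
        const string clientAThumbprint = "AB CD EF 01 23 45 67 89 AB CD EF 01 23 45 67 89 AB CD EF 01";
        var address = new Uri("https://reports.example.com:8443/reports");
        using (var host = BuildHost(address, clientAThumbprint))
        {
            host.Open();
            Console.WriteLine(CallWithClientCertificate(address, clientAThumbprint));
        }
    }
}
```

Any other certificate, including one issued by the same production CA, fails inside Validate before the operation runs; to admit a second client later, add its thumbprint to the list rather than relaxing the mode back to ChainTrust.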
