recent study [WCF comprehensive analysis] next volume of knowledge content for transport security to do a simple record, here simply record some points; contents of this article are from [WCF comprehensive analysis] next book;
WCF transport security mainly involves authentication, message consistency and confidentiality three themes; certification is a two-way authentication (server and client mutual authentication); consistency transfer content has not been tampered with; confidentiality is not random read ;
three security behavior: authentication, authorization, auditing
WCF two security modes: Transport security mode, Message security mode
(1) Transport security mode
advantages: high performance limitations than Message: dependency specific transport protocol, can only provide point-based, had to solve the transport layer client authentication; Intranet is a Transport Security Mode main application environment;
(2) Message security mode
advantages: the transport protocol independent, able to provide end to end secure transmission security, and there are a variety of authentication solutions for secure mode, Message security with good interoperability or Platform independence;
(3) mixed security mode (Mixed Mode)
For mixed security mode, message consistency, confidentiality, and authentication client service through Transport security mode to achieve, and implement the service using Message security mode on the client-authentication;
Transport security mode can not be avoided because of the limitations of mixed security mode can only provide point to point security.
one: Authentication (client user certificate type embodied server for client authentication methods different)
Configuration Example [P327] coding examples [P326]:
<bindings>
<netTcpBinding>
<binding name="transportTcpBinding">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
</netTcpBinding>
</bindings>
<services>
<service name="Artech.WcfServices.Service.CalculatorService" behaviorConfiguration="serviceCertificateBehavior">
<endpoint address="net.tcp://Jinnan-PC/calculatorservice" binding="netTcpBinding" bindingConfiguration="transportTcpBinding" contract="Artech.WcfServices.Service.Interface.ICalculator" />
</service>
</services>
system predefined bindings for different security modes supported
Systems Transport predefined bindings for different client certificate support
System Message predefined bindings for different client certificate support
two: Service Certification
Configuration Example [P337] coding examples [P337]
<services>
<service name="Artech.WcfServices.Service.CalculatorService"
behaviorConfiguration="serviceCertificateBehavior">
<endpoint address="net.tcp://Jinnan-PC/calculatorservice"
binding="netTcpBinding"
bindingConfiguration="transportTcpBinding"
contract="Artech.WcfServices.Service.Interface.ICalculator" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="serviceCertificateBehavior">
<serviceCredentials>
<serviceCertificate storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName"
findValue="Jinnan-PC" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
three: message protection [P366]
message protection level (System.Net.Security.ProtectionLevel):
1: None: do not take any measures to protect the confidentiality of the message consistency and
2: Sign: Through the entire message or a portion of the message is digitally signed to ensure the consistency of the message
3: EncryptAndSing: Through the entire message or a portion of simultaneous A name and encrypted to ensure consistency and confidentiality of messages
Definition: Can be set contractually
[ServiceContract]
public interface ICalculator
{
[OperationContract(ProtectionLevel=ProtectionLevel.EncryptAndSign)]
double Add(double x, double y);
}
can also be configured in the host:
<configuration>
<system.serviceModel>
<bindings>
<ws2007HttpBinding>
<binding name="bindingWithNoneSecurityMode">
<security mode="None">
</binding>
</ws2007HttpBinding>
</bindings>
<services>
<service name="Artech.WcfServices.Service.CalculatorService">
<endpoint binding="ws2007HttpBinding"
bindingConfiguration="bindingWithNoneSecurityMode"
contract="Artech.WcfServices.Service.Interface.ICalculator" />
</service>
</services>
</system.serviceModel>
</configuration>
particular attention: When the two are set to the attention of [P371]
four: Secure Session [P380]
For NetTcpBinding because of their connection-based (connection can be seen as a communication session between the two sides) characteristics of the session due to some security mechanism is always open;
WSDualHttpBinding through the session mechanism to maintain the relationship between the two HTTP channels, security session mechanism population is opened;
WSHttpBinding and WS2007HttpBinding to show the opening and closing of a secure session;
<configuration>
<system.serviceModel>
<bindings>
<ws2007HttpBinding>
<binding name="disableSecureSessions">
<security>
<message establishSecurityContext="false" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<services>
<service name="Artech.WcfServices.Service.CalculatorService">
<endpoint binding="ws2007HttpBinding"
bindingConfiguration="disableSecureSessions"
contract="Artech.WcfServices.Service.Interface.ICalculator" />
</service>
</services>
</system.serviceModel>
</configuration>
没有评论:
发表评论