Wcf4.0 advanced series-Chapter 5 Protection of WCF services over the Internet

【Abstract]

Implement internal enterpriseWCFServices and clientsProgramSecurity requires considerable effort,WCFProvides binding and behavior to simplify communication protection. Use. Net framework4.0The authentication and authorization provided can ensure the confidentiality of message transmission between the service and the client, and ensure that only authorized users can submit requests to the service. The internal network environment of an enterprise is relatively stable compared with the Internet due to internal confidentiality. Although there are also hacker intrusions, this is only an occasional phenomenon. As long as the system administrator and network administrator maintain the security of the Enterprise infrastructure, you can trust the client programs and services. Message encryption, user authentication, and user authorization can be easily deployed within the enterprise.

However, when the client program andWCFWhen a service spans a public network (such as the Internet), you cannot assume that the client program,WCFServices and communication between the two can be trusted. For example, how does a client program verify whether the server that sends the message is a real server, rather than a fake server that replaces the real service;
Whether the impersonating server decrypts and records the message before the message is sent to the real service, or how the service distinguishes whether the user running the client is the identity he claims; and how the Service determines whether the request comes from an authorized client, not from a client disguised by hackers.

The Internet is a potentially dangerous environment, so you must highly doubt all information transmitted over the Internet. In this chapter, you will learn how to use some technologies to protect client programs,WCFService and Information transmitted between the two.

[Body]

Verify client users and services over the Internet

The maintenance of Valid users and user creden。 that can access the service requires different forms of databases. In Windows, the Active Directory provides such a database. The WCF Service can use Windows integrated authentication to authenticate client users in the same domain. If the client program connects to the service through a public network, the above method will no longer apply. Because the client program may not run in the same security domain as the service. In this case, you can maintain the list of users allowed to access the service in other ways. For example, you can use ASP. NET member programs and ASP. NET role programs. In addition, you can use the authorization storage role Program (authorization store role provider) to save users and roles in the XML file. In the exercises in this chapter, you will use ASP. NET member programs and ASP. NET role programs.

Use ASP. NET member programs and ASP. NET role programs to authenticate and authorize users

To access WCF over the internet, you will use IIS to host the WCF Service. In this way, you can use the ASP. NET web site management tool to easily create a SQL database for the WCF Service that manages users and roles for the service. Then, you can configure the WCF Service to use ASP. NET member programs to authenticate users, use ASP. NET role programs to obtain role information and authorize users. This is the exercise you want to perform.

In addition, when you publish services over the Internet, you should use SSL to protect communication. Therefore, the first task is to configure IIS to support SSL by adding a certificate. This certificate can verify the information between the service, the encryption service, and the client. Then, bind the certificate to the website hosting the WCF Service.

Configure IIS binding to support SSL

1. Run the IIS console as an administrator.

2. on the IIS console, click the node where your computing is located in the connection panel.

3. In the middle panel, click the "Features" tab.

4. On the features panel, double-click "service certificate ".

After double-clicking, the service certificate panel appears, which lists all certificates that can be used to configure IIS for SSL. You can see the previous wcfhttps certificate we created in Chapter 4. I marked it with a red box. For the purpose of this chapter, we will create another certificate. It is not recommended to use the same certificate on different websites.

5. On the "operations" Panel, click "create self-signed certificate ". The "create self-signed certificate" dialog box appears. This wizard is similar to Chapter 4 using the makecert command in Visual Studio command line, a certificate is created. Like the warning in chapter 4, it prompts you not to use a self-signed certificate in the product environment. If you need a commercial certificate, you should click the "Create certificate request" link in the "operations" Panel to create a certificate request to identify your enterprise, and then send it to the certificate provider, for example, the Active Directory Certificate Service or a trusted third-party organization sends a request to generate the certificate.

6. In the "create self-signed certificate" dialog box, enter the Certificate Name and click "OK.

The certificate is automatically generated and added to the service certificate panel, as shown in

7. In the left-side pane of the IIS console, expand your computer name, right-click the default site, and select "Edit binding ":

The "Edit site binding" dialog box appears. This dialog box lists the protocols supported by IIS and was on the site.

8. In the "Edit site binding" dialog box, if HTTPS is not configured yet, click "add", select https, and select the certificate you just created. Click "OK.

9. Close the "Edit site binding" dialog box and exit the IIS console.

Create an internetproductsservcie site

1. Under the folder in chapter 5 (... \ step. By. Step \ Chapter5), add an empty folder named internetproductsservcie.

2. start the IIS console and create a web application named "internetproductsservcie". The application pool uses ASP. net v4.0, path pointing... \ step. by. step \ Chapter5 \ internetproductsservice.

3. On the IIS console, select internetproductsservcie, and then double-click SSL settings under the "feature View" tab of the intermediate panel.

4. On the SSL settings panel, select the "require SSL" signature check box and click "Apply"

4. confirm that the site authentication method allows anonymous access

5. Keep the IIS console open.

Create an internetproductsservice Solution

1. Start Visual Studio, create a new site, set the type to WCF Service, select HTTP for the web location, and set the path to https: // localhost/internetproductsservice;

2. After creating a WCF site, delete the iservice. CS, servcie. CS, and servcie. SVC files;

3. Right-click the project to add an existing project. In chapter 4, add iproductsservcie. CS and productsservice. CS to the project.

4. Select internetproductsservice; reference productsentitymodel. dll

5. Because the client uses the users created in the ASP. NET member program to access internetproductsservcie, You need to modify the productsservice. CS file.

7. Compile internetproductsservice and confirm there are no warnings or errors.

Activate the service internetproductsservcie and bind the configuration

1. Start Visual Studio and open the site internetproductsservice.

2. Use the WCF configuration management tool to open web. config

3. Activate the Service as follows. Expand the "advanced" folder, expand "host environment", select "Service Activation", and click "add" in the right pane. In the "Service Activation Editor" window, set "relative address" to "service. SVC "; the input service is products. productsservice. (If a message dialog box appears, click "OK" to continue );

4. In the WCF configuration management tool, click the "service" folder and then click "Create a new service ". Enter "products. productsservcie" as the service type, and click Next. When a warning is displayed, click "OK" to continue;

Click "Next", enter the service contract "products. iproductsservice", select "HTTP", and click "Next ".

Select "advanced Web Service interoperability" and click Next;

Enter "https: // localhost/internetproductsservcie/service. SVC" and click Next;

After confirming that the service is correct, click "finish" to create the service.

5. Create a binding named "productsservicews2007httpbindingconfig", which uses the ws2007httpbinding protocol;

6. After creating the binding, select the binding and click the "Security" label on the right panel. Then, make the following settings:

Because IIS uses httpsWCFRequiredConfigure to support Transmission Security.In transportwithmessagecredential mode, https is used at the transmission level to protect message transmission. The service certificate is used to verify the client. Message security is used to verify user creden. The username and password are transmitted as user creden to the service..

7. In the WCF configuration management tool, select a service endpoint and set it to use productsservicews2007httpbindingconfig to bind the configuration.

8. In the WCF configuration management tool, select "advanced"-"service behavior"-"unnamed"-"service metadata", set httpgetenabled to false, and httpsgetenabled to true.

9. Save the settings and exit the WCF configuration management tool.

10. In Visual Studio, open web. config; find the <servicehostingenvironment> element and set the value of the multiplesitebindingsenabled attribute to false.

11. Save web. config.

12. Enter https: // localhost/internetproductsservice/service. SVC in the browser to test the website. You will get the following results:

13. Close IE browser

So far, you have deployed, configured, and tested the IIS-hosted WCF Service internetproductsservice. Now, you can start to use ASP. Net management tools to define users and roles that are allowed to access the WCF. To simplify the process, you will create the same roles (warehousestaff and stockcontrollers) and users (Fred and Bert) as Chapter 4 ).

Define users and roles for the WCF Service internetproductsservcie

1. in Visual Studio, select the internetproductsservice site, and then select ASP. net configuration; ASP. net Site Management Tool website: (Note that before using this step, make sure that your computer has been bound to SQL Server and Asp has been registered using aspnet_regsql. net role program and ASP. net member program. The essence of registration is to create a corresponding table in the database and add a connection string to the database in IIS. In this way, when you start the ASP. NET site management tool, the tool will know how to connect to the database, and add users, roles, and information about the site you configured)

2. Click the "Security" tab and the site will switch to the "Security page ". On this page, you can manage users, specify the authentication mechanism used by the site, define user roles, and specify Website access rules.

3. Click "select verification type" and select "from the Internet". Click "done" to return to the "Security page"

4. after you return to the security page, you can find that the existing user is 0. Click "create user" to create user BERT with the password pa $ w0rd; other options can be entered at will.

5. Repeat Step 4 to create user Fred;

6. Return to the Security page and check that the current number of users is 2;

7. In the role area of the page, click the "Activate role" link;

8. Click the "Create or Manage Roles" link, and enter warehousestaff.

9. After creating the warehousestaff role, click "manage" to connect

10. On the Select User Interface, add Albert and Fred to the role warehousestaff.

11. Create a role stockcontrollers

12. Add User Fred to the stockcontrollers role

13. disable the ASP. NET site management tool.

Configure the WCF Service to use ASP. NET role programs and ASP. NET member programs

1. in Visual Studio, use the WCF Service Configuration tool to open the Web. config of internetproductsservcie;

2. in the configuration panel, expand "advanced"-"server behavior"-"Unnamed behavior"; then click "add" on the right panel. In the displayed dialog box, select "serviceauthorization" and click "OK.

3. Expand "Unnamed service behavior" and select "serviceauthorization ". In the right pane, set the principalpermissionmode attribute to useraspnetroles, And the roleprovidername attribute to aspnetsqlroleprovider.

4. Select "untitled service behavior" again, right-click it, select "create new service behavior element extension", select servicecredentials, and click "add.

5. Select "servicecredentials" and set the value of the membershipprovidername attribute to aspnetsqlmembershipprovider on the right panel. Set the value of the usernamepasswordvalidationmode attribute to membershipprovider.

6. Save the configuration file

7. Exit the WCF Service Configuration tool.

Modify the WCF client program to connect to internetproductsservcie

1. Copy the productsclient in chapter 4 to the Chapter 5 folder, and add the project to the internetproductsservice solution.

2. Use the WCF Service Configuration tool to open the app. config of the productsclient project.

3. Select "bind" in the left-side Navigation Pane, right-click it, and select "create new BIND configuration". In the displayed dialog box, select ws2007httpbinding, and click "OK.

4. Set the binding name to "productsclientws2007httpbindingconfig"

5. Switch to the "Security" label and set the mode to "transportwithmessagecredential"; the value of the messageclientcredentialtype attribute is username; the value of transportclientcredentialtype is none.

6. in the WCF Service Configuration tool, select "ws2007httpbinding_iproductsservcie" and set the endpoint address to https: // localhost/internetproductsservcie/servcie. SVC, and set the value of the binding configuration property to "productsclientws2007httpbindingconfig"

7. Save the settings and exit the WCF Service Configuration tool.

8. Configure productsclient to use the corresponding certificate and Endpoint

9. Add client user creden

Test the WCF Service

1. Run productsclient and you will get the following results:

2. Modify client user creden。 to connect to internetproductsservice using Fred. You will get the following results:

3. We can see from the above that Fred can perform the changestocklevel operation, while Albert cannot. This is because Fred not only belongs to the warehousestaff group, but also to the stcokcontroller group. Albert only belongs to the warehousestaff group. This is because we have defined on the service that only the stockcontroller group can perform the changestocklevel operation.

4. launched the productsclient Program

Note: pay attention to the following points during this exercise:

1. After creating a self-signed certificate, if you use https: // localhost/internetproductsservcie/servie. SVC for access, ie will display the following warning information:

This is because the self-signed certificate is officially generated for your computer name. Therefore, you should use https: // yourcomputername/internetproductsservcie/servcie. SVC to access your service. The following result is displayed:

2. the endpoint address can be empty or relative.

What happens if the endpoint address is also a relative address? Shows the soap address in the WSDL:

3. When configuring the SSL Certificate of the service, you can use guid to find the certificate to avoid duplicate names.

4. Configure ASP. NET member programs and role programs. Refer to msdn:

• How to: Use the ASP. NET membership provider http://msdn.microsoft.com/en-us/library/ms731049.aspx
• How to: Use the ASP. NET role provider with a service http://msdn.microsoft.com/en-us/library/aa702542.aspx

Use Certificates to authenticate and authorize users

The user name and password are used to verify the security of the user in a certain program, but you will soon be aware of the shortcomings of this implementation method. It easily exposes the user password to other users. The passwords entered by many people are either very short or easy to guess (such as 1234, ABCD, and password) to make the passwords easy to remember ). The appeal password is not as secure as the name of your mother servant. However, it is not suitable for Internet environments. This is why the bank does not use the user name and password to identify your identity when you connect to the bank over the Internet.

The use of public key system (PKI) can help overcome the shortcomings of passwords. PKI provides message encryption and message verification functions.

PKI is based on a pair of keys (one key is a long string of random numbers): one is the public key used to encrypt messages, and the other is the private key used to decrypt messages. These keys must be unique. If you want to communicate with a third-party component, you can send a public key to it. The third party uses the public key to encrypt the message, and then delivers the encrypted message to you. You use your private key to decrypt these encrypted messages.

This theory holds that only your private key can decrypt messages encrypted using your public key. Because it does not care whether someone can crack your message, because outsiders cannot read the message (without a private key ). In fact, even if there is no private key, encrypted messages can be cracked. Of course, this takes a considerable amount of effort. The longer the length of the private key, the more effort it consumes.

The public key and private key can also work in another way. You use the private key to encrypt a message. Others use the public key to decrypt the message. This does not seem useful, but it provides a convenient mechanism to verify the message source. If a third party receives an encrypted message that you claimed to have sent, but the third party cannot use the public key you provided to decrypt the message; this means that the encrypted message received by a third party is actually sent by someone else impersonating you. At this time, the third party should discard the message.

So where do you get the key? You can apply for a pair of key certificates from the Certificate Authority (CA. CA performs various checks to ensure that the certificate owner is the real master of the certificate. If you pass the check, the CA will issue you a certificate containing the public key and private key. This certificate also contains some identity information about the certificate holder and Ca itself.

Assume that the digital certificate holder a has sent digital information to the holder. In order to ensure the authenticity, integrity and non-repudiation of the information transmitted, the information to be transmitted must be encrypted and digitally signed, the transfer process is as follows:

• A shall transfer the correct digital information (plaintext)
• A. Hash the numeric information to obtain an information abstract.
• A encrypts the abstract with its own private key to obtain the digital signature of a and attaches it to the digital information.
• A randomly calculates a secret key des and uses this key to encrypt the information to be sent to form a ciphertext.
• Party A encrypts the encrypted des key with the public key of Party B, and transmits the encrypted des key together with the ciphertext to Party B.
• Party B receives the ciphertext sent by Party A and the encrypted des key. It decrypts the encrypted des key with its own private key to obtain the des key.
• B then uses the des secret key to decrypt the received ciphertext and obtain the information abstract.
• B uses the same hashAlgorithmRe-hash the received plaintext to obtain a new information digest.
• B compares the received information Abstract With the newly generated information abstract. if it persists, it indicates that the received information has not been modified.

For more information about PKI, see http://technet.microsoft.com/en-us/library/cc751024.aspx

The service can use a certificate to allow the client to verify the service, to reduce the risk of connecting a customer point to a fake service. You should obtain a certificate from a Certificate Authority that deserves the trust of you and the participants to identify yourself and encrypt your communication. Do not publish your private key to the outside world.

In the following exercise, you will see how to use a certificate to sign a message and verify the user.

Modify the WCF Service so that it requires client programs to use certificates to authenticate users.

1. Use Visual Studio to open the internetproductsserviceusercert solution; then use WF configuration management tool to open web. config;

2. Expand the binding, select productsservicews2007httpbindingconfig, switch to the "Security" label, and set messageclientcredentialtype to certificate. Now, the WCF Service requires the client program to provide a certificate to verify the user. The negotiateservicecredential attribute specifies how the client sends a certificate to the service. If the value of this attribute is true, the WCF Service expects the client program to send the certificate together with the message (in fact, when the client and the WCF Service exchange the certificate, will trigger a series of initialization messages ). If the value is changed to false, the WCF Service administrator must manually install the client certificate to the "trusted person" Certificate storage location on the computer on which the service is running.

Set this value to false. In subsequent exercises, you will manually install the client certificate

3. In the left-side pane of the configuration management tool, expand "advanced"-"Untitled"-"service certificate"-"client certificate"; set the attribute "certificatevalidationmode" to "perttrust"

Client certificates can be verified in the following ways:

By default, when the certificate is verified, the service searches for the certificate from the certificate storage location localmachine. If you use IIS to host the WCF Service, this method is very effective. If you create a program from the hosted WCF Service and the program runs as a specific identity, you can configure the WCF to search for the certificate at the certificate storage location currentuser.

Revocationmode is used to specify the mode for the X509 Certificate Revocation check. It contains the following values:

6. Save the settings and launch the WCF configuration management tool.

Configure the client for the WCF Service to use the client certificate to verify the client

1. Use the WCF Configuration tool to open the app. config of productsclinet

2. In the configuration panel, expand binding and select productsclientws2007httpbindingconfig. then switch to the "Security" tab on the right panel. Set the value of the messageclientcredentialtype attribute to certificate, and set negotiateservciecredential to false.

3. Save the settings and exit the WCF configuration management tool.

Create a certificate to identify and test users using a total of WCF services

1. Run Visual Studio command prompt as an administrator

2. Run the following two commands to create certificates with the subject as Bert and Fred respectively.

The two certificates you created will be stored in the personal certificate under the certificate storage location currentuser. The WCF Service requires the Administrator to install copies of these two certificates to the certificate storage location truested people on the computer running the WCF Service. In the following exercise, we export copies of the two certificates we just created, and then import the copies of the certificates to the trusted people directory on the local computer.

Export and import certificates

1. in Visual Studio command prompt, execute the following command

The first command above is used to obtain a copy of the Bert certificate from the personal certificate under the current computer certificate storage location currentuser. This copy contains the public key of the original certificate and does not contain the private key of the original certificate. The second command is to import a copy of The BERT certificate to the trusted people place under localmachine where the certificate is stored on the current computer. The third and fourth commands repeat the first two commands, but only operate on the certificate Fred.

2. Exit Visual Studio Command Prompt

3. At start-run, enter certmgr; and you can check whether the certificate copies of Bert and Fred have been imported to the trusted people place under localmachine.

If you click the original certificate, you can find that the difference between the original certificate and the certificate copy is whether the private key is included (the original certificate icon has a key. Original Certificate on the left and certificate copy on the right ).

Update the WCF client to send a certificate to the WCF Service.

1. Open the program. CS file under productsclient in Visual Studio

2. Make the following changes:

3. Generate the project and run productsclient. You will get the following results:

This indicates that the WCF Service hasVerifyThe client (if the verification fails, you will receive an exception that fails the verification). The reason why the access is not authorized is that the role information stored in the SQL database has not been updated yet. User Bert cannot obtain the corresponding authorization.

4. Exit productsclient

Now, you will update the SQL Server database, add user and role definitions, and map them to the users and roles obtained from the client certificate. First, you should understand the identity of the client recognized by the WCF Service when the client uses a certificate to authenticate itself.

Investigate the identity of client users accessing the WCF Service when using client certificates

1. Develop the productsservcie. CS file in the app_code folder of the internetproductssercie project.

2. comment out the principalpermission and listproducts contents of listproducts, and then add the following new statements:

3. Generate a project and run productsclient. You will get the following results:

The client identity verified by the WCF Service consists of the Subject name and the thumbprint value of the certificate. The value of thumbprint is the unique identifier of the certificate. This value will be saved to the SQL Server database and used by ASP. NET role programs.

4. Exit productsclient.

Update user information in the SQL Server database

1. in Visual Studio, select internetproductsservcie and select site-Asp. Net site configuration tool from the menu of Visual Studio.

2. In the ASP. Net Site Configuration tool, click the "Security" tab to switch to the "Security page"

3. Click create user connection to go to the User Creation page;

Enter"CN = Bert; 64347fcaa%93f01739c82d8280c39153b5559b", The subsequent string is the thumbprint value of the certificate (spaces have been removed); restructuring is the identity of the client when the certificate was used in the above experiment results. Then confirm that the role warehouststaff is selected;

Click "create user" to create the user.

4. Run productsclient again and you will get the following results:

5. Add the user Fred and add the roles stockcontrollers and warehousestaff;

6. modify program. CS to use the certificate Fred to access internetproductsservice. the following result is displayed:

Messages using the certificate verification service

When the Service uses the HTTPS protocol, it ensures the confidentiality of the communication between the client and the server. The Service sends a certificate to the client, which contains a public key for encrypted communication. The client verifies whether the certificate sent by the server comes from the CA. However, https is mainly used to ensure the confidentiality of communication.Verification (Transfer-level verification) for the purpose of verifying the establishment of an SSL conversation is different from message-level authentication, which can verify the identity of the message sender. Client programs generally assume that they send messages to a specific and trusted service. But is this assumption true? The client may actually exchange messages with a fake service in a safe way, because hackers can intrude into the DNS server and forward messages sent to the real service to any other place. To avoid this situation, you need to use two-way authentication to Implement Message security to replace Transmission Security.

The verification service is similar to the service verification client. The Service uses the private key to sign a message and send it to the client. The client obtains the public key in the copy of the server certificate from its own certificate storage location, and then uses this public key to decrypt the message and verify the signature of the service. If the message fails to be decrypted, the Service signature cannot be identified. Therefore, the client rejects the message sent by the Service. In the same way as message security in chapter 4, all communications between services and clients are encrypted.

In the following exercise, you will create another ASP.. Net site hosts the WCF Service. Then, you will configure the Service to use message security so that the client can verify the messages sent by the WCF Service.

Create an ASP. Net site that will implement message Security

1. Open the IIS Console

2. Create a New mutualauthenticationproductsservcie site that uses the ASP. NET v4.0 application pool and points to the corresponding folder.

Configure the WCF Service to use the localhost certificate to verify itself

1. Run Visual Studio command prompt with the Administrator settings and execute the following command

Create a certificate named localhost and store it in the personal place under localmachine. The subjet name must match the host name in the URL used by the client to connect to the service.

If you use IIS to host the WCF Service, you must confirm that the NetworkService account has the permission to read the certificate. If you use other programs to provide self-Hosted Services, skip the following steps:

2. Go to the WCF \ step. By. Step \ chpater5 directory and run the following command:

The findprivatekey tool displays the private key information of the certificate we created in step 1. Findprivatekey is a tool provided by WCF samples. You can download it from the Microsoft website. The file displayed in the preceding command result is the file for which we want to add permissions to NetworkService. For more information about findprivetekey, see http://msdn.microsoft.com/en-us/library/aa717039.aspx

3. Run the following command to add read permissions to NetworkService:

Note that the prerequisite for executing this command is that the account currently running ASP. NET v4.0 is NetworkService. If it is another user, add read permissions to the corresponding account.

4. Enter "iisreset" to restart IIS

5. Use Visual Studio to open the site mutualauthenticationproductsservcie

6. Use the WCF Service configuration management tool to open web. config

7. Set the security mode to "message"

8. In the WCF configuration management tool, select Advanced-service behavior-unnamed-service certificate. Then, in the right pane, set findvalue to localhost and x509findtype to findbysubjectname.

9. Save the settings and exit the WCF configuration management tool.

Export the WCF Service Certificate and import it to the storage location of the client certificate

1. Run Visual Studio command prompt as an administrator and then execute the following commands:

The above name will get a copy of the localhost certificate. This copy contains the public key of the original certificate and does not contain the private key information.

2. Run the following command to import a copy of the localhost certificate to the currentuser location where the certificate is stored.

Configure the WCF client to verify the WCF Service

1. Use Visual Studio to add the productsclient Program

2. Use the WCF Service configuration management tool to open the productsclient app. config

3. Set the endpoint address to http: // localhost/mutualauthenticationproductsservcie/service. SVC.

4. Modify the Security Mode of productsclientws2007httpbindingconfig to message.

5. Add the endpoint behavior configuration. Expand advanced-endpoint behavior, right-click and select "add endpoint behavior configuration"

6. Set the endpoint configuration name to "authentiationbehavor". Click "add" at the bottom of the right panel to add the clientcredential element.

7. Select authentiationbehavior -- client creden-client certificate. In the right pane, set findvalue to localhost and x509findtype to findbysubjectname.

8. Set the endpoint ws2007httpbinding_iproductsservice to use the created endpoint Behavior

9. Save the settings and exit the WCF configuration management tool.

10. modify program. CS

Confirm the client to verify the WCF Service

1. Run productsclient and you will get the following results:

2. Press enter to exit productsclient

3. Run the following command in Visual Studio command prompt to remove the certificate localhost

4. Run the following command to create a certificate with the same subject name.

5. Enter iisreset to restart IIS

6. If you run productsclient again, you will get the following error:

Because the private key of the certificate localhost used by the WCF Service has changed, the client cannot use the public key in the copy of the localhost certificate to verify the signature of the message sent by the server. This scenario simulates the actual scenario where the WCF Service is replaced by other services.

If you want productsclient to run properly, you need to export a copy of the newly created localhost certificate and delete the copy of the localhost certificate stored in currentuser; then import a new copy of the localhost certificate.

7. Press enter to exit productsclient

Identification Service

The preceding example shows how to configure message security, and authorization takes place on the basis of message-to-message. The Administrator of the WCF Service must send the public key of the certificate used by the WCF Service to the Client Connected to the WCF Service, and configure the client to use the public key to authenticate the service. This mechanism is very secure, but the enhanced security comes at the cost of encryption and signature for all communications. An alternative solution is that you can implement service verification. This method does not require message protection. However, it ensures that the client is connected to the real service in a confidential manner.

When configuring the client endpoint, you can specify the expected service identity in the <identity> element. According to the security settings of the service, this value can be a certificate, the host's DNS name, or RSA, or SPNs, or even an UPN account that specifies the service running. The following example shows how to execute the Service's SPNs.

When the client is running and connected to the service, WCF requires the Service Identity and verifies that the Service Identity is consistent with the identity in the client configuration file; this occurs before the client sends the first message to the service. If the identity matches, the service starts to verify the client. After the client passes the authentication, the client runs and sends messages between the client and the service. If the identities are inconsistent, the service will be treated as a fake service, and the client will not proceed further

[Summary]

In this chapter, you have learned thatWCFServices run in differentWindowsHow to verify and authorize client users under the domain. You also learned how to configureASP. NETMember program usageSQLUser creden stored in the data to verify the user and how to configureASP. NETRole program to specify the role of the user to completeWCFService Authorization. You also understand how clients and services use certificates to verify messages sent and received from each other, and how the two use public and private keys to communicate separately to stay away from potential threats in the network. Finally, you can see how to set the Service identity in the client programWCFDuring running, check whether the service that the client is connected to is a real service.
 

Download the source code of this Chapter