WCF and WS-Security
Author
Chris Seary is a security specialist and MVP at IT and management consultancy, Charteris plc. He has worked with many different Microsoft technologies, and for the last few years has specialised in the security aspects of enterprise-level .NET systems.
Technology
.NET Framework 3.0
Visual Studio 2.0
Summary
Windows Communication Foundation is the new Microsoft technology for communicating between distributed services. This article will focus on communication protected by WS-Security.
Introduction - What is WS-Security?
Microsoft, IBM and a number of other vendors and organisations have created standards for protection of communications at the message level. These standards cover many aspects of security, including digital signatures, authentication and encryption of SOAP messages. The generic name for the standards is WS-*, and it includes WS-Security, WS-Trust and WS-SecureConversation.
Windows Communication Foundation
There are three aspects of a service created with the Windows Communication Foundation - Address, Binding and Contract. Address is the URI of the service, Binding is the method of communication, and Contract is the definition of the service methods.
Creating the service
The physical implementation of a contract is an interface. Here’s the interface for our service, called IMyService:
    [ServiceContract]
    public interface IMyService
    {
        [OperationContract]
        string GetData(string val);
    }
The interface has one method, which is GetData(string val). The ServiceContract attribute is added to the interface definition, and the OperationContract attribute is added to the method.
Our service will implement this interface:
    using System;
    using System.ServiceModel;

    namespace MyServiceHost
    {
        [ServiceContract]
        public interface IMyService
        {
            [OperationContract]
            string GetData(string val);
        }

        public class MyService : IMyService
        {
            string IMyService.GetData(string val)
            {
                // Name of the identity established from the caller's credentials
                string s = System.ServiceModel.ServiceSecurityContext
                    .Current.PrimaryIdentity.Name;
                return "You sent the text:" + val +
                    Environment.NewLine + s;
            }
        }
    }
This is a very simple service that returns the parameter passed and the identity of the user who is authenticated with the credentials supplied.
This service is hosted in a Windows Forms application. A reference to System.ServiceModel is required.
The Load event instantiates the service:
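    // Held in a field so the host stays open for the lifetime of the form
    private System.ServiceModel.ServiceHost sh;

    private void ServiceForm_Load(object sender, EventArgs e)
    {
        try
        {
            // Endpoints are read from the application configuration file
            sh = new System.ServiceModel.ServiceHost(typeof(MyService));
            sh.Open();
        }
        catch (Exception ex)
        {
            MessageBox.Show(ex.ToString());
        }
    }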
Next we must publish the web service, so that clients can call it. The application configuration file for the Windows application needs a section added for ServiceModel-related configuration.
The <service> element applies to the class specified in the name attribute, which is loaded in the Load event in the preceding example. Endpoints are added using the <endpoint> element, with the address for the service configured using the address attribute. Here, the address is shown as Http://localhost:9091/DataService. This is the URI that must be used when calling the service. The binding is the way that communication will take place – in this case the wsHttpBinding, which allows us to use WS-Security. The contract attribute refers to the interface we defined earlier.
The second endpoint, http://localhost:9091/DataService/mex, has a different binding type, mexHttpBinding. This endpoint is configured to publish metadata so a client can generate a proxy for...
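The configuration section described above, written out as an added example (it is not the article's original listing). The two endpoint addresses, the binding types and the contract come from the text; the type names follow the MyServiceHost namespace in the service code, while the names MessageSecurity and MyServiceBehavior and the explicit security settings are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <services>
      <!-- name is the class passed to ServiceHost in the Load event -->
      <service name="MyServiceHost.MyService"
               behaviorConfiguration="MyServiceBehavior">
        <!-- Application endpoint: wsHttpBinding carries WS-Security -->
        <endpoint address="http://localhost:9091/DataService"
                  binding="wsHttpBinding"
                  bindingConfiguration="MessageSecurity"
                  contract="MyServiceHost.IMyService" />
        <!-- Metadata endpoint: lets a client generate a proxy.
             It describes the contract to anyone who can reach it,
             so it is normally removed once proxies are generated. -->
        <endpoint address="http://localhost:9091/DataService/mex"
                  binding="mexHttpBinding"
                  contract="IMetadataExchange" />
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <!-- Assumed name. These values are the wsHttpBinding defaults,
             written out so the protection level is visible in review:
             message-level security with Windows credentials. -->
        <binding name="MessageSecurity">
          <security mode="Message">
            <message clientCredentialType="Windows" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <!-- Assumed name. serviceMetadata is required for the
             IMetadataExchange endpoint to be served. -->
        <behavior name="MyServiceBehavior">
          <serviceMetadata />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```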