I used to deal with web services, and we secured them using the credential header with SOAP. The calling application would need to pass a username and password in the credential header. We are now looking at using a WCF RESTful-based web service and want to secure it. Wondering what the best way to secure it is?
I was thinking that I could stuff a username and password in the POST variables (if that's what they are called). But is this the proper way to secure a RESTful web service?
This link describes how to use WCF with WS-Security.
This link describes what WS-Security is.
This link describes the architecture of the WCF security component.
Not sure if you can combine those with REST, but know that HTTP has authentication mechanisms of its own (see Basic authentication and Digest authentication and this overview about both).
The RESTful way to do it imo would be to use HTTP authentication.
I think you have some research to be done :)
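As an added example (not code from the original thread), this is what the HTTP-authentication approach suggested above looks like on a WCF REST (webHttpBinding) service: the operation reads the Basic Authorization header itself and answers 401 with a WWW-Authenticate challenge when it is missing or invalid. The `IOrders` contract, the `OrdersService` class and the `CheckCredentials` hook are hypothetical names chosen for the example.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Web;
using System.Text;

// Hypothetical REST contract: one GET operation guarded by HTTP Basic authentication.
[ServiceContract]
public interface IOrders
{
    [OperationContract, WebGet(UriTemplate = "orders/{id}")]
    string GetOrder(string id);
}
public class OrdersService : IOrders
{
    // Assumed hook for the real credential check (database, membership provider, ...); default rejects everything.
    public static Func<string, string, bool> CheckCredentials = (u, p) => false;
    public string GetOrder(string id)
    {
        if (!Authorize()) return null;   // 401 and challenge already set on the response
        return "order " + id;            // placeholder payload
    }
    // Reads "Authorization: Basic <base64(user:password)>" and answers 401 with a WWW-Authenticate
    // challenge when it is missing or wrong. Basic sends the password in clear, so serve over HTTPS only.
    private static bool Authorize()
    {
        var ctx = WebOperationContext.Current;
        string user, pass;
        if (TryParseBasic(ctx.IncomingRequest.Headers[HttpRequestHeader.Authorization], out user, out pass)
            && CheckCredentials(user, pass))
            return true;
        ctx.OutgoingResponse.StatusCode = HttpStatusCode.Unauthorized;
        ctx.OutgoingResponse.Headers.Add("WWW-Authenticate", "Basic realm=\"orders\"");
        return false;
    }
    public static bool TryParseBasic(string header, out string user, out string pass)
    {
        user = pass = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':');   // split on the first ':' only; the password may contain ':'
        if (colon < 1) return false;
        user = decoded.Substring(0, colon);
        pass = decoded.Substring(colon + 1);
        return true;
    }
}
```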
I need to authenticate APP "A" according to APP "B" authorizations, using an existent and available login method. Just checking username and password, no token, no certificate. Basic auth.
I do not control either of those apps, so I managed to create a web service to intermediate communications.
I am quite new to this, so I have started reading about it. I have ended up with some simple examples using WCF to perform it. I'm using C#.
Should I do it using WCF? What should be (conceptually) my approach?
You can do anything you want from a WCF service, as long as you keep the constraints of running as a Windows Service (either directly or through IIS) in mind.
So yes, you can just use HttpClient or RestSharp to talk to the REST API from your WCF code.
I'm developing a WCF REST JSON service for Android and iOS mobile apps. I need to provide some security to this. I've gone through many articles, but most of them use certificates. Could anyone suggest which is the best and built-in way to secure the service?
I would recommend the use of OAuth (Since you are on multiple mobile platforms).
It does not use user/password authentication, you instead include OAuth inside the HTTP header.
Here is documentation and sample implementations:
http://blogs.msdn.com/b/odatateam/archive/2011/01/20/oauth-2-0-and-odata-protecting-an-odata-service-using-oauth-2-0.aspx
http://www.codeproject.com/Tips/372422/Secure-WCF-RESTful-service-using-OAUTH
http://www.codeproject.com/Tips/817102/Consuming-OAUTH-Enabled-Restful-WCF-Service-using
My scenario is that I have to expose some API over WCF to third-party clients. I wanna use the most secure option. The ideal solution would be making a Windows account for each client in my server's Active Directory and letting them access the service with Transport & Message security and Client credentials username. So I could ask the client to provide a username and password and use Windows group policy for role-based authorization.
Since this is an internet-facing WCF service, I'm not sure I could use Windows accounts? Should I be using a database solution to manage usernames, passwords and roles?
It should be consumable from .NET clients as well as Java clients. Third-party clients could be anything that can consume SOAP.
What's the best security option to this scenario? VPN is not an option as this totally should go over internet. Your help is very much appreciated.
It sounds like what you need is some kind of a token based authentication setup. Microsoft seems to publish the best material in the game for this kind of thing. You can find their articles here and pick the scenario of security that most closely matches your needs:
Microsoft WCF Security
You can use ASP.NET membership with forms authentication for your service.
Using Windows authentication for an internet-facing service is not a good idea.
For more information:
How to: Enable the WCF Authentication Service
Windows Communication Foundation Authentication Service Overview
Securing WCF with Forms Authentication
I'm setting up a WCF service. The service has to use transport security over https and I need to use some kind of authentication to prevent unwanted usage.
Digging into WCF theory has disappointed me so far.
What I have found out so far is that I can use UserName authentication with transport security. But then I will need a certificate to secure the message.
And this makes it difficult to consume with most .NET languages.
I am surprised that I cannot find any good information on how to authenticate a user with WCF without message security.
What I would like is that the client passes username and password in some way to my service.
And for the record. The service will be using transport security.
To break it down:
How can I implement authentication without limiting interoperability?
Are WCF services so cumbersome that I either have to use a completely open service and use IP filtering or a VPN to restrict access?
UPDATE:
Since I am planning to use HTTPS with an SSL certificate, will security mode "TransportWithMessageCredential" be the solution for me?
The only way to get REAL security IS to use digital certificates.
See my own question on this topic for details.
TransportWithMessageCredential (AKA mixed-mode security) is indeed what you are looking for.
I'm looking for a way to secure my WCF service using http and simple username-password authentication, without using certificates.
The service is consumed by an Android device so I can't use the .NET Proxy generated classes.
I've read about basic HTTP authentication but haven't found an easy way to implement this method.
Have you tried using the MSDN custom Username/Password validator for WCF? It relies on the serviceCredentials configuration and implementing a UsernamePasswordValidator.
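As an added example (not code from the thread or from MSDN), this puts the two pieces recommended above together: a custom `UserNamePasswordValidator` plugged into `serviceCredentials`, hosted with `TransportWithMessageCredential` so the password travels inside the message over HTTPS while the server needs only its SSL certificate. The `HashedPasswordValidator` and `SecureHost` names, the in-memory user store and the PBKDF2 parameters are assumptions for the example; it stores and compares only salted hashes and runs the KDF even for unknown users so response timing does not reveal which usernames exist.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical validator: WCF calls Validate() for each UserName token; passwords are kept only as salted PBKDF2 hashes.
public class HashedPasswordValidator : UserNamePasswordValidator
{
    private class Entry { public byte[] Salt; public byte[] Hash; }
    // Constructed in-memory store; a real service would read a database or membership provider.
    private static readonly Dictionary<string, Entry> Users = new Dictionary<string, Entry>(StringComparer.Ordinal);
    private static readonly Entry Dummy = new Entry { Salt = new byte[16], Hash = new byte[32] };
    public static void AddUser(string userName, string password)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        Users[userName] = new Entry { Salt = salt, Hash = Derive(password, salt) };
    }
    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000)) return kdf.GetBytes(32);
    }
    private static bool FixedTimeEquals(byte[] a, byte[] b)  // constant-time; .NET Framework lacks CryptographicOperations.FixedTimeEquals
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || password == null) throw new SecurityTokenException("Missing credentials");
        Entry entry;
        bool known = Users.TryGetValue(userName, out entry);
        if (!known) entry = Dummy;  // still run the KDF so timing does not reveal which usernames exist
        if (!(FixedTimeEquals(Derive(password, entry.Salt), entry.Hash) && known))
            throw new SecurityTokenException("Unknown username or incorrect password");
    }
}
// Hypothetical hosting code for mixed-mode security: HTTPS on the transport, UserName credential in the message.
public static class SecureHost
{
    public static ServiceHost Create(Type serviceType, Type contractType, Uri httpsAddress)
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        var host = new ServiceHost(serviceType, httpsAddress);
        host.AddServiceEndpoint(contractType, binding, "");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new HashedPasswordValidator();
        return host;
    }
}
```

The same validator can be wired up in app.config instead, via the userNameAuthentication element under serviceCredentials with userNamePasswordValidationMode="Custom" and customUserNamePasswordValidatorType set to the validator's assembly-qualified name.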
I've found ASP.NET Web API, which seems like a better solution for REST-based services than WCF.