tecnologias de distribuição e integraçãoapm/tdin/docs/11security.pdf · service identification...

Distribution and Integration

Technologies

Services Security

APM@FEUP WCF Security 2

WCF security aspects

Information communication (transfer) security

Aspects

• Privacy (or confidentiality) – Encryption

• Integrity – Hash and signature

Levels

• Transport – Use of a secure communications protocol

Can be HTTPS, TCP, Pipe or MSMQ. Guarantees point to point security if

there are no intermediaries

• Message – Security applied to message contents only. Independent

from transport protocol. Can present less performance than using

transport.

Authentication User identification from client. Service identification from host.

Authorization Execution permission based on user identity or on roles associated to

users


Privacy and integritymessage private

key

private

key

public

key

public

key

hash

encoding using

own

private key encoding using

service

public key

decoding using

own

private key

encoded

hash

decoding using

client

public key

hashhash

valid message

if the same

calculation

calculation

asymmetric key

security


Information transfer

The transfer security is configured with each Binding

Many Bindings have some sort of security already configured by

default

Not everyone support every type of security

Some authentication information can be added to the message

Name None Transport Message

BasicHttpBinding Yes (default) Yes Yes

NetTcpBinding Yes Yes (default) Yes

NetNamedPipeBinding Yes Yes (default) No

WSHttpBinding Yes Yes Yes (default)

WSDualHttpBinding Yes No Yes (default)

NetMsmqBinding Yes Yes (default) Yes


Transfer and client credentials (1)

Each Binding and transfer security level allows only

certain types of client credentials

With transport level security

Name None Windows Username Certificate

BasicHttpBinding Yes (default) Yes Yes Yes

NetTcpBinding Yes Yes (default)* No Yes

NetNamedPipeBinding No Yes (default)* No No

WSHttpBinding Yes Yes (default) Yes Yes

WSDualHttpBinding N/A N/A N/A N/A

NetMsmqBinding Yes Yes (default)* No Yes

* Allows the generation of encryption keys without a certificate


Transfer and client credentials (2)

Each Binding and transfer security level allows only

certain types of client credentials

With message level security

Name None Windows Username Certificate Issued token

BasicHttpBinding No No No Yes No

NetTcpBinding Yes Yes (default)* Yes Yes Yes

NetNamedPipeBinding N/A N/A N/A N/A N/A

WSHttpBinding Yes Yes (default) Yes Yes Yes

WSDualHttpBinding Yes Yes (default) Yes Yes Yes

NetMsmqBinding Yes Yes (default)* Yes Yes Yes

* Allows the generation of encryption keys without a certificate


Tcp with message level security

Can be used without certificates with Windows

authentication

Just needs to configure the Binding transfer parameters

<bindings>

<netTcpBinding>

<binding name="CalcServiceTcpBinding">

<security mode="Message">

<message clientCredentialType="Windows" />

</security>

</binding>

</netTcpBinding>

…

<services>

<service ….

<endpoint binding="netTcpBinding"

bindingConfiguration="CalcServiceTcpBinding" …


Using the Service Configuration Editor

1. Create a binding

compatible with the

endpoint

2. Give the binding a name

3. Configure security in the

appropriate pannel

4. Associate the binding to

the endpoint (in the

endpoint proprieties)

selecting the same name

chosen in step 2.


HTTP with encryption (SSL)

We need to install a certificate signed by a ‘certification

authority’

Configure the Binding (HTTP) for the required transfer

and authentication security

The certificate should have the same name as the server

The address should use the protocol https://...

The http driver installed in the operating system should

use the certificate in the wanted IP address and port

Windows has command line tools for this configuration

• httpcfg.exe in WindowsXP

• netsh in Windows Vista or later

• There are also graphical tools available


Host configuration


Client configuração


Authorization (windows users & groups)

It is possible to configure conditions for the execution of

the operations in a service

Limit the allowed users

Allowing users in roles (by default roles are translated into

Windows groups)

Using the [PrincipalPermission] attribute applied to the

operation implementation

[PrincipalPermission(SecurityAction.Demand, Name=“machine\\user”)]

public double SqRoot(double val) {

…

}

[PrincipalPermission(SecurityAction.Demand, Role=“ServiceUsers”)]

public double Add(double val1, double val2) {

…

}

Custom authentication (for username)

We can define in the host a validation class to

authenticate clients based on username and password

This class is indicated in a service behavior


We have next to implement

a class in an assembly

available to the host (can be

the host assembly)

That class must derive from

the abstract class

UserNamePasswordValidator

and implement the

Validate method

The custom validation class


public class UserValidator : UserNamePasswordValidator {

public override void Validate(string userName, string password) {if (null == userName || null == password)

throw new FaultException("Username or password not specified.");

if (!(userName == "Any" && password == "Some") &&!(userName == "TheOne" && password == "Other"))throw new FaultException("Unknown username or password.");

}}

A small example of a custom validation class

Note: user names and passwords should never be directly coded in the class.

Some more elaborate scheme using databases, encryption or hashes should

be used instead.

Java EE security


Security realm

- File

- Database

- LDAP

- Certificate

- Custom

Application Server

App Client Container

Application

EJB Container

Web Container

EJBs

WSs

Web App

WSs

Browser

-Users

-Groups

AUTHENTICATION

AUTHORIZATION

Authtentication process


Authorization


Beans and methods can have authorization roles associated

- Annotations

- Users and Groups must be mapped to roles

tecnologias de distribuição e integraçãoapm/tdin/docs/11security.pdf · service identification...

Documents