Implementing WCF Security

Security is one of the fundamental features of any software platform. In fact, security requirements have grown exponentially in the past decade because of the increasing popularity of public networks. Securing a distributed enterprise (one that is physically scattered around the world) using a public network such as the Internet is a challenging task. Malicious hackers, identity fraudsters, and disgruntled employees cost organizations millions of dollars every year. So, how do you address these issues as a senior stakeholder of a company? What does WCF offer in the security space to combat these issues?

You can secure your enterprise in many ways. Initially, you need to secure an organization at the physical level. You need to ensure your server farms are behind locked doors and are carefully monitored for access. You should restrict the access to all resources as much as possible. One emerging option is to outsource server farms to reputable third parties, which set up stringent measures to limit physical access to server farms. These outsourced hardware facilities have strict access controls to prevent any unauthorized access to the servers. They are in most cases built underground and without any windows or external access points. When you are comfortable with the level of security with your hardware devices by using services such as these, you can turn your attention to software practices.

You can address security requirements for applications in many aspects of software development. Some of these aspects are the platform, the data, the hosts, and the communications between clients and services. In this chapter, we will discuss only platform-level security. Our main focus will be to show the mechanisms available to protect your messages between services and clients.

WCF is a distributed application platform based on SOAP. In essence, WCF addresses communication between multiple nodes and multiple applications, and that communication is carried in SOAP messages. Bindings in WCF (over transports such as HTTP, TCP, MSMQ, and so on) give you different options for shaping and protecting SOAP messages according to your business requirements. In this chapter, we will address messages traveling from one node to another through intermediaries (such as firewalls) and messages traveling over public networks (the Internet). These scenarios introduce many security threats, which we will discuss in the next section. In a nutshell, this chapter discusses the following items to illustrate the WCF security concepts:

  • Why do you need to be concerned about security in SOAP messages?

  • What are the WCF security features that address these issues?

    • Credentials and claims

    • Transport-level security

    • Message-level security

    • Mixed mode (transport level and message level)

    • The federated security model in WCF

  • Authorization

  • Auditing

  • Windows CardSpace (formerly known as InfoCard)
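To make the three security modes in the list above concrete, here is an added example (not the book's code) that exposes one hypothetical service contract on three WSHttpBinding endpoints: transport level, message level, and mixed mode. It assumes a server certificate is already bound to port 8443 for HTTPS and that a certificate with the placeholder subject name is installed in the machine store for message security.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

[ServiceContract]
public interface IOrderService            // hypothetical contract for the example
{
    [OperationContract]
    string Submit(string order);
}

public class OrderService : IOrderService
{
    public string Submit(string order) => "accepted:" + order;
}

public static class SecureBindings
{
    // Transport level: TLS protects the channel hop by hop; the client is identified
    // by the transport (Windows credentials). An intermediary that terminates TLS
    // sees the SOAP body in the clear, which is why message level exists.
    public static WSHttpBinding TransportOnly()
    {
        var b = new WSHttpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        return b;
    }

    // Message level: the SOAP message itself is signed and encrypted (WS-Security),
    // so protection survives intermediaries and plain HTTP can carry it. The service
    // must hold an X.509 certificate; the client proves itself with a user name.
    public static WSHttpBinding MessageOnly()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return b;
    }

    // Mixed mode: TLS protects the channel while the client credential (user name
    // and password) travels inside the SOAP header rather than at the transport.
    public static WSHttpBinding Mixed()
    {
        var b = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return b;
    }
}

public static class Program
{
    public static void Main()
    {
        var host = new ServiceHost(typeof(OrderService));
        // Placeholder subject name: replace with the service's real certificate.
        host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
            StoreName.My, X509FindType.FindBySubjectName, "orders.example.test");
        host.AddServiceEndpoint(typeof(IOrderService), SecureBindings.TransportOnly(), "https://localhost:8443/orders/transport");
        host.AddServiceEndpoint(typeof(IOrderService), SecureBindings.MessageOnly(), "http://localhost:8080/orders/message");
        host.AddServiceEndpoint(typeof(IOrderService), SecureBindings.Mixed(), "https://localhost:8443/orders/mixed");
        host.Open();
        Console.WriteLine("Listening on three endpoints; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```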

You'll start your journey by learning why you need to address WCF security. What are the business drivers behind addressing security on the latest Microsoft platform offerings? What value does WCF add to solve the security concerns of a CTO or CIO? The next section will answer these questions.
