I do host a WCF service on a server which requires the clients to authenticate using a x509 certificate. I need to read this certificate inside the service as the data contained is part of the business logic.
The binding I use for the WCF service is webHttpBinding with security set to "Transport" and clientCredentialType="certificate".
In ASP.net I can use the HttpContext.Current, which however is not available in WCF. What can I do to still get the certificate from the user?
Kind regards,
Alois
The article on http://blogs.msdn.com/b/wenlong/archive/2006/01/23/516041.aspx provided me with the solution to this problem. WCF allows to run in "ASP.net compatibility mode" which brings back the full HttpContext object.
I use this in my WCF service, with ASP.net compatibility disabled:
var x509ClaimSet = OperationContext.Current.ServiceSecurityContext.AuthorizationContext.ClaimSets.FirstOrDefault() as X509CertificateClaimSet;
Related
I am developing a software that, apart from having its own BackEnd, has a module that must be integrated with an external web service. The external web service is as follows: https://e-seida.sunat.gob.pe/ol-ad-itseida-ws/ReceptorService.htm?wsdl
In the project (.NET C#), it can be easily referenced and I can see all the contract and methods that the external web service has exposed. I can do the same thing from the SOAP UI when I test successfully hitting the web service.
As you can see in the image, when you hit the web service, you have communication and a response from the SOAP UI. Now this does not happen in my project because although it is true the web service could be referenced, but until now I am still looking for the way or way to send the security data (UsernameToken) to the web service, honestly it is somewhat frustrating because I've been having this same problem for several days now and I can't give you a solution and researching I have found some possible solutions and none of them have really helped me.
I understand that the Header of this web service contains WS-Security type security, which is basically an open standard approved by OASIS to provide transport layer security (through SSL/TLS from HTTP).
I have also investigated some forums where they indicate that creating the following interfaces/classes (MessageHeader, IClientMessageInspector, IEndpointBehavior) but implementing that does not solve it either.
What can I try to resolve this?
I have a WCF Service setup using BasicHttpBinding, now I need to make a section where I will allow users to upload a file. This needs to be secure, so we are thinking of using SSL for transfer from website to WCF. Does anyone know if I need to create another WCF Service just for the SSL piece or can it all be in one WCF Service, part of it being BasicHTTPBinding and the other part being the SSL piece, as we don't want to use SSL for all calls, just a few related to the file upload.
Otherwise is there anothe way to approach this? Like possibly encrypt the file via some encryption method on the website side and then send it over we could try that if that's recommended, so no SSL just sending the encrypted file to WCF to store on the server.
Thank you.
Yes you need 2 WCF services with seperate contracts, but they can be hosted onn the same site.
Configure the one that you want to use SSL with a binding that has "Transport Security".
I am developing a set of web services using ServiceStack.net. I plan to host these services on Appharbor. I am fairly new to appharbor and cloud hosting in general.
I see that there is an interface within the dashboard to upload my SSL cert. What other configuration do I need to do to AppHarbor and/or my application to get this working properly?
Another note, My Servicestack services will be hosted within an MVC website. I will require all servicestack calls to be made over SSL and have implemented a request filter to check for this and throw a 403 if a non-secure call is attempted.
If you are happy with SNI SSL support, no further configuration should be necessary. Use this gist to determine whether a request is made with an SSL-encrypted connection.
I've got an WP7 application who does authentication with Azure Access Control Service and stores it's SimpleWebToken in an the IsolatedStorage. I want to use this SWT-token to secure my (locally deployed not in AZURE)WCF Service. (The WCF service is finished, except the ACS token validation part) So I've added an Service Reference in my WP7 application and now I want to send the SWT-token to WCF Service via the generated WCF proxy client, but how? Or is this not the way to do it?
Because custom binding & wsHttpBinding isn't supported on WP7(Not sure if mango fixes this) and I don't want to use a WCFDataService. I've come with an nasty solution, I will add a string(the simplewebtoken) to my operationcontract and send it with every client call. I validate this token in the serviceimplentation with the configured securityTokenHandler. This currently works for me!
I am using wcf services for interaction between my javascript files and server side.
I am concerened about security around this as anyone can call these services via an application, firebug etc.
So I want to secure my web services to only be accessible from specified sources, for example the javascript files on my site - ie. the main function why I have wcf services.
I am running on the .net 3.5 framework in a c# web application.
Could anyone assist my securing my wcf services as outlined above?
If this is a combination of javascript and server side , you can probably generate a Key from the server side and store it in the javascript variable and pass again to the WCF webservices.
Kobe's answer of generated request keys is definitely one possible way. Given that your services are running on the same machine as your UI code, another way to limit access would be to set them up as regular services and not Web Services. That is of course assuming you don't need them to be Web Services.
Check out the cool work that the WCF team has done/ is doing with jQuery and WCF.