How does security work?

May 9, 2007 at 12:55 PM
I am a little green on security. How does the security work for the WSSF? I expect my application will use a web client but some parts of it may be accessed via a smart client. The web client uses a user login and password but how do you protect the web service part? Is it the same user/password mechanism or prior to accessing the site do you need a certificate?
May 9, 2007 at 1:18 PM
The WSSF has the WCF Security Guidance Package that has several recipes that implement most of the security patterns for Web Services that are documented in the Web Service Security Guidance. This guide has implementation details for WSE (ASMX) and the package and documentation included in WSSF implement this guidance for WCF (Windows Communication Foundation).
So you have several options to authenticate your web application against your services. On of them may be using X509 Certificates, so your web app (the client in this case) will have a client certificate and your service will have another "server" certificate. This model/pattern is what we call the Brokered Authentication: X.509 PKI. You may also explore other patterns and try using the inlcuded package whenever your services are implemented using WCF, otherwise you may follow the aforementioned Security Guidance and use WSE for this matter.

May 9, 2007 at 2:39 PM
Edited May 9, 2007 at 2:39 PM
Brokered Authentication using X.509 just confirms that there is a valid client that can use the service, correct? Is user authentication a part of it or does this just allow for user authentication to happen next?

P.S. I love the AJAX message when updating these discussions.
May 11, 2007 at 4:01 PM
You may use X.509 without any user credentials, just for authenticating both ends (web app and web service). On the other hand you have the user authenticating to the web app with its own crendetials. In case you want to flow the user identity to the service, then you may also use the "Direct Authentication" scenario where you only need a service certificate to authenticate the service and encrypt the user crendentials in transit.
May 11, 2007 at 10:26 PM
What I wanted to do was have record level security. Some items in the database can only be seen by those who own them or have read permissions on them. Many of the objects have one and sometimes more properties pointing to users as an example there is a contract with two parties listed. Each party should get to see the contract and all items joined to the contract. This requires me to pass user id's or names to methods and they are incorporated into the query. In the web client to database model I was going to try and create a custom principal that was attached to the currentuser thread after authentication. Then in each method I could pluck out the user id and pass it to the query without having it as a property of the object that gets set or as variable in the method signature (both could be compromised). What are my possible options for this given the nature of the wssf?
May 14, 2007 at 9:24 PM
For that scenario, you may use the DirectAuthentication with user name token auth where you use the user credentials along with the service X509.
You can find some examples in the Windows SDK here:
"\Microsoft SDKs\Windows\v6.0\Samples\WCFSamples\TechnologySamples\Basic\Binding\WS\MessageSecurity\Username"

Sep 17, 2007 at 4:20 PM
We created WCF services and are hosting them in IIS6. Our client is an ASP.NET webpage. In de ASP.NET page we use AspNetSqlMembershipProvider and AspNetSqlRoleProvider. The login we leave to the login control of VS2005. Now we want to validate that the user is in the Admin role to be able to execute an operation on the service. The problem is that we can't get the active login username from the ASP.NET webpage to the WCF service. Can someone point us into the right direction?