A few months ago I was given the task of setting up security for some WCF services we had created. After a couple days of scouring the internet for ideas and solutions, I ended up purchasing a book on WCF. Although there is a lot of information on the web about WCF and what security methods are available to us as developers, the information was always incomplete, and connecting the dots wasn’t the easiest. The example below shows how we can setup message based WCF security for a service which will be accessed over the internet, although the same code could be used for an intranet application as well. The example will require both user authentication and an x509 certificate.
For our WCF service, we’re using the wsHttpBinding. This binding provides much of the same functionality as a basic web service, with added service features such as reliable messaging, WS-Addressing, and WS-Security. Since this post is mainly on setting up security for a WCF service, I won’t go into too many details of the other features of wsHttpBinding.
After creating the WCF service, open up the web.config file for the WCF Service Application project. After scrolling down for a long time, you should come across a System.serviceModel tag. This tag contains all of the configuration settings for the WCF services contained in this project. Here’s what you should be looking at now:
<system.serviceModel>
<services>
<service name=“WcfService1.Service1“ behaviorConfiguration=“WcfService1.Service1Behavior“>
<!– Service Endpoints –>
<endpoint address=“” binding=“wsHttpBinding“ contract=“WcfService1.IService1“>
<!–
Upon deployment, the following identity element should be removed or replaced to reflect the
identity under which the deployed service runs. If removed, WCF will infer an appropriate identity
automatically.
–>
<identity>
<dns value=“localhost“/>
</identity>
</endpoint>
<endpoint address=“mex“ binding=“mexHttpBinding“ contract=“IMetadataExchange“/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name=“WcfService1.Service1Behavior“>
<!– To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment –>
<serviceMetadata httpGetEnabled=“true“/>
<!– To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information –>
<serviceDebug includeExceptionDetailInFaults=“false“/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
By default, a WCF service will use the wsHttpBinding, this is what we want to continue using. We need to make a few modifications to this web.config in order to provide the additional functionality we want. First take a look at the serviceBehaviors section. By default we already have a behavior for our Service1. Here is an example of a modified behavior:
<behavior name=“WcfService1.Service1Behavior“>
<serviceCredentials>
<serviceCertificate findValue=“CN=ServiceCertificate“ storeLocation=“LocalMachine“
storeName=“My“ x509FindType=“FindBySubjectDistinguishedName“ />
<userNameAuthentication userNamePasswordValidationMode=“Windows“/>
</serviceCredentials>
</behavior>
There is a lot of info in this behavior pertaining to security. The first bit describes the x509 certificate we would like to use that is already installed on our machine. We can create our own test x509 certificate for development purposes if need be. We can also describe the user authentication mode, in this case we are just using Windows authentication.
The next section extends the wsHttpBinding to provide some additional features not turned on be default:
<bindings>
<wsHttpBinding>
<binding name=“wsHttpBindingSettings“ messageEncoding=“Text“>
<security mode=“Message“>
<message clientCredentialType=“UserName“ />
</security>
</binding>
</wsHttpBinding>
</bindings>
Here we can describe the transport type, as well as the client credential type. This is fairly simple, we are using Message based transport with UserName security.
Finally we need to tie these sections together with Service1:
<service behaviorConfiguration=“WcfService1.Service1Behavior“ name=“WcfService1.Service1Behavior“>
<endpoint address=“” binding=“wsHttpBinding“ bindingConfiguration=“wsHttpBindingSettings“
contract=“WcfService1.IService1“ listenUriMode=“Explicit“>
<identity>
<dns value=“ServiceCertficate“ />
</identity>
</endpoint>
<endpoint address=“mex“ binding=“mexHttpBinding“ contract=“IMetadataExchange“ />
</service>
The only changes we made here are in the bindingConfiguration property and the dns value. The bindingConfiguration allows you to bind our binding configuration to this service, and the dns value should match the x509 certificate name.
I’ll be posting some more on this topic, including writing your own custom username validation code for WCF, and creating your own test x509 certificate. Hope this helps!
-Jon