Wcf security session 1
WCF Security
Anil Kumar M
04/12/2023
Objectives
- Golden History
- Guess where is the path
- Define a Policy
- Who are you? WCF ways to identify
- Are you allowed to do!
- A big Prediction

Golden History
General scenarios of security in a normal client and service application: a client calls a service, i.e. a client calls a method in the service.
Considering our focused topic of the day: security in terms of the service.

Guess where can we improve security?

Just think: is it not required? A scenario
Now an authenticated and authorized client is calling the service. Don't you think the message transferred from client to service should be secured? That means the membrane (the channel) that transfers the message from client to service should be secured.
This defines the term Transfer Security.

If we recap: a Security Policy is Authentication, Authorization and Transfer Security.

Who are you? Authentication
Two contexts:
- In the service's viewpoint
- In the client's perspective: hijacked client calls

6 ways of authentication mechanisms offered by WCF

1. No Authentication
Service allows everyone to access its methods.

2. Windows Authentication
Kerberos when a domain server is present; NTLM in a workgroup.
Service allows those who provide their Windows credentials and authenticate against Windows.

3. Username and Password
Service allows those who provide a username and password and authenticate against its user store.

4. X.509 Certificate
The service allows those known to it in advance, i.e. the client holds a certificate already registered with the service host, so if a request comes with that certificate the caller is a valid user.

5. Custom Mechanism
Biometrics

6. Issued Token
Security Token Service; related to Federated Security, like authentication with GOOGLE, HOTMAIL or YAHOO used in any application; CardSpace.
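The six mechanisms above map almost one-to-one onto WCF's client credential types. The following is an added example, not code from the deck: a hypothetical service host whose binding is configured for one named mechanism, with a custom UserNamePasswordValidator standing in for the "user store" of mechanism 3. The contract, address, certificate subject and the in-memory credential are constructed for the example; a real validator would compare a password hash from the application's store. Mechanism 5 (a custom scheme such as biometrics) has no enum value and is omitted; it is built on the same validator or token hooks.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract used only for this example.
[ServiceContract]
public interface IAccountService
{
    [OperationContract]
    string WhoAmI();
}

public class AccountService : IAccountService
{
    // Reads the identity WCF established during authentication.
    public string WhoAmI()
    {
        var ctx = ServiceSecurityContext.Current;
        return ctx == null || ctx.IsAnonymous ? "anonymous" : ctx.PrimaryIdentity.Name;
    }
}

// Mechanism 3: the service's own user store. Constructed in-memory credential for the
// example; a real validator checks a password hash from the application's store.
public class InMemoryValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName != "alice" || password != "correct horse battery staple")
            throw new FaultException("Unknown username or incorrect password."); // one generic message for both cases
    }
}

public static class AuthenticationSetup
{
    // Returns a WSHttpBinding configured for one of the WCF authentication mechanisms.
    public static WSHttpBinding BindingFor(string mechanism)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        switch (mechanism)
        {
            case "none":        // 1. No authentication: anyone can call
                binding.Security.Mode = SecurityMode.None;
                break;
            case "windows":     // 2. Kerberos in a domain, NTLM in a workgroup
                binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
                break;
            case "username":    // 3. Username/password checked by the validator above
                binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
                break;
            case "certificate": // 4. Client presents an X.509 certificate known to the host
                binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
                break;
            case "issuedtoken": // 6. Token issued by a Security Token Service (federation)
                binding.Security.Message.ClientCredentialType = MessageCredentialType.IssuedToken;
                break;
            default:
                throw new ArgumentException("unknown mechanism: " + mechanism);
        }
        return binding;
    }

    public static ServiceHost Host(string mechanism)
    {
        // Hypothetical address; message security needs a service certificate for
        // every mechanism except "none".
        var host = new ServiceHost(typeof(AccountService), new Uri("http://localhost:8000/accounts"));
        host.AddServiceEndpoint(typeof(IAccountService), BindingFor(mechanism), "");
        if (mechanism != "none")
            host.Credentials.ServiceCertificate.SetCertificate(
                StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "localhost");
        if (mechanism == "username")
        {
            var auth = host.Credentials.UserNameAuthentication;
            auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
            auth.CustomUserNamePasswordValidator = new InMemoryValidator();
        }
        if (mechanism == "certificate")
        {
            // PeerTrust accepts only certificates installed in the host's TrustedPeople store,
            // which is the "already registered with the service host" rule from slide 4.
            host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
                X509CertificateValidationMode.PeerTrust;
        }
        return host;
    }
}
```

Calling `AuthenticationSetup.Host("username").Open()` exposes the service so that only a caller presenting the validator's credential reaches `WhoAmI`; with `"none"` every caller sees `"anonymous"`, which is the slide-1 behaviour made visible.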

Authorization
After authentication, the service relies on some user store where users are mapped to logical roles. When a method is accessed it demands that only certain roles can access it.

Authorization Offered by WCF
- Windows Accounts
- ASP.NET Provider
- Custom role repositories
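The role demand on a method and the three role sources listed above can be shown together. This is an added example, not code from the deck: a hypothetical bank contract whose Transfer operation demands the Tellers role, and a host configuration that picks Windows groups, the ASP.NET role provider, or a custom in-memory role repository (constructed for the example) supplied through an IAuthorizationPolicy.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;

// Hypothetical contract used only for this example.
[ServiceContract]
public interface IBankService
{
    [OperationContract] decimal Balance(string account);
    [OperationContract] void Transfer(string from, string to, decimal amount);
}

public class BankService : IBankService
{
    // Any authenticated caller may read a balance.
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public decimal Balance(string account) { return 0m; }

    // Only callers mapped to the Tellers role may move money; otherwise WCF raises
    // SecurityAccessDeniedException before the method body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Tellers")]
    public void Transfer(string from, string to, decimal amount) { }
}

// Custom role repository: a constructed in-memory table standing in for a database.
public class InMemoryRolePolicy : IAuthorizationPolicy
{
    static readonly Dictionary<string, string[]> Roles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "Tellers" } },
            { "bob",   new string[0] },
        };

    public string Id { get { return "in-memory-roles"; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext context, ref object state)
    {
        object obj;
        if (!context.Properties.TryGetValue("Identities", out obj)) return false;
        var identities = obj as IList<IIdentity>;
        if (identities == null || identities.Count == 0) return false;
        var identity = identities[0];
        string[] roles;
        if (!Roles.TryGetValue(identity.Name, out roles)) roles = new string[0];
        // PrincipalPermission checks Thread.CurrentPrincipal, which WCF sets from this property.
        context.Properties["Principal"] = new GenericPrincipal(identity, roles);
        return true;
    }
}

public static class AuthorizationSetup
{
    // Selects where the roles named in the PrincipalPermission demands come from.
    public static void Configure(ServiceHost host, string roleSource)
    {
        ServiceAuthorizationBehavior auth = host.Authorization;
        switch (roleSource)
        {
            case "windows":   // roles are the caller's Windows / Active Directory groups
                auth.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;
                break;
            case "aspnet":    // roles come from the configured ASP.NET RoleProvider
                auth.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles;
                break;
            case "custom":    // roles come from our own repository via the policy above
                auth.PrincipalPermissionMode = PrincipalPermissionMode.Custom;
                auth.ExternalAuthorizationPolicies = new ReadOnlyCollection<IAuthorizationPolicy>(
                    new IAuthorizationPolicy[] { new InMemoryRolePolicy() });
                break;
            default:
                throw new ArgumentException("unknown role source: " + roleSource);
        }
    }
}
```

With `Configure(host, "custom")`, an authenticated "alice" can call both operations while "bob" can read a balance but is denied on Transfer; the demand is evaluated by WCF, so the service code itself never has to re-check roles.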

Transfer Security Challenges
Read or Write:
- Message integrity
- Message privacy
- Mutual authentication

Message integrity
Altering the account number in the case of an amount transfer.

Message privacy
No altering, only reading the info and using it whenever needed.

Mutual Authentication
Two challenges: the polite way and the cruel way.
Eliminate replay attacks: read secure info from the wire and send that info to the service.
Denial of service attacks: flood the service with correct and bogus requests at such a frequency that it becomes unavailable.
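The transfer-security challenges above (integrity, privacy, mutual authentication, replay and flooding) each correspond to a WCF setting. The following is an added example, not code from the deck: a hypothetical payment contract where the ProtectionLevel chooses signing only (integrity) or encrypt-and-sign (integrity plus privacy), a message-security binding in which both sides present certificates (mutual authentication), the replay-detection settings reached through a CustomBinding, and a throttling behaviour that bounds work in flight so a flood of bogus calls cannot exhaust the host. The address, certificate subject and limits are assumptions for the example.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

[ServiceContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
public interface IPaymentService
{
    // Integrity only: a tampered value fails signature verification,
    // but the payload is readable on the wire.
    [OperationContract(ProtectionLevel = ProtectionLevel.Sign)]
    string Ping(string token);

    // Integrity and privacy: inherits EncryptAndSign from the contract, so an
    // altered account number is rejected and the amount is not readable in transit.
    [OperationContract]
    void Transfer(string fromAccount, string toAccount, decimal amount);
}

public class PaymentService : IPaymentService
{
    public string Ping(string token) { return token; }
    public void Transfer(string fromAccount, string toAccount, decimal amount) { }
}

public static class TransferSecuritySetup
{
    public static Binding MutuallyAuthenticatedBinding()
    {
        // Message security with a client certificate: the service proves itself with its
        // certificate and the client with its own, i.e. mutual authentication.
        var ws = new WSHttpBinding(SecurityMode.Message);
        ws.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        ws.Security.Message.NegotiateServiceCredential = false; // client must already hold the service cert

        // Drop to a CustomBinding to reach the replay-detection settings.
        var custom = new CustomBinding(ws);
        var security = custom.Elements.Find<SecurityBindingElement>();
        security.IncludeTimestamp = true; // timestamps are what make a replayed message detectable
        security.LocalServiceSettings.DetectReplays = true;
        security.LocalServiceSettings.ReplayWindow = TimeSpan.FromMinutes(5);
        security.LocalServiceSettings.MaxClockSkew = TimeSpan.FromMinutes(5);
        security.LocalServiceSettings.ReplayCacheSize = 900000;
        return custom;
    }

    public static ServiceHost Host()
    {
        // Hypothetical address and certificate subject.
        var host = new ServiceHost(typeof(PaymentService), new Uri("http://localhost:8001/payments"));
        host.AddServiceEndpoint(typeof(IPaymentService), MutuallyAuthenticatedBinding(), "");
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "localhost");
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;

        // Flood protection: cap concurrent calls, sessions and instances so that
        // bogus traffic cannot consume every thread and make the service unavailable.
        var throttle = host.Description.Behaviors.Find<ServiceThrottlingBehavior>();
        if (throttle == null)
        {
            throttle = new ServiceThrottlingBehavior();
            host.Description.Behaviors.Add(throttle);
        }
        throttle.MaxConcurrentCalls = 16;
        throttle.MaxConcurrentSessions = 100;
        throttle.MaxConcurrentInstances = 116;
        return host;
    }
}
```

Opening `TransferSecuritySetup.Host()` gives a service where a message captured from the wire and resent after the replay window is rejected, and where the throttle turns an overload into queued or refused calls rather than an unavailable host; the limits are starting points to be tuned against measured load.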