S
sonicm
Hi,
I've been working on WCF now for the past few weeks and am wondering how
much security is enough (I know that's a loaded question in itself!)?
So far I can,
* detect the IP address calling me and look that up in a DB to make sure
it's registered.
* Run against SSL for security transport
* Have a client certificate to proect at message level
I know there is a certificate for transport level as well but I have just
been unable to get that to work, I don't know if it conflicts with the
certificate on the server or something but I just get loads of "The SSL
settings for the service 'SslRequireCert' does not match those of the IIS
'Ssl, Ssl128'." type errors that no one seems to be able to answer for me:
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=3242568&SiteID=1.
Today I've been looking at adding username/password to the message but it
seems that I would have to disable the certificate for message level binding
if I wanted to do that, is there anyway to have ASP.NET type security using
the PrincipalPermission setting in my class to check for roles. I am using a
book called "Essential Windows Communication Foundation for .NET Framework
3.5" which is very good but I just can't get the examples to work and can't
find where to download the code from to show me working versions? Also, in
their example they seem to change the bindings from Transport to Message.
Sorry I know this question has been a bit wooly but mainly I would like to
know how to use Certificates for message level (that I already have working)
along with the ASP.NET SQL username/password role validation?
Thanks in advance.
Mike.
I've been working on WCF now for the past few weeks and am wondering how
much security is enough (I know that's a loaded question in itself!)?
So far I can,
* detect the IP address calling me and look that up in a DB to make sure
it's registered.
* Run against SSL for security transport
* Have a client certificate to proect at message level
I know there is a certificate for transport level as well but I have just
been unable to get that to work, I don't know if it conflicts with the
certificate on the server or something but I just get loads of "The SSL
settings for the service 'SslRequireCert' does not match those of the IIS
'Ssl, Ssl128'." type errors that no one seems to be able to answer for me:
http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=3242568&SiteID=1.
Today I've been looking at adding username/password to the message but it
seems that I would have to disable the certificate for message level binding
if I wanted to do that, is there anyway to have ASP.NET type security using
the PrincipalPermission setting in my class to check for roles. I am using a
book called "Essential Windows Communication Foundation for .NET Framework
3.5" which is very good but I just can't get the examples to work and can't
find where to download the code from to show me working versions? Also, in
their example they seem to change the bindings from Transport to Message.
Sorry I know this question has been a bit wooly but mainly I would like to
know how to use Certificates for message level (that I already have working)
along with the ASP.NET SQL username/password role validation?
Thanks in advance.
Mike.