How to Configure Message-Based Security
In this demo, we will see how to secure a Windows Communication Foundation (WCF) service. We will also see how to use the service trace utility provided by the Windows SDK to inspect service messages.
What we have here is a very simple application for applying customer credits. This application makes a call to a WCF service to perform the transaction. If we look at the application, we can see in the btnApplyCredit_Click event handler that we are creating a request object which contains account, amount, and transaction ID information. We then invoke the service and receive a response indicating whether or not the transaction was approved. Let's run the application. We will enter an account number and an amount to be credited, hit Apply, and we see that the transaction was successful.
Now let's take a quick look at the service. Our service uses data contracts for the request and response objects. As for the service itself, we have an ICredit interface that defines a credit account method. Our credit service implements the ICredit interface; credit account simply takes the request passed in and creates a response that approves the transaction.
Let's go enable encryption for our service and also view our service messages in the service trace viewer. We will go to the binding, open the security tab, and specify message-level security. Because we are working within a Windows domain, we can leave the MessageClientCredentialType set to Windows and allow Windows to handle the encryption scheme for us. We will save the config, and now we will go set the security on our client. We will go to the security tab, set the mode to Message, just as we did for the service, and then enable MessageLogging under Diagnostics.
Once we have enabled message logging, it will automatically create a diagnostic source and listener. If we want to change the location of the output files, we can click on the listener link and change the name. In this case, we will change it to c:\wcf logs\credit_service.svclog. We are also going to set message logging to log the entire message so that we can see both the header and the message content.
Now we can save our configuration changes, compile, and run the application. We can see that the application runs successfully without throwing an exception and that our transaction was approved. Let's take a look at our log file in the service trace utility. When we look at the messages now, we can see that the data for our request and our response is no longer being passed in clear text but is encrypted.
So now we have taken care of encrypting our message. However, anyone can access our service, so let's use WCF to secure the service so that only authorised users can invoke it. What I am going to do now is add a using statement for System.Security.Permissions, and then set permissions on my credit account method so that only members of the service users group can access it. I will do this with a PrincipalPermission attribute, setting the security action to Demand and the role equal to service users. Because we are not a member of the service users group, the call to this method should fail at runtime. I will save my application, recompile, and run it, performing my transaction one final time. Now you see we have received a security exception because we did not have the proper permissions to invoke this method on the service.
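The service contract, the role demand and the message-security binding from the demo, written out as an added example (this is not the demo's or the author's code; it targets .NET Framework WCF, and the wsHttpBinding, the contract member types, the endpoint address parameter and the exact group name `Service Users` are assumptions):

```csharp
using System.Runtime.Serialization;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Security;
[DataContract] public class CreditRequest
{
    [DataMember] public string Account { get; set; }
    [DataMember] public decimal Amount { get; set; }
    [DataMember] public string TransactionId { get; set; }
}
[DataContract] public class CreditResponse { [DataMember] public bool Approved { get; set; } }

[ServiceContract] public interface ICredit
{
    [OperationContract] CreditResponse CreditAccount(CreditRequest request);
}

public class CreditService : ICredit
{
    // Demand membership in the "Service Users" Windows group (name assumed). WCF's
    // default principal mode puts the caller's authenticated Windows identity on the
    // service thread, and that identity is what this role check is evaluated against.
    [PrincipalPermission(SecurityAction.Demand, Role = "Service Users")]
    public CreditResponse CreditAccount(CreditRequest request)
    {
        return new CreditResponse { Approved = true };
    }
}

public static class CreditClient
{
    // Code equivalent of the demo's config edits: message-level security with
    // Windows client credentials, so the SOAP body is signed and encrypted.
    public static WSHttpBinding SecureBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        return binding;
    }

    // True if approved, false if the service rejected the caller's identity; any other fault propagates.
    public static bool TryApplyCredit(string address, CreditRequest request)
    {
        using (var factory = new ChannelFactory<ICredit>(SecureBinding(), new EndpointAddress(address)))
        {
            try { return factory.CreateChannel().CreditAccount(request).Approved; }
            catch (SecurityAccessDeniedException) { return false; } // the Demand failed
        }
    }
}
```

A caller outside the group sees the denial as a fault on the client side, which is the security exception observed at the end of the demo; the service never runs the method body for that caller.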