wcf:將用戶名添加到消息頭是否安全? (wcf: adding username to the message header is this secure?)

問題描述

wcf:將用戶名添加到消息頭是否安全? (wcf: adding username to the message header is this secure?)

I'm connecting to a WCF service in an ASP.NET app. I'm logging in using one username and password and passing the actual username of whoevever is logged into the ASP.NET web app in a message header as below.

  using (OperationContextScope scope = new OperationContextScope(myService2.InnerChannel))
  {
    Guid myToken = Guid.NewGuid();

    MessageHeader<string> messageHeader = new MessageHeader<string>(HttpContext.Current.User.Identity.Name);
    MessageHeader untyped = messageHeader.GetUntypedHeader("token", "ns");

    OperationContext.Current.OutgoingMessageHeaders.Add(untyped);

    lblResult.Text = myService2.GetData(1231);
  }

I'm also using a service certificate as below

      <serviceCredentials>
        <serviceCertificate findValue="CN=tempCert" />
        <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
          membershipProviderName="MySqlMembershipProvider" />
      </serviceCredentials>

What I'm worried about is whether this sufficient protection to stop people getting at the username stored in the message header?

ASP.NET config is

    <system.serviceModel>
    <behaviors>
        <endpointBehaviors>
            <behavior name="NewBehavior">
                <clientCredentials>
                    <serviceCertificate>
                        <authentication revocationMode="NoCheck"/>
                    </serviceCertificate>
                </clientCredentials>
            </behavior>
        </endpointBehaviors>
    </behaviors>
    <bindings>
        <wsHttpBinding>
            <binding name="wsHttpEndpoint" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf‑8" useDefaultWebProxy="true" allowCookies="false">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
                <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false"/>
                <security mode="Message">
                    <transport clientCredentialType="Windows" proxyCredentialType="None" realm=""/>
                    <message clientCredentialType="UserName" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="true"/>
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
    <client>
        <endpoint address="http://localhost/WCFTestService/Service.svc" behaviorConfiguration="NewBehavior" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpoint" contract="WCFTestService.IService" name="wsHttpEndpoint">
            <identity>
                <certificate encodedValue=""/>
            </identity>
        </endpoint>
    </client>
</system.serviceModel>

and at the service side its

  <system.serviceModel>
<bindings>
  <wsHttpBinding>
    <binding name="wsHttpEndpointBinding">
      <security>
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
<services>
  <service behaviorConfiguration="ServiceBehavior" name="Service">
    <endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding"
      name="wsHttpEndpoint" contract="IService">
      <!‑‑<identity>
        <dns value="" />
      </identity>‑‑>
    </endpoint>
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
  </service>
</services>
<behaviors>
  <serviceBehaviors>
    <behavior name="ServiceBehavior">
      <serviceMetadata httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="false" />
      <serviceCredentials>
        <serviceCertificate findValue="CN=tempCert" />
        <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
          membershipProviderName="MySqlMembershipProvider" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>

‑‑‑‑‑

參考解法

方法 1:

The big question is: do you have any kind of transport‑level or message‑level security enabled on your binding? What binding are you using?

If you have transport‑level security (typically through using HTTPS over SSL), then you have a point‑to‑point encrypted transport channel which I would deem very safe.

If you have message‑level security using a certificate on the client, too, and you do encrypt the whole message, then you should be safe, too.

It really boils down to what binding you're using and what security settings you're using on that binding. Show us the server's config !

Marc

(by AJMmarc_s)

參考文件

  1. wcf: adding username to the message header is this secure? (CC BY‑SA 3.0/4.0)

#Security #ASP.NET #web-services #wcf




相關問題

只允許 oracle db 登錄到特定的應用程序? (Allowing oracle db login only to specific application?)

在桌面應用程序中保存用戶名和密碼 (Saving username & password in desktop app)

如何使用算法 RSA/ECB/PKCS1Padding 通過 JavaScript 解密加密字符串 (How to decrypt through JavaScript of encrypted string using algorithm RSA/ECB/PKCS1Padding)

wcf:將用戶名添加到消息頭是否安全? (wcf: adding username to the message header is this secure?)

沒有 .htaccess 的安全目錄密碼保護 (Secure directory password protection without .htaccess)

無法在 Oracle 表上創建簡單視圖 (Unable to create a simple view on Oracle table)

當請求來自調度程序時,無法寫入 App_Data (Cannot write in App_Data when request is from scheduler)

安全的 PHP 文件上傳 (Secure PHP file uploading)

Grails Spring 安全配置通過 xml (Grails Spring Security Configuration thru xml)

醫療應用的安全要求 (Security Requirements for Medical Applications)

如何保護 Silverlight 應用程序 (How to Secure Silverlight Application)

在使用 azure 流量管理器和 azure 應用程序網關與 WAF 時實現國家級阻止 (Achieve country level blocking while using azure traffic manager and azure application gateway with WAF)





留言討論