11.07.2015 Views

y - Net Developer


CHAPTER 7 ■ IMPLEMENTING WCF SECURITY

support for both the MEPs. However, duplex MEP is available only in WSDualHttpBinding, NetTcpBinding, and NetNamedPipeBinding.

How do you present your rights to WCF runtime via bindings? What are the mechanisms available in WCF to pass on your requests to access resources? These questions are answered by implementing credentials and claims in WCF. The following section will discuss what these are.

Credentials and Claims

WCF security is based on credentials. What are these credentials? A credential is an XML-compatible entity that assists the Windows runtime in identifying a user. Credentials consist of one or more claims. A claim can be a username, a digital certificate, or a custom token that specifies the holder's right to access the application. This information will assist the Windows runtime in granting or denying access to the WCF application. The Windows runtime will verify the claims by the user. Therefore, if the user is using a certificate, the runtime will inspect the certificate information and verify whether the user is who they say they are. This is the authentication concept discussed earlier. When the user is authenticated, the certificate key could be used to decrypt the data. This will fulfill the integrity feature discussed earlier. This could be followed by an authorization check that will verify whether the user has access to the data and functions of the application. Therefore, we can summarize a set of claims into the user's complete access privileges in WCF.

There are several setup claim sets in WCF (that is, certificates, usernames, Kerberos tickets, and custom tokens). They are mapped to a standard internal claim set in WCF runtime. Therefore, the user can alternate between one claim and another (that is, between the username and the custom token pair) without any issues with the Windows runtime. After the first communication with the server, the user session will commonly use a token to present the claim set information without checking for authentication, authorization, and integrity for subsequent requests. This is designed to improve response times.

■Note In WCF, the highest security level is activated by default. Therefore, the user needs to decrease the security levels if they want to accommodate security requirements. Also, the security model facilitates configuration-level changes without any code or runtime modifications (which is the same as reliable messaging, transaction support in WCF, and so on). Therefore, if you alter your MSMQ binding to replace with the WSHttpBinding binding, the application will seamlessly integrate with the same security context.

How do you extract claim information in WCF? How can you investigate the claim information using code? Let's examine this with the assistance of the QuickReturns Ltd. sample application.

■Note You will reuse the Chapter 6 code in this example. The service and client functionality will be the same. Specifically, the server will expose a security trading service, and the client will make requests to trade securities. Please consult the code that accompanies this chapter to maximize your learning experience.
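One way to inspect the claim sets described above from code, given here as an added example that is not the book's QuickReturns code. The `ClaimDump` class, its method names and the sample user are hypothetical; it assumes .NET Framework with references to System.IdentityModel and System.ServiceModel.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.Linq;
using System.ServiceModel;

static class ClaimDump   // hypothetical helper, not part of the QuickReturns sample
{
    // Claim sets of the current caller. ServiceSecurityContext.Current is null
    // outside a service operation or when the message carries no security context.
    public static IEnumerable<ClaimSet> CallerClaimSets()
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null) return new ClaimSet[0];
        return ctx.AuthorizationContext.ClaimSets;
    }

    // One line per claim: type | right | resource.
    public static List<string> Describe(IEnumerable<ClaimSet> claimSets)
    {
        var lines = new List<string>();
        foreach (ClaimSet set in claimSets)
        {
            lines.Add("ClaimSet with " + set.Count + " claim(s)");
            foreach (Claim c in set)
                lines.Add(string.Format("  {0} | {1} | {2}", c.ClaimType, c.Right, c.Resource));
        }
        return lines;
    }

    // True only if some claim set asserts the claim type as the caller's identity
    // (Rights.Identity), not merely as a possessed property.
    public static bool HasIdentityClaim(IEnumerable<ClaimSet> claimSets, string claimType)
    {
        return claimSets.Any(s => s.FindClaims(claimType, Rights.Identity).Any());
    }

    static void Main()
    {
        // Constructed sample standing in for the claims a username credential could map to.
        var sample = new ClaimSet[] { new DefaultClaimSet(ClaimSet.System,
            new Claim(ClaimTypes.Name, @"QUICKRETURNS\trader1", Rights.Identity),
            new Claim(ClaimTypes.Email, "trader1@example.com", Rights.PossessProperty)) };
        foreach (string line in Describe(sample)) Console.WriteLine(line);
        Console.WriteLine(HasIdentityClaim(sample, ClaimTypes.Name));
        Console.WriteLine(HasIdentityClaim(sample, ClaimTypes.Email));
        Console.WriteLine(Describe(CallerClaimSets()).Count);
    }
}
```

Inside a service operation, pass `ClaimDump.CallerClaimSets()` to `Describe` to see what the configured binding and credential type actually delivered before writing authorization checks against it.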
