I have already posted on WCF behavior, architecture, design principles, the ABC concept, proxies, channel communication, hosting mechanisms, message exchange patterns, instance mode and concurrency mode. Now it's time to learn advanced WCF concepts: transactions, security, authentication, authorization and access control.
Transactions provide a way to group a set of actions or operations into a single indivisible unit of execution. A transaction is a collection of operations with the following properties:
1. Atomicity: This ensures that either all of the updates completed under a specific transaction are committed and made durable or they are all aborted and rolled back to their previous state.
2. Consistency: This guarantees that the changes made under a transaction represent a transformation from one consistent state to another. For example, a transaction that transfers money from a checking account to a savings account does not change the total amount of money held across the two accounts.
3. Isolation: This prevents a transaction from observing uncommitted changes belonging to other concurrent transactions. Isolation provides an abstraction of concurrency while ensuring one transaction cannot have an unexpected impact on the execution of another transaction.
4. Durability: This means that once committed, updates to managed resources (such as a database record) will be persistent in the face of failures.
What are the transaction flow phases? Please explain in detail.
Transaction flow/phases: The transaction coordinator (the transaction manager) drives the phases. It is generally located on the computer that initiates the transaction. After all the updates have been performed, the initiator asks the transaction coordinator to commit the transaction.
WCF transactions follow a two-phase commit (2PC):
1. Prepare phase
2. Commit phase
All coordination is done by the transaction manager that resides on the computer that initiated the transaction.
In the prepare phase the transaction manager asks every enlisted participant (resource manager) whether it is ready to commit; each participant votes "prepared" after durably recording its pending work, or votes "abort". In the commit phase the outcome is applied: if every participant voted prepared, the coordinator tells all of them to commit; if any participant voted abort or did not answer, the coordinator tells all of them to roll back.
Note: You can think of the prepare phase as a check that all participants are ready to commit, and of the commit phase as the point where the work is actually made permanent. A participant that has voted prepared but has not yet heard the outcome is "in doubt" and must keep its prepared state (and its locks) until the coordinator resolves it.
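The two phases above, as an added example that is not part of the original post: a toy in-memory resource manager built on System.Transactions (the same transaction manager WCF uses) that implements the IEnlistmentNotification callbacks, so the prepare vote, the commit, the rollback and the in-doubt case are all visible. The account names, balances and the overdraw rule are constructed for the demo.

```csharp
using System;
using System.Transactions;

// A toy resource manager: it "owns" one in-memory account balance and enlists
// in the ambient transaction when Debit() is called. In a real system the
// database driver plays this role; System.Transactions is the coordinator.
class AccountResource : IEnlistmentNotification
{
    public string Name { get; }
    public decimal Balance { get; private set; }
    private decimal pending;   // change recorded but not yet committed
    private bool enlisted;     // enlist once per transaction

    public AccountResource(string name, decimal balance)
    {
        Name = name;
        Balance = balance;
    }

    public void Debit(decimal amount)
    {
        if (Transaction.Current == null)
            throw new InvalidOperationException("Debit requires an ambient transaction");
        pending -= amount;
        if (!enlisted)
        {
            // Volatile enlistment keeps the transaction with the LTM (no DTC promotion).
            Transaction.Current.EnlistVolatile(this, EnlistmentOptions.None);
            enlisted = true;
        }
    }

    // Phase 1: the coordinator asks every participant to vote.
    public void Prepare(PreparingEnlistment preparing)
    {
        Console.WriteLine($"[{Name}] prepare, pending change {pending}");
        if (Balance + pending < 0)
        {
            // Vote "abort": the coordinator will roll back every participant.
            pending = 0; enlisted = false;
            preparing.ForceRollback(new InvalidOperationException(Name + " would overdraw"));
        }
        else
        {
            preparing.Prepared();   // vote "ready"; the outcome is now the coordinator's call
        }
    }

    // Phase 2 (all voted ready): make the change permanent.
    public void Commit(Enlistment enlistment)
    {
        Balance += pending; pending = 0; enlisted = false;
        Console.WriteLine($"[{Name}] commit, balance now {Balance}");
        enlistment.Done();
    }

    // Phase 2 (someone voted abort): discard the change.
    public void Rollback(Enlistment enlistment)
    {
        pending = 0; enlisted = false;
        Console.WriteLine($"[{Name}] rollback, balance still {Balance}");
        enlistment.Done();
    }

    // Prepared but never told the outcome: a real resource manager must keep
    // its prepared state (and locks) until the coordinator resolves it.
    public void InDoubt(Enlistment enlistment)
    {
        Console.WriteLine($"[{Name}] in doubt");
        enlistment.Done();
    }
}

static class TwoPhaseCommitDemo
{
    // Moves money between two accounts as one atomic unit; true if committed.
    public static bool Transfer(AccountResource from, AccountResource to, decimal amount)
    {
        try
        {
            using (var scope = new TransactionScope())
            {
                from.Debit(amount);
                to.Debit(-amount);
                scope.Complete();          // asks the transaction manager to run 2PC
            }                              // Dispose() drives prepare, then commit or rollback
            return true;
        }
        catch (TransactionAbortedException)
        {
            return false;                  // a participant voted abort in the prepare phase
        }
    }

    static void Main()
    {
        var checking = new AccountResource("checking", 100m);
        var savings = new AccountResource("savings", 0m);
        Transfer(checking, savings, 40m);    // both participants prepare and commit
        Transfer(checking, savings, 500m);   // checking votes abort; savings is rolled back
        // Consistency: whatever happened, the total is unchanged.
        Console.WriteLine($"total = {checking.Balance + savings.Balance}");
    }
}
```

Because the enlistments are volatile and there is no durable resource manager, the whole thing stays with the Lightweight Transaction Manager; add a second SQL connection inside the scope and the same code is transparently promoted to the DTC, which is when the cost of the two phases becomes noticeable.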
Transaction Flow Settings
The transaction flow settings for a service endpoint are the intersection of the following three values:
1. The TransactionFlowAttribute specified for each method in the service contract.
2. The TransactionFlow binding property of the specific binding.
3. The TransactionFlowProtocol binding property of the specific binding (exposed in code as the TransactionProtocol property of NetTcpBinding and NetNamedPipeBinding; WSHttpBinding always uses WS-AtomicTransaction).
The TransactionFlowProtocol binding property lets you choose between two transaction protocols for flowing a transaction, OleTx and WS-AtomicTransaction, which are described in a later section. The three values must agree: a contract operation marked Mandatory on a binding whose TransactionFlow property is false is rejected when the service host is opened.
What are the different transaction flow options available in WCF?
1. TransactionFlowOption.NotAllowed: This is the default. No transaction is propagated across the binding; if a client calls the WCF service from inside a transaction, that transaction is simply not flowed.
2. TransactionFlowOption.Allowed: The client may call the WCF service inside a transaction, but it is not compulsory; the service can be called without a transaction as well.
3. TransactionFlowOption.Mandatory: The client must call the WCF service inside a transaction. If the service is called without a transaction, the call is rejected with a FaultException.
Note that these options only control whether the client's transaction is propagated in the message headers. For the operation to actually execute inside the flowed transaction, it must also be marked with [OperationBehavior(TransactionScopeRequired = true)].
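The three flow options, the binding-side settings and the protocol choice from the two sections above, as an added example (not code from the original post): a contract with one operation per option, the OperationBehavior that makes the flowed transaction actually apply, a NetTcpBinding with flow enabled, and a client whose TransactionScope spans two calls. The contract, addresses and SKU values are placeholders.

```csharp
using System;
using System.ServiceModel;
using System.Transactions;

[ServiceContract]
public interface IOrderService
{
    // Default: a client transaction is never propagated; this operation always
    // runs outside the caller's transaction.
    [OperationContract]
    [TransactionFlow(TransactionFlowOption.NotAllowed)]
    void LogActivity(string text);

    // Optional: joins the caller's transaction if one is flowed, else runs alone.
    [OperationContract]
    [TransactionFlow(TransactionFlowOption.Allowed)]
    void ReserveStock(string sku, int qty);

    // Required: a call without a flowed transaction is rejected with a fault.
    [OperationContract]
    [TransactionFlow(TransactionFlowOption.Mandatory)]
    void ChargeCard(string card, decimal amount);
}

// Bound the time a remote caller can hold the service's locks open.
[ServiceBehavior(TransactionTimeout = "00:00:30")]
public class OrderService : IOrderService
{
    public void LogActivity(string text) => Console.WriteLine(text);

    // TransactionFlow only controls propagation. The operation also needs
    // TransactionScopeRequired = true to execute inside the flowed transaction;
    // TransactionAutoComplete (default true) votes commit when the method returns
    // normally and abort if it throws.
    [OperationBehavior(TransactionScopeRequired = true, TransactionAutoComplete = true)]
    public void ReserveStock(string sku, int qty)
    {
        Console.WriteLine($"reserve {qty} x {sku} in tx {Transaction.Current?.TransactionInformation.DistributedIdentifier}");
    }

    [OperationBehavior(TransactionScopeRequired = true)]
    public void ChargeCard(string card, decimal amount)
    {
        if (amount <= 0) throw new FaultException("invalid amount"); // aborts the flowed tx
        Console.WriteLine($"charge {amount} to card ending {card.Substring(card.Length - 4)}");
    }
}

public static class TransactionFlowDemo
{
    // Binding-side settings: attribute, TransactionFlow and protocol must agree.
    // With TransactionFlow = false the Mandatory operation above is rejected
    // when the host is opened.
    public static NetTcpBinding CreateBinding()
    {
        return new NetTcpBinding(SecurityMode.Transport)
        {
            TransactionFlow = true,
            // OleTx is the default for NetTcpBinding; WS-AT is the choice for
            // interop with non-Windows participants. WSHttpBinding always uses WS-AT.
            TransactionProtocol = TransactionProtocol.WSAtomicTransaction11
        };
    }

    public static void Client(string address)
    {
        var factory = new ChannelFactory<IOrderService>(CreateBinding(), address);
        IOrderService proxy = factory.CreateChannel();

        // The client's ambient transaction is flowed in the message headers of
        // ReserveStock and ChargeCard, but not LogActivity. If ChargeCard faults,
        // scope.Complete() is never reached and ReserveStock's work rolls back too.
        using (var scope = new TransactionScope())
        {
            proxy.LogActivity("starting order");
            proxy.ReserveStock("SKU-42", 2);
            proxy.ChargeCard("4111111111111111", 19.99m);
            scope.Complete();
        }

        // Calling the Mandatory operation with no ambient transaction is refused
        // before the method body runs (FaultException derives from CommunicationException).
        try { proxy.ChargeCard("4111111111111111", 1m); }
        catch (CommunicationException ex) { Console.WriteLine("rejected: " + ex.Message); }
    }
}
```

Flowing a transaction hands the remote caller control over when the service's database locks are released, so enable it only on authenticated endpoints and keep the service-side TransactionTimeout short; an unauthenticated client that can flow transactions can hold rows locked for as long as the timeout allows.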
What is a transaction manager?
Transaction manager: The transaction manager is responsible for coordinating the outcome of a transaction: committing all of the work if every participant succeeds, and rolling back all of the changes, to preserve data integrity, if an exception is thrown or any participant fails. It exposes an interface that resource managers enlist with to satisfy this requirement. A WCF application can end up using one of three transaction managers:
1. Lightweight Transaction Manager (LTM): Introduced in the .NET Framework 2.0 (System.Transactions), it uses the Lightweight Protocol; that is, it manages all transactions that use the Lightweight Protocol. It handles transactions confined to a single app domain with at most one durable resource manager, and has the lowest overhead.
2. Distributed Transaction Coordinator (DTC): Familiar to most developers and capable of managing transactions across process and machine boundaries. As such, it uses either the OleTx protocol or the WS-AT protocol. A transaction started under the LTM is automatically promoted to the DTC when a second durable resource manager enlists or when the transaction is flowed to another process or machine; promotion is transparent to the code but considerably more expensive.
3. Kernel Transaction Manager (KTM, also referred to as the Kernel Resource Manager): Introduced in Windows Vista and Windows Server 2008. It also uses the Lightweight Protocol, but additionally exposes the transactional file system (TxF) and transactional registry (TxR) on those platforms (both of which Microsoft has since deprecated).
What transaction protocols are available in WCF?
Lightweight Transaction Protocol:
1. The Lightweight protocol is used in a local context only, within a single app domain, to manage transactions.
2. There are no calls across app domains, so logically no client-to-service calls are involved.
3. The Lightweight protocol is used either purely inside a service or purely outside services; it never spans the call between them.
4. The Lightweight protocol yields the best performance compared with the other protocols.
OLE Transaction Protocol:
1. The OleTx protocol is used to propagate transactions across app domain, process and machine boundaries, and to manage the two-phase commit protocol.
2. The OleTx protocol is the standard for distributed transactions in a homogeneous (all-Windows) environment.
3. The protocol uses RPC calls, and the exact binary format of the calls is Windows-specific. As a result of both the use of RPC and the Windows-specific format, it cannot go across firewalls or interoperate with non-Windows parties.
Note: Whether some clients are on the same machine and others on other Windows machines does not matter here, because the OleTx protocol covers both cases.
WS-AtomicTransaction Protocol:
1. The WS-AtomicTransaction (WS-AT) protocol is a Web services industry standard that can be used over HTTP, including through a firewall.
2. It is similar in capabilities to the OleTx protocol, with one major difference: it can go across firewalls and interoperate with non-Windows parties.
3. It is a two-phase commit protocol that can propagate transactions across app domain, process and machine boundaries.
4. Because it is based on an industry standard and is carried in SOAP headers, it can go across firewalls when used over HTTP with text encoding. It requires the WS-AT support of MSDTC to be enabled and configured (including the certificate or Windows authentication used by its coordinator endpoint) on every participating machine, and it is slower than OleTx.
What is WCF transfer security? Explain the difference between message security and transport security.
Transfer security: WCF secures messages over the network. WCF gives you two options to implement transfer security: transport security and message security.
Transport security secures the entire communication channel (for example, with SSL/TLS over HTTPS, or Windows or SSL security over TCP), while message security secures each message individually using WS-Security (signing and encrypting the SOAP message itself).
Transport security is point-to-point: it protects one hop and is stripped by any intermediary (proxy, router, message queue) that terminates the connection, and it is faster because the operating system or hardware does the work. Message security is end-to-end: the protection travels with the message through intermediaries and persists if the message is stored, and it supports richer credential types, at a higher CPU cost. A third mode, TransportWithMessageCredential, uses the transport for confidentiality and integrity and carries the client credential inside the message.
Important Points
1. WCF supports a variety of authentication options, including username, Windows and certificate authentication. Depending on your authentication method, you can choose to authorize your users by using role-based security or resource-based security.
2. Use WCF impersonation and delegation to flow the identity and security context of the original client-side caller to the back end, in order to support a granular authorization approach.
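The two transfer-security modes side by side, as an added example that is not from the original post: the same WSHttpBinding built with no security (the weak setting), with transport security, with message security, and in the mixed mode, plus a host and client for the message-security case. It assumes the .NET Framework WCF assemblies; the certificate subject, address and credential names are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

public static class TransferSecurityBindings
{
    // Weak: no confidentiality, integrity or authentication at all. Anything on
    // the path can read and alter messages. Acceptable only inside one trusted host.
    public static WSHttpBinding None() => new WSHttpBinding(SecurityMode.None);

    // Transport security: the channel itself (HTTPS) is protected, hop by hop.
    // The endpoint address must be https://; here the client authenticates with
    // an X.509 certificate presented during the TLS handshake.
    public static WSHttpBinding Transport()
    {
        var b = new WSHttpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        return b;
    }

    // Message security: each SOAP message is signed and encrypted (WS-Security)
    // end to end, so it survives intermediaries and may travel over plain http://.
    public static WSHttpBinding Message()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        b.Security.Message.EstablishSecurityContext = true; // one key exchange, many calls
        return b;
    }

    // Mixed: TLS for confidentiality and integrity, a WS-Security header for
    // the client credential. The usual choice for username/password over HTTPS.
    public static WSHttpBinding Mixed()
    {
        var b = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return b;
    }
}

public static class SecureHostDemo
{
    // Host with message security. The service needs its own X.509 certificate
    // so clients can encrypt to it and verify its signatures.
    public static ServiceHost Open<TContract, TImpl>(string address, string certSubject)
    {
        var host = new ServiceHost(typeof(TImpl), new Uri(address));
        host.AddServiceEndpoint(typeof(TContract), TransferSecurityBindings.Message(), "");
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, certSubject);
        host.Open();
        return host;
    }

    // Client side. Never relax CertificateValidationMode to None outside a dev
    // box: with message security that turns the key exchange into one any
    // man-in-the-middle can complete, and the username/password go to him.
    public static TContract Connect<TContract>(string address, string user, string password)
    {
        var factory = new ChannelFactory<TContract>(TransferSecurityBindings.Message(), address);
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        return factory.CreateChannel();
    }
}
```

The practical test for which mode you need is to ask what sits between client and service: if a reverse proxy or a queue terminates the connection and you still need the message protected beyond it, transport security alone is not enough, whatever the binding's security mode says.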
Explain the security features?
Key Security Features: Any Service-Oriented Architecture (SOA) needs
to support security features that provide auditing, authentication,
authorization, confidentiality, and integrity for the messages exchanged
between the client and the service. Microsoft Windows Communication Foundation
(WCF) provides these security features by default for any application that is
built on top of the WCF framework.
Key security features include:
1. Auditing: Effective auditing and logging is the key to non-repudiation. Non-repudiation guarantees that a user cannot deny performing an operation or initiating a transaction.
2. Authentication: Authentication allows you to confidently identify the clients of your service. These might be end users, other services, processes or computers. WCF supports mutual authentication, which identifies both the client and the service in tandem, to help prevent man-in-the-middle attacks.
3. Authorization: Authorization determines what system resources and operations can be accessed by the authenticated user. This allows you to grant specific application and resource permissions to authenticated users.
4. Confidentiality: Confidentiality, also referred to as privacy, is the process of making sure that data remains private and cannot be viewed by unauthorized users. Encryption is frequently used to enforce confidentiality. Privacy is a key concern, particularly for data and messages passed across networks.
5. Integrity: Integrity is the guarantee that data is protected from accidental or deliberate modification. Like privacy, integrity is a key concern, particularly for data and messages passed across networks. Integrity for data in transit is typically provided by using hashing techniques, message authentication codes and digital signatures.
Scope of WCF Security
The fundamental security features above are covered by the following WCF features:
1. Transfer security: Responsible for providing message confidentiality, data integrity and authentication of the communicating parties.
2. Authorization: Responsible for providing a framework for making authorization decisions.
3. Auditing: Responsible for logging security-related events to the audit log.
WCF provides access to these features through binding and behavior configuration.
Bindings and Behaviors: When you create an overall security policy (for example, transfer security with authentication and authorization for your services) you use bindings and behaviors to configure the required settings. They are described as follows:
1. Bindings: Bindings control the security mode, the client credential type and other security settings.
2. Behaviors: Service behaviors control impersonation levels, how client credentials are authenticated and authorized, and service credentials.
What is authentication? Explain the difference between direct and brokered authentication in WCF.
Authentication: Authentication allows you to confidently identify the clients of your service. These might be end users, other services, processes or computers. WCF supports mutual authentication, which identifies both the client and the service in tandem, to help prevent man-in-the-middle attacks.
1. Direct Authentication:
Direct authentication is a pattern based on a trust relationship that exists between the service and the service consumer. This trust relationship allows the service to accept a claim of identity directly from the service consumer and validate this claim against information already owned by the service.
Example: The human end user supplies the credentials to the desktop application acting as the service consumer. These credentials are validated against a data store under the control of the service.
This approach is reminiscent of traditional authentication mechanisms used in point-to-point data exchange, and is therefore common with single service-consumer message exchanges.
2. Brokered Authentication:
The service consumer is responsible for establishing an identity with the authentication broker, and this same authentication broker has a trust relationship with the service.
Example: When the service consumer is ready to access the service, it presents its credentials to the authentication broker. The authentication broker returns to the consumer a security token that represents a claim of identity. This security token most likely contains some proof of the relationship between the broker and the consumer, which the service uses to validate the trust relationship (between the broker and the consumer).
What determines the authentication pattern in WCF?
The choice between direct and brokered authentication is driven by:
1. The type and location of the existing credential store used within the service inventory.
2. The trust boundaries associated with the service.
3. The constraints applied to authorization.
What are authentication, authorization and access control?
1. Authentication: The process by which you verify that someone is who they claim to be.
2. Authorization: The process of establishing whether the user (who is already authenticated) is permitted to access a resource; authorization determines what a user is and is not allowed to do.
3. Access Control: The process of enforcing the required security for a particular resource.
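The three concepts as they appear in one WCF service, together with the binding/behavior split described earlier, as an added example that is not from the original post: the binding authenticates the caller (Windows credentials over TCP), a PrincipalPermission attribute and a ServiceAuthorizationManager make and enforce the authorization decision, and the denial is logged so the audit trail exists. It assumes the .NET Framework WCF assemblies; the contract, the group name and the address are placeholders.

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;

[ServiceContract]
public interface IPayroll
{
    [OperationContract] decimal GetSalary(string employeeId);
    [OperationContract] void SetSalary(string employeeId, decimal salary);
}

public class PayrollService : IPayroll
{
    // Declarative access control: the runtime checks the caller's roles before
    // the method body runs and returns an access-denied fault otherwise.
    // "CORP\HR" is a placeholder Windows group.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CORP\HR")]
    public decimal GetSalary(string employeeId) => 50000m;

    [PrincipalPermission(SecurityAction.Demand, Role = @"CORP\HR")]
    public void SetSalary(string employeeId, decimal salary)
    {
        // Imperative check for a rule roles cannot express: nobody edits their own record.
        string who = ServiceSecurityContext.Current.PrimaryIdentity.Name; // authenticated identity
        if (string.Equals(who, employeeId, StringComparison.OrdinalIgnoreCase))
            throw new FaultException("cannot change your own salary");
        Console.WriteLine($"{who} set salary of {employeeId} to {salary}");
    }
}

// A custom ServiceAuthorizationManager runs before any operation and can deny
// the whole call. This one rejects unauthenticated callers and records every
// denial, which is the audit trail non-repudiation depends on.
public class PayrollAuthorizationManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext ctx)
    {
        IIdentity id = ctx.ServiceSecurityContext.PrimaryIdentity;
        string action = ctx.IncomingMessageHeaders.Action;
        if (!id.IsAuthenticated)
        {
            Console.WriteLine($"DENY anonymous -> {action}");
            return false;
        }
        Console.WriteLine($"ALLOW {id.Name} -> {action}");
        // The per-operation decision is left to the PrincipalPermission attributes.
        return base.CheckAccessCore(ctx);
    }
}

public static class PayrollHost
{
    public static ServiceHost Open(string address)
    {
        var host = new ServiceHost(typeof(PayrollService), new Uri(address));

        // Binding: who the caller is (authentication).
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        host.AddServiceEndpoint(typeof(IPayroll), binding, "");

        // Behavior: how the authenticated identity is mapped to roles and who
        // decides access (authorization). UseWindowsGroups makes the caller's
        // group membership visible to PrincipalPermission.
        var auth = host.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
        auth.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;
        auth.ServiceAuthorizationManager = new PayrollAuthorizationManager();

        host.Open();
        return host;
    }
}
```

Keep the authorization decision in one place (the manager or the attributes) rather than scattering identity checks through operation bodies; the imperative check in SetSalary is the exception for a rule that is about the data, not the role.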
What are Basic, Digest and Windows Authentication?
Basic Authentication
1. Basic authentication is part of the HTTP 1.0 protocol specification (RFC 1945; now RFC 7617), which means it works with any browser type.
2. Basic authentication provides a simple mechanism for transmitting user credentials (a user ID and password) from a browser to a Web server, in the Authorization request header.
3. Credential information transferred with Basic authentication is not secure; it is just base64 encoded, which anyone on the path can decode, and it is resent with every request. Therefore it is recommended to use the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols to secure Basic authentication HTTP traffic.
Uses of Basic Authentication (IIS)
1. When you use Basic authentication to access a Web resource, you can configure the default domain and realm at the bottom of the Internet Services Manager (ISM) Authentication Methods dialog box.
2. With Basic authentication, the user can supply a domain by prefixing the user name with it (domain\username); otherwise IIS uses the configured default domain. The realm is a label for the protection space: IIS sends it in the WWW-Authenticate challenge and the browser shows it in the login dialog. In IIS it is set per level of the metabase hierarchy.
3. By default, the realm is the IIS computer name, which applies to all levels of the IIS metabase hierarchy.
4. When you specify a custom realm for a Web resource, it automatically appears in the Basic authentication dialog box for that resource.
Digest Authentication
1. Digest authentication was first specified for HTTP 1.1 in RFC 2069 and revised in RFC 2617, which defines both Basic and Digest authentication; RFC 7616 later updated it to allow SHA-256.
2. Like NT LAN Manager (NTLM) authentication, Digest authentication uses a challenge/response method. Its key advantage over Basic authentication is that the password never travels over the network: the client sends an MD5 digest (128 bits; SHA-256 with RFC 7616) computed over the user name, realm, password, the server's nonce, and the request method and URI, so an eavesdropper sees only a hash bound to that nonce and request. It is still weaker than it sounds: MD5 is cheap to brute force offline, the digest covers the request line and not the body, and the server must store either the plaintext password or the equivalent MD5(user:realm:password) value, so TLS remains advisable.
3. Not all browser and Web server types and versions supported HTTP 1.1 and Digest authentication at the time of writing; on the Microsoft side, only IE 5.0 and later and Internet Information Services (IIS) 5.0 and later provided support.
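What an observer on the wire sees with Basic versus Digest, as an added example that is not from the original post: the Basic header is decoded back to the password, while the Digest response is computed client-side and verified server-side (RFC 2617, qop=auth) without the password ever being sent. The Digest inputs are the worked example from RFC 2617 section 3.5, whose listed response is 6629fae49393a05397450978507c4ef1; the Basic user name and password are constructed. MD5 is used because that is what RFC 2617 specifies, not as a recommendation.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class HttpAuthDemo
{
    // Basic: the "credential" is base64(user:password). Any on-path observer
    // recovers it with one decode, which is why Basic needs TLS underneath.
    public static string BasicHeader(string user, string password) =>
        "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes(user + ":" + password));

    public static (string User, string Password) DecodeBasic(string header)
    {
        string raw = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring("Basic ".Length)));
        int colon = raw.IndexOf(':');
        return (raw.Substring(0, colon), raw.Substring(colon + 1));
    }

    static string Md5Hex(string s)
    {
        using (var md5 = MD5.Create())
            return BitConverter.ToString(md5.ComputeHash(Encoding.UTF8.GetBytes(s))).Replace("-", "").ToLowerInvariant();
    }

    // Digest, qop=auth (RFC 2617): HA1 = MD5(user:realm:password),
    // HA2 = MD5(method:uri), response = MD5(HA1:nonce:nc:cnonce:qop:HA2).
    // Only 'response' crosses the wire; the password stays on the client.
    public static string DigestResponse(string user, string realm, string password,
        string method, string uri, string nonce, string nc, string cnonce)
    {
        string ha1 = Md5Hex($"{user}:{realm}:{password}");
        string ha2 = Md5Hex($"{method}:{uri}");
        return Md5Hex($"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}");
    }

    // Server side: it stores HA1 (a password-equivalent, so protect it like one)
    // and recomputes the response for the nonce it issued.
    public static bool VerifyDigest(string storedHa1, string method, string uri,
        string nonce, string nc, string cnonce, string response)
    {
        string ha2 = Md5Hex($"{method}:{uri}");
        string expected = Md5Hex($"{storedHa1}:{nonce}:{nc}:{cnonce}:auth:{ha2}");
        return FixedTimeEquals(expected, response);
    }

    // Constant-time comparison so response timing does not reveal matching prefixes.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Basic: everything is recoverable from the header (constructed values).
        string basic = BasicHeader("alice", "s3cret");
        var creds = DecodeBasic(basic);
        Console.WriteLine($"{basic}  ->  user={creds.User} password={creds.Password}");

        // Digest: the RFC 2617 section 3.5 example values.
        const string user = "Mufasa", realm = "testrealm@host.com", password = "Circle Of Life";
        const string nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", nc = "00000001", cnonce = "0a4f113b";
        string response = DigestResponse(user, realm, password, "GET", "/dir/index.html", nonce, nc, cnonce);
        Console.WriteLine($"Digest response={response}");

        string ha1 = Md5Hex($"{user}:{realm}:{password}");
        Console.WriteLine("valid:  " + VerifyDigest(ha1, "GET", "/dir/index.html", nonce, nc, cnonce, response));
        // A replay against a different server nonce fails, which is the point of the nonce.
        Console.WriteLine("replay: " + VerifyDigest(ha1, "GET", "/dir/index.html", "fresh-nonce", nc, cnonce, response));
    }
}
```

The server-side verify only holds up if the server also checks that the nonce is one it issued recently and that the nonce count (nc) increases; without that, a captured response can be replayed for as long as the nonce is accepted.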
Windows Authentication
1. Integrated Windows authentication uses NTLM by default in older IIS versions, or the Negotiate package, which prefers Kerberos. It can be used over either HTTP or HTTPS.
2. As with Digest authentication, Integrated Windows authentication never transmits the password in the clear and therefore does not strictly require SSL/TLS. TLS is still recommended: NTLM challenge/response pairs captured from the wire can be cracked offline, an attacker on the path can relay the NTLM exchange to another server, and nothing in the authentication protects the request body.
3. IIS uses HTTP to transport Integrated Windows authentication messages in a Web environment, instead of the remote procedure call (RPC) protocol.
4. NTLM authenticates the TCP connection rather than each request, so it requires a point-to-point connection between the browser and the Web server and does not work across HTTP proxies that do not preserve that connection.
5. Unless the user can use his or her current logon credentials to authenticate to the Web server, Integrated Windows authentication produces the usual authentication dialog box on the browser side.
6. Windows authentication is implemented by Security Support Providers (SSPs): NTLM (the default in older IIS versions), Kerberos, and Negotiate, which selects Kerberos when both sides can use it and falls back to NTLM otherwise.
What is the key difference between NTLM and Kerberos?
1. NTLM uses a challenge/response mechanism in which the server challenges the client on every new connection and, for domain accounts, passes the response through to a domain controller for verification. Kerberos uses a ticket system: the client authenticates once to the Key Distribution Center (KDC) to obtain a ticket-granting ticket, then obtains a service ticket per service, which the service validates with its own key without contacting the domain controller for every request. Kerberos also provides mutual authentication and supports delegation (the service can act as the client toward a back-end service); NTLM does not.
2. Kerberos requires a domain controller (the KDC), a domain-joined client and clocks synchronised within the permitted skew; NTLM works without these, for example with local accounts or from outside the domain, which is why Negotiate falls back to it.
3. Kerberos requires a unique Service Principal Name (SPN) to be registered for the account the application pool runs under; a missing or duplicated SPN makes clients silently fall back to NTLM. NTLM needs no SPN.
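The SPN, the Kerberos-or-NTLM question and the impersonation/delegation point from the "Important Points" above, in one WCF endpoint, as an added example that is not from the original post: the client names the SPN it expects the service to run under and states how far its identity may be used; the service reports which package actually authenticated the caller and refuses delegated file access unless it was Kerberos. It assumes the .NET Framework WCF assemblies; the contract, address, SPN and folder are placeholders.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IFileGateway
{
    [OperationContract] string WhoAmI();
    [OperationContract] string[] ListFiles(string folder);
}

public class FileGateway : IFileGateway
{
    // Reports the package that produced the caller's token: "Kerberos" or "NTLM".
    // NTLM here usually means a missing or duplicated SPN, a non-domain client,
    // or clock skew beyond the Kerberos tolerance; Negotiate falls back silently.
    public string WhoAmI()
    {
        WindowsIdentity id = ServiceSecurityContext.Current.WindowsIdentity;
        return $"{id.Name} via {id.AuthenticationType}";
    }

    // Impersonation: the operation runs under the caller's token, so the file
    // system sees the original user, not the service account. Reaching a second
    // hop (a share on another machine) needs Kerberos delegation configured for
    // the service account; an NTLM token cannot be forwarded, so that hop fails.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string[] ListFiles(string folder)
    {
        string package = ServiceSecurityContext.Current.WindowsIdentity.AuthenticationType;
        if (!package.Equals("Kerberos", StringComparison.OrdinalIgnoreCase))
            throw new FaultException("Kerberos required for delegated access, got " + package);
        return Directory.GetFiles(folder);
    }
}

public static class FileGatewayClient
{
    public static IFileGateway Connect(string address, string spn)
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;

        // The SPN the service runs under, e.g. "host/appserver.corp.example" for a
        // machine account or a custom SPN registered on the app-pool account.
        // Naming it lets the client request a Kerberos ticket for that exact
        // principal (mutual authentication); a wrong SPN downgrades to NTLM.
        var endpoint = new EndpointAddress(new Uri(address), EndpointIdentity.CreateSpnIdentity(spn));
        var factory = new ChannelFactory<IFileGateway>(binding, endpoint);

        // The client decides how far its identity may travel: Impersonation lets
        // the service act as the caller on its own machine; Delegation is needed
        // for the service to authenticate onward to another server as the caller.
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Delegation;
        return factory.CreateChannel();
    }
}
```

Grant Delegation only to services that genuinely need the second hop, and prefer constrained delegation on the service account in Active Directory so the forwarded identity can reach the named back end and nothing else.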