Welcome to Windows Communication Foundation (WCF)

Posts tagged Orcas » Security

  • Messaging Additions in Orcas, Part 2

    Continuing on with the theme of messaging additions in Orcas, today I'll look at some more of the protocols and community-driven features that were added.

    WS-AtomicTransaction 1.1. Transactions tie together multiple participants in a distributed application. The framework of transactions is built on various coordination protocols between the parties. A transaction is a kind of coordination in which either all of the parties perform an action or none of them does.

    Validation for issued token certificates. We've added support for configuring the certificate validation policy for issued token authentication, similar to the configuration that already exists for the other certificates used as service credentials.

    Flowing SAML tokens. We've added support for flowing a SAML assertion without having to re-sign the token, which allows these assertions to be handled by proxies and other intermediaries without special configuration.

    Using message contents for authorization. We've added support to ServiceAuthorizationManager for performing access checks that make use of the body of the message, not just the headers and the caller's claims.

    WS-SecureConversation 1.3. A secure conversation is an exchange of multiple protected messages. Using a conversation mechanism allows a security context to be established once and reused across several messages, so each message is protected with keys derived from that context rather than having to exchange security keys with every message.

    WS-Trust 1.3. Building a secure conversation requires that the two parties exchange security credentials. To perform this exchange, the two parties need to establish a trust relationship in which each side can evaluate the assertions made by the other.

    The protocols I've talked about today and last time are available through the new WS2007HttpBinding and WS2007FederationHttpBinding, which update the previous web service standard bindings (WSHttpBinding and WSFederationHttpBinding) to these protocol versions.

    Next time: Messaging Additions in Orcas, Part 3
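The body-based access check described above, as an added example that is not the post's own code. It overrides the CheckAccess(OperationContext, ref Message) overload that carries the message, buffers the body so the service still receives an intact message, and denies the call unless the authenticated caller owns the account named in the body. Assumed for illustration: a hypothetical Withdraw operation in namespace urn:example:bank whose body carries an accountId element, a constructed in-memory account-to-owner table, and Windows-style account names; none of these come from the post.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Xml;

// Added example (not the post's code). The contract name, namespace and the
// account-to-owner table below are assumptions made for illustration.
public class AccountOwnerAuthorizationManager : ServiceAuthorizationManager
{
    const string BankNs = "urn:example:bank";   // assumed contract namespace
    const int MaxBodyBytes = 64 * 1024;          // cap on what we buffer for the check

    // Constructed sample data standing in for a real account store.
    static readonly Dictionary<string, string> AccountOwners =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "ACC-1001", "CONTOSO\\alice" },
            { "ACC-1002", "CONTOSO\\bob" },
        };

    // Orcas added this overload so the message (and its body) is available to the check.
    public override bool CheckAccess(OperationContext operationContext, ref Message message)
    {
        // Run the normal claim/identity evaluation first; it also populates
        // operationContext.ServiceSecurityContext, which the body check relies on.
        if (!base.CheckAccess(operationContext, ref message))
            return false;

        try
        {
            // A Message can be read only once. Buffer it, hand a fresh copy back
            // to the dispatcher, and inspect a second copy ourselves.
            using (MessageBuffer buffer = message.CreateBufferedCopy(MaxBodyBytes))
            {
                message = buffer.CreateMessage();
                using (Message copy = buffer.CreateMessage())
                {
                    if (copy.IsEmpty)
                        return true;    // nothing in the body to authorize against

                    using (XmlDictionaryReader body = copy.GetReaderAtBodyContents())
                        return CheckBody(operationContext.ServiceSecurityContext, body);
                }
            }
        }
        catch (QuotaExceededException)
        {
            return false;   // body larger than MaxBodyBytes: fail closed, don't skip the check
        }
        catch (XmlException)
        {
            return false;   // malformed body: fail closed
        }
    }

    static bool CheckBody(ServiceSecurityContext securityContext, XmlDictionaryReader body)
    {
        // Only Withdraw carries an account id; other operations rely on the
        // claim-based checks already performed by the base class.
        if (!body.IsStartElement("Withdraw", BankNs))
            return true;

        body.ReadStartElement("Withdraw", BankNs);
        while (body.IsStartElement())
        {
            if (body.IsStartElement("accountId", BankNs))
                return IsOwner(securityContext, body.ReadElementContentAsString());
            body.Skip();    // some other parameter, not relevant to this check
        }
        return false;       // no account id present: deny
    }

    static bool IsOwner(ServiceSecurityContext securityContext, string accountId)
    {
        if (securityContext == null || securityContext.IsAnonymous)
            return false;

        string owner;
        return AccountOwners.TryGetValue(accountId, out owner)
            && string.Equals(owner, securityContext.PrimaryIdentity.Name,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

Register the manager with `host.Authorization.ServiceAuthorizationManager = new AccountOwnerAuthorizationManager();` or through the `serviceAuthorizationManagerType` attribute of the `serviceAuthorization` behavior. The check is only as trustworthy as the integrity protection on the body it reads, so pair it with a binding that signs the body (message security) or protects the whole channel (transport security); a quota failure or unparseable body is treated as a denial rather than a pass.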
  • Partial Trust Binding Black List

    Partial trust support in WCF is an Orcas feature that allows clients and services to be run in an environment with restricted permissions. WCF is part of a fully trusted installation, so by default partially trusted callers are not allowed to call into the assembly. However, there is a standard mechanism to change that, which is to mark the assembly with the AllowPartiallyTrustedCallers attribute. Once an assembly is marked, it becomes the responsibility of that code to make sure that partially trusted callers can't do bad things through the exposed API of the fully trusted assembly.

    To implement this restriction, one of the things WCF does is limit the bindings that you can build using the out-of-the-box components. Custom components are not covered by these lists and are not automatically allowed; they would have to join the same security model and do their own validation before they could be used. There are two rounds of checks: first to knock out the bindings that are not safe for partially trusted callers, and then to knock out the binding elements.

    WCF ships with 15 bindings (plus custom binding) in the box for Orcas. Of these, eight immediately get knocked out:

      • MsmqIntegrationBinding
      • NetMsmqBinding
      • NetNamedPipeBinding
      • NetPeerTcpBinding
      • NetTcpBinding
      • WSDualHttpBinding
      • WS2007FederationHttpBinding
      • WSFederationHttpBinding

    Then, any binding that contains one of these binding elements gets knocked out, whether it is a standard binding whose settings pull the element in or a custom binding assembled by hand:

      • AsymmetricSecurityBindingElement
      • CompositeDuplexBindingElement
      • MsmqTransportBindingElement
      • MtomMessageEncodingBindingElement
      • NamedPipeTransportBindingElement
      • OneWayBindingElement
      • PeerCustomResolverBindingElement
      • PeerTransportBindingElement
      • PnrpPeerResolverBindingElement
      • ReliableSessionBindingElement
      • SymmetricSecurityBindingElement
      • TcpTransportBindingElement
      • TransportSecurityBindingElement

    That basically leaves the following standard bindings able to operate: BasicHttpBinding, BasicHttpContextBinding, WebHttpBinding, WSHttpBinding, WSHttpContextBinding, and WS2007HttpBinding. The WSHttp bindings will be quite limited because many of their features are blocked by the binding element checks: message security brings in a symmetric or asymmetric security binding element, transport security with message credentials brings in TransportSecurityBindingElement, reliable sessions bring in ReliableSessionBindingElement, and MTOM encoding brings in MtomMessageEncodingBindingElement. With the two lists above you can work out all of the supported binding configurations yourself, even if you still haven't read the partial trust feature compatibility guide.

    Next time: Built In ServiceHost Validation Behaviors
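The two-round check described above, written out as an added example so a binding can be audited before it is deployed under partial trust. This is not WCF's own implementation, which lives inside the framework; it is an illustrative model built from the two lists in the post, and it treats a subclass of a blocked type as blocked (an assumption made here). The sample bindings in Main are constructed to show why the WSHttp bindings end up so limited: the default WSHttpBinding uses message security and therefore contains a SymmetricSecurityBindingElement, while the same binding with transport security passes until reliable session is switched on.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.MsmqIntegration;

// Added example, not WCF's enforcement code. Mirrors the two rounds the post
// describes: blocked binding types first, then blocked binding elements.
public static class PartialTrustBindingCheck
{
    // Round 1: standard bindings that are knocked out immediately.
    static readonly Type[] BlockedBindings =
    {
        typeof(MsmqIntegrationBinding), typeof(NetMsmqBinding),
        typeof(NetNamedPipeBinding),    typeof(NetPeerTcpBinding),
        typeof(NetTcpBinding),          typeof(WSDualHttpBinding),
        typeof(WS2007FederationHttpBinding), typeof(WSFederationHttpBinding),
    };

    // Round 2: any binding containing one of these elements is knocked out.
    static readonly Type[] BlockedElements =
    {
        typeof(AsymmetricSecurityBindingElement), typeof(CompositeDuplexBindingElement),
        typeof(MsmqTransportBindingElement),      typeof(MtomMessageEncodingBindingElement),
        typeof(NamedPipeTransportBindingElement), typeof(OneWayBindingElement),
        typeof(PeerCustomResolverBindingElement), typeof(PeerTransportBindingElement),
        typeof(PnrpPeerResolverBindingElement),   typeof(ReliableSessionBindingElement),
        typeof(SymmetricSecurityBindingElement),  typeof(TcpTransportBindingElement),
        typeof(TransportSecurityBindingElement),
    };

    // Returns null when the binding passes both rounds, otherwise the reason it is blocked.
    // Assumption: a subclass of a blocked type is treated as blocked too.
    public static string WhyBlocked(Binding binding)
    {
        foreach (Type blocked in BlockedBindings)
            if (blocked.IsInstanceOfType(binding))
                return "binding type " + blocked.Name + " is not allowed in partial trust";

        // CreateBindingElements expands the binding into its element stack, so a
        // "safe" standard binding still fails when a setting pulls in a blocked element.
        foreach (BindingElement element in binding.CreateBindingElements())
            foreach (Type blocked in BlockedElements)
                if (blocked.IsInstanceOfType(element))
                    return "binding element " + element.GetType().Name + " is not allowed in partial trust";

        return null;
    }

    static void Main()
    {
        // Constructed sample bindings chosen to exercise both rounds.
        var cases = new Dictionary<string, Binding>
        {
            { "BasicHttpBinding (defaults)",                        new BasicHttpBinding() },
            { "BasicHttpBinding with MTOM",                         new BasicHttpBinding { MessageEncoding = WSMessageEncoding.Mtom } },
            { "WSHttpBinding (defaults: message security)",         new WSHttpBinding() },
            { "WSHttpBinding, transport security",                  new WSHttpBinding(SecurityMode.Transport) },
            { "WSHttpBinding, transport security + reliable session", new WSHttpBinding(SecurityMode.Transport, true) },
            { "NetTcpBinding",                                      new NetTcpBinding() },
        };

        foreach (KeyValuePair<string, Binding> c in cases)
            Console.WriteLine("{0}: {1}", c.Key, WhyBlocked(c.Value) ?? "allowed");
    }
}
```

Running the check over a CustomBinding works the same way, since round two only looks at the element stack; that is what makes a hand-assembled binding with an HTTP transport but a ReliableSessionBindingElement fail even though no blocked binding type is involved.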

Copyright © 2006 Microsoft Corporation. All Rights Reserved.