Any Service-Oriented Architecture (SOA) needs to support security features that provide auditing, authentication, authorization, confidentiality, and integrity for the messages exchanged between the client and the service. Windows Communication Foundation (WCF) provides these security features by default for any application that is built on top of the WCF framework.
Key security features include:
• Auditing - Effective auditing and logging is the key to non-repudiation. Non-repudiation guarantees that a user cannot deny performing an operation or initiating a transaction.
• Authentication - Authentication allows you to confidently identify the clients of your service. These might be end users, other services, processes, or computers. WCF supports mutual authentication, which identifies both the client and the service in tandem, to help in preventing man-in-the-middle attacks
• Authorization - Authorization determines what system resources and operations can be accessed by the authenticated user. This allows you to grant specific application and resource permissions for authenticated users.
• Confidentiality - Confidentiality, also referred to as privacy, is the process of making sure that data remains private and confidential, and that it cannot be viewed by unauthorized users. Encryption is frequently used to enforce confidentiality. Privacy is a key concern, particularly for data / messages passed across networks.
• Integrity - Integrity is the guarantee that data is protected from accidental or deliberate modification. Like privacy, integrity is a key concern, particularly for data / messages passed across networks. Integrity for data in transit is typically provided by using hashing techniques and message authentication codes.
Scope of WCF Security
The above fundamental security features are covered in the following WCF features:
• Transfer security. Responsible for providing message confidentiality, data integrity, and authentication of communicating parties.
• Authorization. Responsible for providing a framework for making authorization decisions.
• Auditing. Responsible for logging security-related events to the audit log.
No comments:
Post a Comment