Using WCF Sessions for Security State in a Smart Client app

 
 
11-26-2007   #1
NonNB (Guest)

Using WCF Sessions for Security State in a Smart Client app

Hi

I would value your advice whether it is advisable to 'man handle' the
WCF Session {ServiceContract (Session=true)} for the purpose of a
custom security session.

We are using WCF for a Smart Client development (WCF splits the SC
presentation from the Back end SOA style Service Layer)
Despite the Smart Client, we will likely use a connectionless binding
(e.g. Web Service), which will allow for easy reuse of the Services by
Other clients (e.g. for EAI or Portal expansion later on), scalability
etc.

It seems that WCF session isn't quite an ASP.NET Session
http://msdn2.microsoft.com/en-us/library/ms731193.aspx

Would it be advisable to try and re-use the WCF session for this
purpose, given that:
=> We would still want to retain a logical Security "Session" on the
Server for each Client connection, primarily for low level security
'state' such as caching of Security / Authentication info, inactivity
expiry, tying the Client's session endpoint to a single IP etc.
=> We do not want to be reliant on the IIS / ASP Session State for
this (i.e. must be available on e.g. Windows Service hosted Services)
=> We can probably live with only "Synchronous" / blocking
communication from each client (although multiple clients will connect
simultaneously)
=> We need to reuse the same session across multiple Service Contracts
- from the sounds of it, every time the Client's Service Proxy is
closed, the session ends (can we e.g. take the Session obtained e.g.
from an "Login" Service on an IAuthentication contract and then
'inject it' into subsequent calls into other, different, contracts ?)
?

Ideally we would like:
Client -> Server : Authenticate
Server -> Client : Authenticated OK, here's a Session
Client -> Server : (on all subsequent WCF service calls, on different
Services / Contracts) DoSomething1(), DoSomething2() -Each time,
adding in the session obtained
Client -> Server : Logout

Thanks in advance

Stuart

12-01-2007   #2
Tiago Halm (Guest)

Re: Using WCF Sessions for Security State in a Smart Client app

For your scenario, and if you need the client to contact any contracts or
services within the same "logon" session, I would advise the use of SAML.
Think of SAML as Kerberos, where the client contacts an issuer (KDC) which
in itself is a WebService operation with the only purpose of gathering your
credentials and providing you with a Security Token (SAML in this case) with
a certain lifetime and an authenticator only decryptable by the destination
webservice(s) which your client will contact further on.

client => Issuer (sends credentials)
client <= Issuer (gets SAML)
client => svc1 (sends SAML + operation call)
client <= svc1 (gets result)
client => svc2 (sends SAML + operation call)
client <= svc2 (gets result)
....
[the SAML will expire based on its lifetime]

Basically, an ASP session is associated with a VDir (always checked InProc), an
ASPX session can be associated with a VDir (when InProc) or with a SQLServer
(SQLCluster mode). It's the backends that truly hold all the information to
the session and the storage for that session is either in memory or in SQL
Server.

A SAML token is a ticket a client asks an Issuer for and the SAML holds all
the needed information required to be validated ... there is no external
storage associated. Afterwards the client is free to call any WebService
that can validate that SAML token, where the SAML token will represent the
credentials the client is sending. Of course, the Issuer and WebServices
contacted afterwards have a sort of agreement, where the Issuer not only
validates the client credentials but also knows how to insert data only
viewable and verifiable by the WebServices contacted afterwards.

While trying to provide you with information I may have created more
confusion, but the focus is on understanding the "session" concept you need
here. WCF gives you a lot of functionality, but its essence is based in the
WS-* standards which in themselves present a multitude of options for the
majority of business scenarios already out there.

Hope it helps

Tiago Halm

"NonNB" <nonamebrande@xxxxxx> wrote in message
news:27b73bd3-bd7f-49c4-8ca8-79d8cbbba236@xxxxxx
Quote:

> Hi
>
> I would value your advice whether it is advisable to 'man handle' the
> WCF Session {ServiceContract (Session=true)} for the purpose of a
> custom security session.
>
> We are using WCF for a Smart Client development (WCF splits the SC
> presentation from the Back end SOA style Service Layer)
> Despite the Smart Client, we will likely use a connectionless binding
> (e.g. Web Service), which will allow for easy reuse of the Services by
> Other clients (e.g. for EAI or Portal expansion later on), scalability
> etc.
>
> It seems that WCF session isn't quite an ASP.NET Session
> http://msdn2.microsoft.com/en-us/library/ms731193.aspx
>
> Would it be advisable to try and re-use the WCF session for this
> purpose, given that:
> => We would still want to retain a logical Security "Session" on the
> Server for each Client connection, primarily for low level security
> 'state' such as caching of Security / Authentication info, inactivity
> expiry, tying the Client's session endpoint to a single IP etc.
> => We do not want to be reliant on the IIS / ASP Session State for
> this (i.e. must be available on e.g. Windows Service hosted Services)
> => We can probably live with only "Synchronous" / blocking
> communication from each client (although multiple clients will connect
> simultaneously)
> => We need to reuse the same session across multiple Service Contracts
> - from the sounds of it, every time the Client's Service Proxy is
> closed, the session ends (can we e.g. take the Session obtained e.g.
> from an "Login" Service on an IAuthentication contract and then
> 'inject it' into subsequent calls into other, different, contracts ?)
> ?
>
> Ideally we would like:
> Client -> Server : Authenticate
> Server -> Client : Authenticated OK, here's a Session
> Client -> Server : (on all subsequent WCF service calls, on different
> Services / Contracts) DoSomething1(), DoSomething2() -Each time,
> adding in the session obtained
> Client -> Server : Logout
>
> Thanks in advance
>
> Stuart

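The issuer/token flow described in the reply above, as an added Python sketch that is not part of the original posts: an HMAC-signed JSON token stands in for SAML (which uses signed XML assertions), so the claims are integrity-protected but not encrypted. The shared key, the credentials and the service names `svc1`/`svc2` are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Assumption: issuer and services share this key out of band (the "agreement"
# between Issuer and WebServices). Real SAML uses XML signatures instead.
SHARED_KEY = b"constructed-demo-key-not-for-production"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def sign(body: str) -> str:
    return b64url(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())

def issue_token(user, password, audiences, lifetime_s=300, now=None):
    """Issuer: check credentials once, return a signed, time-limited token."""
    if (user, password) != ("stuart", "constructed-password"):  # demo credential check
        raise PermissionError("bad credentials")
    now = time.time() if now is None else now
    claims = {"sub": user, "aud": sorted(audiences), "exp": now + lifetime_s}
    body = b64url(json.dumps(claims, sort_keys=True).encode())
    return body + "." + sign(body)

def validate_token(token, service_name, now=None):
    """Service: verify signature, audience and lifetime; no session store."""
    now = time.time() if now is None else now
    body, sep, sig = token.partition(".")
    if not sep:
        raise PermissionError("malformed token")
    # Constant-time comparison; reject before parsing any untrusted claims.
    if not hmac.compare_digest(sig.encode(), sign(body).encode()):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if service_name not in claims["aud"]:
        raise PermissionError("token not issued for this service")
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    return claims["sub"]

def call_service(service_name, token, operation, now=None):
    """Every call carries the token; the service keeps no per-client state."""
    user = validate_token(token, service_name, now)
    return f"{service_name}.{operation} ok for {user}"
```

Because nothing is stored server-side, logout and inactivity expiry cannot revoke a token early in this sketch; a short lifetime is the only bound unless the services also consult a revocation list.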
12-04-2007   #3
NonNB (Guest)

Re: Using WCF Sessions for Security State in a Smart Client app

Thanks for pointing me in this direction Tiago

You are 100% right, security is an enterprise consideration, not a
"per system" one and the session is not necessarily restricted to just
the one server.

http://weblogs.asp.net/cibrax/archiv...27/441227.aspx
http://msdn.microsoft.com/msdnmag/is...s/default.aspx

Regards

Stuart
 
