I have read in Training Kit of MS -WCF that all the bindings by default provide network security that is developer has to do nothing for implementing security.
I have one query over this :- I have used netTcpBinding and i sen开发者_C百科d various objects from client to server. When sending objects we send a special guid in one of the properties of object which we again verify at Server before processing the request.
I will like to know what all vulnerabilities are involved, if do not do anything explicitly for Security, that is no transport level security is applied.
One more point we are using NetTcpBinding at Internet.
netTcpBinding is normally used for Intranet where you are likely to have point to point comms so transport security is probably adequate. If you are operating over the web then you will want to enable Message level security to secure the end to end traffic (transport security will only secure the content for 1 hop). The default security for netTcpBinding is transport security so you need to change this. In both cases message privacy (encryption), integrity(against tampering) and partial authentication is achieved. NetTcpBinding I believe defaults to Windows authentication - so you will need an account in a domain or actually on the Service machine (if operating in a Workgroup) matching the Windows credentials of the client. Note that you can programmatically change request the credentials from the client and set them programmatically before opening the client proxy if need be. Also enable reliable messaging.
精彩评论