共用方式為


WCF Hello World, Part 3: Enabling Security

Over the last two days we've looked at building a simple client and server that directly use the channel model.  You can check out both the code and what gets sent over the network in those articles.  I concluded yesterday with the question, what if you don't want people to be able to simple read your messages off of the network?  Well, the answer is that we can provide confidentiality through our security mechanisms.

Security is orthogonal to most of the channel model.  In fact, we can conceal the messages going between our client and server just by adding an additional binding element.  If you're using one of the standard bindings, most already have security enabled by default.  Let's look at how this changes our binding section

 WindowsStreamSecurityBindingElement security = new WindowsStreamSecurityBindingElement();
security.ProtectionLevel = ProtectionLevel.EncryptAndSign;
TextMessageEncodingBindingElement encoder = new TextMessageEncodingBindingElement();
TcpTransportBindingElement transport = new TcpTransportBindingElement();
transport.TransferMode = TransferMode.Streamed;
CustomBinding binding = new CustomBinding(security, encoder, transport);

Remember, the code for handling channels and messages is not being changed.  We're simply placing a binding element for security into our channel stack.  Let's look at what goes over the network now.  If you're running across two machines, you'll need matching accounts on both ends for this to work.

 IP 192.168.0.3.3765 > 192.168.0.2.5555: tcp 36
   0x0000:  4500 004c 25dc 4000 8006 537a c0a8 0003  E..L%.@...Sz....
  0x0010:  c0a8 0002 0eb5 15b3 3766 407a 3d49 e40c  ........7f@z=I..
  0x0020:  5018 ffff 51ee 0000 0001 0001 0102 1b6e  P...Q..........n
  0x0030:  6574 2e74 6370 3a2f 2f31 3932 2e31 3638  et.tcp://192.168
  0x0040:  2e30 2e32 3a35 3535 352f 0303            .0.2:5555/..
IP 192.168.0.3.3765 > 192.168.0.2.5555: tcp 23
 0x0000:  4500 003f 25dd 4000 8006 5386 c0a8 0003  E..?%.@...S.....
  0x0010:  c0a8 0002 0eb5 15b3 3766 409e 3d49 e40c  ........7f@.=I..
  0x0020:  5018 ffff e281 0000 0915 6170 706c 6963  P.........applic
  0x0030:  6174 696f 6e2f 6e65 676f 7469 6174 65    ation/negotiate

At this point the two sides perform the NTLM tango. Not pictured.

 IP 192.168.0.3.3765 > 192.168.0.2.5555: tcp 280
 0x0000:  4500 0140 25e5 4000 8006 527d c0a8 0003  E..@%.@...R}....
  0x0010:  c0a8 0002 0eb5 15b3 3766 41c1 3d49 e4dc  ........7fA.=I..
  0x0020:  5018 ff2f 9246 0000 1401 0000 0100 0000  P../.F..........
  0x0030:  b42e 39bf d71a 9504 0200 0000 9308 ced0  ..9.............
  0x0040:  3fa4 7604 1849 abc8 ed2b 4322 f60b e7f1  ?.v..I...+C"....
  0x0050:  71af b8d8 b0d3 e5c7 64e5 cd50 d636 dc77  q.......d..P.6.w
  0x0060:  671f 2252 c8c4 0901 ebb1 63fd 5f5d c107  g."R......c._]..
  0x0070:  fb66 ff30 5630 bd52 e28e 86b2 7444 e2ec  .f.0V0.R....tD..
  0x0080:  6498 1d8e e3e4 cc89 dee2 0041 8113 d766  d..........A...f
  0x0090:  1e78 8acd 9475 b467 6726 2767 b4ca 7371  .x...u.gg&'g..sq
  0x00a0:  cb95 8255 9523 4fa6 3137 c4cd f822 d399  ...U.#O.17..."..
  0x00b0:  8b7a 80e5 2d37 b601 4f94 d4b5 1965 457c  .z..-7..O....eE|
  0x00c0:  15c0 0dfa 95ec 6949 4d4e 89c2 b6d5 c727  ......iIMN.....'
  0x00d0:  38ca ec72 9906 d5b3 bd85 cf4a 90e6 d42a  8..r.......J...*
  0x00e0:  aee1 5f47 bbb7 e64c c639 24e1 ba97 fa38  .._G...L.9$....8
  0x00f0:  3e92 d5e2 e7d7 942d 04fd c04e 8239 d7a9  >......-...N.9..
   0x0100:  d658 5dd6 1c26 17a0 bbca 3c04 4768 4a9a  .X]..&....<.GhJ.
   0x0110:  647a 57ed 53e6 bfc6 3ee4 00a0 649e 6e2f  dzW.S...>...d.n/
   0x0120:  71a9 1651 3990 615b fe32 35ed 7c5a ab4c  q..Q9.a[.25.|Z.L
  0x0130:  a103 65b4 e221 7b39 abde 2303 4d88 f612  ..e..!{9..#.M...
IP 192.168.0.2.5555 > 192.168.0.3.3765: tcp 217
    0x0000:  4500 0101 3507 4000 8006 439a c0a8 0002  E...5.@...C.....
  0x0010:  c0a8 0003 15b3 0eb5 3d49 e4f1 3766 42da  ........=I..7fB.
  0x0020:  5018 fda0 8249 0000 d500 0000 0100 0000  P....I..........
  0x0030:  a46c ae8f 2337 5721 0200 0000 68c0 0e39  .l..#7W!....h..9
  0x0040:  c4b0 017a c110 210a f5f8 815f e5e0 49e0  ...z..!...._..I.
  0x0050:  51fe eab2 0c85 0e2e ab51 4048 541f 090a  Q........Q@HT...
  0x0060:  f7a2 ac7d 44b6 818f d3ac 8359 c9c8 7f9b  ...}D......Y....
  0x0070:  7fc0 0f60 74ce 1e00 8501 b537 2c95 8041  ...`t......7,..A
  0x0080:  e74a b409 4756 757d ec74 6fbe 53e5 a908  .J..GVu}.to.S...
  0x0090:  66cf a5cb f3ae b097 8eb0 bd7f 0fe6 be79  f..............y
  0x00a0:  2076 9438 3024 78ee 1beb b5b8 2f5b a339  .v.80$x...../[.9
  0x00b0:  bfd6 63f8 0d54 28f8 d219 7c9a 1246 ea11  ..c..T(...|..F..
  0x00c0:  0408 b04f 0410 37ad bf54 6b6a 5886 f707  ...O..7..TkjX...
  0x00d0:  c14b 193b 3153 0644 5613 bdc6 7199 e219  .K.;1S.DV...q...
  0x00e0:  4e76 b6d2 6050 f8f5 1a6f 4945 36e5 030d  Nv..`P...oIE6...
  0x00f0:  6b56 5572 dc05 947a bcb4 d638 9a79 b12c  kVUr...z...8.y.,
  0x0100:  68                                       h

You'll just have to believe me that those two segments contain the same messages that we saw yesterday.  The whole point after all is that we didn't want people to be able to read the messages on the wire.  You can see that the sizes of the messages match up though, with an additional 20 bytes of overhead.  Try modifying the client and server with the new binding to prove that the programs really still work exactly the same except for what appears on the network.

Next time: How to: Enabling Streaming

Comments

  • Anonymous
    March 30, 2006
    Writing a server that directly uses the channel model is not much more difficult than writing a client...