Those smart guys in Microsoft Patterns and Practices have released the BETA version of their WCF Security guide. The guide, Improving Web Services Security: Scenarios and Implementation Guidance for WCF, is our Microsoft playbook for Windows Communication Foundation (WCF /"Indigo".) It shows you how to build secure services using WCF. It's a compendium of proven practices, product team recommendations, and insights from the field. It includes end-to-end application scenarios (Web applications / Smart Clients), as well as step-by-step How Tos. Most importantly it frames out the Web services security space and shows you how to be effective with WCF.
patterns & practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF
(Forewords by Nicholas Allen and Rockford Lhotka.)
Download the Guide
· Guide Download: http://www.codeplex.com/WCFSecurityGuide
Contents at a Glance
· Part I - Security Fundamentals for Web Services gives you a quick overview of fundamental security concepts as they relate to services, service-oriented design, and Service-Oriented Architecture (SOA.)
· Part II - WCF Security Fundamentals gives you a firm foundation in key WCF security concepts, with special attention on authentication, authorization, and secure communication, as well as WCF binding configurations.
· Part III - Intranet Application Scenarios shows you a set of end-to-end Intranet application scenarios that you can use to jumpstart your application architecture designs with a focus on authentication, authorization, and communication from a WCF perspective for your intranet.
· Part IV - Internet Application Scenarios shows a set of end-to-end Internet application scenarios that you can use to jumpstart your application architecture design for the Internet.
Chapters
· Ch 01 - Security Fundamentals for Web Services
· Ch 02 - Threats and Countermeasures for Web Services
· Ch 03 - Security Design Guidelines for Web Services
· Ch 04 - WCF Security Fundamentals
· Ch 05 - Authentication, Authorization and Identities in WCF
· Ch 06 - Impersonation and Delegation in WCF
· Ch 07 - Message and Transport Security in WCF
· Ch 08 - WCF Bindings Fundamentals
· Ch 09 - Intranet – Web to Remote WCF Using Transport Security (Original Caller, TCP)
· Ch 10 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem,HTTP)
· Ch 11 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem TCP)
· Ch 12 - Intranet – Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)
· Ch 13 - Internet – WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
· Ch 14 - Internet – Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
· Ch 15 - Internet – Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)
Reference
· WCF Security Checklist
· WCF Security Guidelines
· WCF Security Practices at a Glance
· WCF Questions and Answers (Q&A)
· How Tos
· WCF Security Resources
External Contributors/Reviewers
· Andy Eunson; Anil John; Anu Rajendra; Brandon Bohling; Chaitanya Bijwe; Daniel Root; David P. Romig, Sr.; Dennis Rea; Kevin Lam; Michele Bustamante; Parameswaran Vaideeswaran; Rockford Lotka; Rudolph Araujo; Santosh Bejugam
Microsoft Contributors / Reviewers
· Alik Levin; Brandon Blazer; Brent Schmaltz; Curt Smith; David Bradley; Dmitri Ossipov; Don Smith; Jan Alexander; Jason Hogg; Jason Pang; John Steer; Marc Goodner; Mark Fussell; Martin Gudgin; Martin Petersen-Frey; Mike de Libero; Mohammad Al-Sabt; Nobuyuki Akama; Ralph Squillace; Richard Lewis; Rick Saling; Rohit Sharma; Scott Mason; Sidd Shenoy; Sidney Higa; Stuart Kwan; Suwat Chitphakdibodin; T.R. Vishwanath; Todd Kutzke; Todd West; Vijay Gajjala; Vittorio Bertocci; Wenlong Dong; Yann Christensen; Yavor Georgiev
More Information
· Guide site: http://www.codeplex.com/WCFSecurityGuide
· Project Site (Online KB): http://www.codeplex.com/WCFSecurity
· Project updates at J.D. Meier’s blog: http://blogs.msdn.com/jmeier