| description | title | ms.date | dev_langs | ms.topic | ||
|---|---|---|---|---|---|---|
Learn more about: Walkthrough: Creating Custom Client and Service Credentials |
Walkthrough: Creating Custom Client and Service Credentials |
03/30/2017 |
|
how-to |
This topic shows how to implement custom client and service credentials and how to use custom credentials from application code.
The xref:System.ServiceModel.Description.ClientCredentials and xref:System.ServiceModel.Description.ServiceCredentials classes are the main entry points to the Windows Communication Foundation (WCF) security extensibility. These credentials classes provide the APIs that enable application code to set credentials information and to convert credential types into security tokens. (Security tokens are the form used to transmit credential information inside SOAP messages.) The responsibilities of these credentials classes can be divided into two areas:
-
Provide the APIs for applications to set credentials information.
-
Perform as a factory for xref:System.IdentityModel.Selectors.SecurityTokenManager implementations.
The default implementations provided in WCF support the system-provided credential types and create a security token manager that is capable of handling those credentials types.
There are multiple reasons for customizing either client or service credential classes. Foremost is the requirement to change the default WCF security behavior with regard to handling system-provided credential types, especially for the following reasons:
-
Changes that are not possible using other extensibility points.
-
Adding new credential types.
-
Adding new custom security token types.
This topic describes how to implement custom client and service credentials and how to use them from application code.
Creating a custom credentials class is only the first step, because the reason for customizing credentials is to change WCF behavior regarding credentials provisioning, security token serialization, or authentication. Other topics in this section describe how to create custom serializers and authenticators. In this regard, creating custom credential class is the first topic in the series. Subsequent actions (creating custom serializers and authenticators) can be done only after creating custom credentials. Additional topics that build upon this topic include:
-
Define a new class derived from the xref:System.ServiceModel.Description.ClientCredentials class.
-
Optional. Add new methods or properties for new credential types. If you do not add new credential types, skip this step. The following example adds a
CreditCardNumberproperty. -
Override the xref:System.ServiceModel.Security.SecurityCredentialsManager.CreateSecurityTokenManager%2A method. This method is automatically called by WCF security infrastructure when the custom client credential is used. This method is responsible for creating and returning an instance of an implementation of the xref:System.IdentityModel.Selectors.SecurityTokenManager class.
[!IMPORTANT] It is important to note that the xref:System.ServiceModel.Security.SecurityCredentialsManager.CreateSecurityTokenManager%2A method is overridden to create a custom security token manager. The security token manager, derived from xref:System.ServiceModel.ClientCredentialsSecurityTokenManager, must return a custom security token provider, derived from xref:System.IdentityModel.Selectors.SecurityTokenProvider, to create the actual security token. If you do not follow this pattern for creating security tokens, your application may function incorrectly when xref:System.ServiceModel.ChannelFactory objects are cached (which is the default behavior for WCF client proxies), potentially resulting in an elevation of privilege attack. The custom credential object is cached as part of the xref:System.ServiceModel.ChannelFactory. However, the custom xref:System.IdentityModel.Selectors.SecurityTokenManager is created on every invocation, which mitigates the security threat as long as the token creation logic is placed in the xref:System.IdentityModel.Selectors.SecurityTokenManager.
-
Override the xref:System.ServiceModel.Description.ClientCredentials.CloneCore%2A method.
[!code-csharpc_CustomCredentials#1] [!code-vbc_CustomCredentials#1]
-
Define a new class derived from xref:System.ServiceModel.ClientCredentialsSecurityTokenManager.
-
Optional. Override the xref:System.IdentityModel.Selectors.SecurityTokenManager.CreateSecurityTokenProvider%28System.IdentityModel.Selectors.SecurityTokenRequirement%29 method if a custom xref:System.IdentityModel.Selectors.SecurityTokenProvider implementation must be created. For more information about custom security token providers, see How to: Create a Custom Security Token Provider.
-
Optional. Override the xref:System.IdentityModel.Selectors.SecurityTokenManager.CreateSecurityTokenAuthenticator%28System.IdentityModel.Selectors.SecurityTokenRequirement%2CSystem.IdentityModel.Selectors.SecurityTokenResolver%40%29 method if a custom xref:System.IdentityModel.Selectors.SecurityTokenAuthenticator implementation must be created. For more information about custom security token authenticators, see How to: Create a Custom Security Token Authenticator.
-
Optional. Override the xref:System.IdentityModel.Selectors.SecurityTokenManager.CreateSecurityTokenSerializer%2A method if a custom xref:System.IdentityModel.Selectors.SecurityTokenSerializer must be created. For more information about custom security tokens and custom security token serializers, see How to: Create a Custom Token.
[!code-csharpc_CustomCredentials#2] [!code-vbc_CustomCredentials#2]
-
Either create an instance of the generated client that represents the service interface, or create an instance of the xref:System.ServiceModel.ChannelFactory pointing to a service you want to communicate with.
-
Remove the system-provided client credentials behavior from the xref:System.ServiceModel.Description.ServiceEndpoint.Behaviors%2A collection, which can be accessed through the xref:System.ServiceModel.ChannelFactory.Endpoint%2A property.
-
Create a new instance of a custom client credentials class and add it to the xref:System.ServiceModel.Description.ServiceEndpoint.Behaviors%2A collection, which can be accessed through the xref:System.ServiceModel.ChannelFactory.Endpoint%2A property.
[!code-csharpc_CustomCredentials#3] [!code-vbc_CustomCredentials#3]
The previous procedure shows how to use client credentials from application code. WCF credentials can also be configured using the application configuration file. Using application configuration is often preferable to hard-coding because it enables modification of application parameters without having to modify the source, recompiling, and redeployment.
The next procedure describes how to provide support for configuration of custom credentials.
-
Define a new class derived from xref:System.ServiceModel.Configuration.ClientCredentialsElement.
-
Optional. Add properties for all additional configuration parameters that you want to expose through application configuration. The example below adds one property named
CreditCardNumber. -
Override the xref:System.ServiceModel.Configuration.BehaviorExtensionElement.BehaviorType%2A property to return the type of the custom client credentials class created with the configuration element.
-
Override the xref:System.ServiceModel.Configuration.BehaviorExtensionElement.CreateBehavior%2A method. The method is responsible for creating and returning an instance of the custom credential class based on the settings loaded from the configuration file. Call the base xref:System.ServiceModel.Configuration.ClientCredentialsElement.ApplyConfiguration%28System.ServiceModel.Description.ClientCredentials%29 method from this method to retrieve the system-provided credentials settings loaded into your custom client credentials instance.
-
Optional. If you added additional properties in step 2, you need to override the xref:System.Configuration.ConfigurationElement.Properties%2A property in order to register your additional configuration settings for the configuration framework to recognize them. Combine your properties with the base class properties to allow the system-provided settings to be configured through this custom client credentials configuration element.
[!code-csharpc_CustomCredentials#7] [!code-vbc_CustomCredentials#7]
Once you have the configuration handler class, it can be integrated into the WCF configuration framework. That enables the custom client credentials to be used in the client endpoint behavior elements, as shown in the next procedure.
To register and use a custom client credentials configuration handler in the application configuration
-
Add an <
extensions> element and a <behaviorExtensions> element to the configuration file. -
Add an <
add> element to the <behaviorExtensions> element and set thenameattribute to an appropriate value. -
Set the
typeattribute to the fully-qualified type name. Also include the assembly name and other assembly attributes.<system.serviceModel> <extensions> <behaviorExtensions> <add name="myClientCredentials" type="Microsoft.ServiceModel.Samples.MyClientCredentialsConfigHandler, CustomCredentials, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" /> </behaviorExtensions> </extensions> </system.serviceModel>
-
After registering your configuration handler, the custom credentials element can be used inside the same configuration file instead of the system-provided <
clientCredentials> element. You can use both the system-provided properties and any new properties that you have added to your configuration handler implementation. The following example sets the value of a custom property using thecreditCardNumberattribute.<behaviors> <endpointBehaviors> <behavior name="myClientCredentialsBehavior"> <myClientCredentials creditCardNumber="123-123-123"/> </behavior> </endpointBehaviors> </behaviors>
-
Define a new class derived from xref:System.ServiceModel.Description.ServiceCredentials.
-
Optional. Add new properties to provide APIs for new credential values that are being added. If you do not add new credential values, skip this step. The following example adds an
AdditionalCertificateproperty. -
Override the xref:System.ServiceModel.Security.SecurityCredentialsManager.CreateSecurityTokenManager%2A method. This method is automatically called by the WCF infrastructure when the custom client credential is used. The method is responsible for creating and returning an instance of an implementation of the xref:System.IdentityModel.Selectors.SecurityTokenManager class (described in the next procedure).
-
Optional. Override the xref:System.ServiceModel.Description.ServiceCredentials.CloneCore%2A method. This is required only if adding new properties or internal fields to the custom client credentials implementation.
[!code-csharpc_CustomCredentials#4] [!code-vbc_CustomCredentials#4]
-
Define a new class derived from the xref:System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager class.
-
Optional. Override the xref:System.IdentityModel.Selectors.SecurityTokenManager.CreateSecurityTokenProvider%2A method if a custom xref:System.IdentityModel.Selectors.SecurityTokenProvider implementation must be created. For more information about custom security token providers, see How to: Create a Custom Security Token Provider.
-
Optional. Override the xref:System.IdentityModel.Selectors.SecurityTokenManager.CreateSecurityTokenAuthenticator%2A method if a custom xref:System.IdentityModel.Selectors.SecurityTokenAuthenticator implementation must be created. For more information about custom security token authenticators, see How to: Create a Custom Security Token Authenticator topic.
-
Optional. Override the xref:System.IdentityModel.Selectors.SecurityTokenManager.CreateSecurityTokenSerializer%28System.IdentityModel.Selectors.SecurityTokenVersion%29 method if a custom xref:System.IdentityModel.Selectors.SecurityTokenSerializer must be created. For more information about custom security tokens and custom security token serializers, see How to: Create a Custom Token.
[!code-csharpc_CustomCredentials#5] [!code-vbc_CustomCredentials#5]
-
Create an instance of the xref:System.ServiceModel.ServiceHost.
-
Remove the system-provided service credentials behavior from the xref:System.ServiceModel.Description.ServiceDescription.Behaviors%2A collection.
-
Create a new instance of the custom service credentials class and add it to the xref:System.ServiceModel.Description.ServiceDescription.Behaviors%2A collection.
[!code-csharpc_CustomCredentials#6] [!code-vbc_CustomCredentials#6]
Add support for configuration using the steps described previously in the procedures "To create a configuration handler for custom client credentials" and "To register and use a custom client credentials configuration handler in the application configuration." The only difference is to use the xref:System.ServiceModel.Configuration.ServiceCredentialsElement class instead of the xref:System.ServiceModel.Configuration.ClientCredentialsElement class as a base class for the configuration handler. The custom service credential element can then be used wherever the system-provided <serviceCredentials> element is used.
- xref:System.ServiceModel.Description.ClientCredentials
- xref:System.ServiceModel.Description.ServiceCredentials
- xref:System.ServiceModel.Security.SecurityCredentialsManager
- xref:System.IdentityModel.Selectors.SecurityTokenManager
- xref:System.ServiceModel.Configuration.ClientCredentialsElement
- xref:System.ServiceModel.Configuration.ServiceCredentialsElement
- How to: Create a Custom Security Token Provider
- How to: Create a Custom Security Token Authenticator
- How to: Create a Custom Token