Securing WCF Services Using the Windows Identity Foundation (WIF)
by Dominick Baier
If you are a software security geek like me, the world of distributed applications is one of the most exciting places to be. You can encounter a multitude of client types, network and authentication protocols, credential types, and requirements. In other words, you have just the complexity you need to feel like a real expert — or a little lost.
Although, in theory, the Windows Communication Foundation (WCF) has all the features you need to build even the most complex distributed systems, as always, complexity is the biggest enemy of security. That's the reason why Microsoft gave WCF security (and .NET security, in general — but more on that later) a refresh that enables you to build these systems with better abstraction layers and less error-prone code. This refresh is called the Windows Identity Foundation (WIF), and this chapter examines how to use this technology with WCF Simple Object Access Protocol (SOAP) and Representational State Transfer (REST) services.
The sample code used in this chapter, as well as the Thinktecture.IdentityModel library, is part of the code available for download on this book's companion website (www.wrox.com). Parts of the code are based on the movie database service described in Chapter 9.
IDENTITY IN .NET APPLICATIONS
Since the first release of the .NET Framework, ...