Monday, December 14, 2009

Using message credentials when calling a SOAP service from Silverlight 4

Silverlight 4 beta introduces the possibility to pass user credential (username/password) to SOAP services via the request headers. This is important when you enable a SOAP service for crossdomain access.

Shortly summarized, this is how it works:
  1. Add an https binding to the service and configure this binding to use transport security with message credentials.
  2. Use SLsvcutil.exe to generate the SL proxy.
  3. Add the username and password to the ClientCredentials.UserName property of the proxy.
  4. Remember to allow https request headers in the crossdomain policy file.
Example:







The question arises if this way of working is safe enough in true business environments.
When we look at a network trace we can notice that the username/password information is protected because of we are using https. When we enable the WCF message tracing on the server, we see that the values of the username and password have been silently removed from the trace.




To see what is really in the headers of the SOAP message, I added a message inspector to the WCF service. This inspector logs the content of the headers to a trace file. This is the content of the trace file:



Notice that the values for the username and the password are visible in plain text.
The problem is that anyone (with bad intentions) who has access to the configuration file of the service can add such an inspector to the service.
This combined with the fact that server credentials are negociated via the transport protocol (https), you can find yourself in a possible unsafe situation.

Using full WS bindings with username/password is a whole different story. In this case the server must present a well known certificate that is specified in the client configuration. This way you are sure to be talking to the right party. Secondly the username/password is encrypted and can only be decrypted by the receiving service.
The same message inspection on a full WS service gives following trace file:



Conclusion: Although you can use username/password authentication to SOAP services in SL4, be aware that it uses TransportWithMessageCredentials under the covers and that the username/password information is not encrypted at message level. This opens possibilities for "man in the middle" and "phishing" attacts to reveal usernames and passwords.

No comments: