What are the security implications of establishSecurityContext="False" and negotiateServiceCredential="False"

泪湿孤枕 submitted on 2019-12-11 08:56:11

Question


We've set establishSecurityContext="False" and negotiateServiceCredential="False" on a wsHttpBinding. In a setup where every single web service call involves connecting and disconnecting, this reduces the number of requests per web service call from 5 to 1, providing a significant performance improvement.

The client has been configured to know the server identity via the identity node:

<endpoint address="..." behaviorConfiguration="..." binding="wsHttpBinding" bindingConfiguration="..." contract="..." name="...">
  <identity>
    <certificate encodedValue="..." />
  </identity>
</endpoint>

What are the security implications of these settings? Do they reduce security in any way?


Answer 1:


The scenario described doesn't actually change the security of a connection established between the client and the server. It merely changes how the security is specified and how the credential is specified.

establishSecurityContext is a higher-level mechanism that facilitates specifying a security context using a token, rather than specifying the lower-level details directly.

negotiateServiceCredential specifies whether the credential to be used may be negotiated as opposed to specified explicitly.

The overall framework documentation for this is here.

In a setting where a client makes and disposes connections for every call and where it is known that client and server can meet the specified requirements (i.e., there is no need for negotiation), the settings described by the OP are a reasonable way to reduce the overhead to establish a connection without changing the security policies that actually get applied to the connections.




Answer 2:


NegotiateServiceCredential: true if the service credential is obtained through a process of negotiation; otherwise, false. The default is true.
https://docs.microsoft.com/en-us/dotnet/api/system.servicemodel.messagesecurityoverhttp.negotiateservicecredential?redirectedfrom=MSDN&view=netframework-4.7.2#System_ServiceModel_MessageSecurityOverHttp_NegotiateServiceCredential
EstablishSecurityContext: true if a secure conversation is established using a SecurityContextToken; otherwise, false. The default is false.
https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-2.0/aa715023(v=msdn.10)
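
An added example, not part of the original question or answers: a small Python check over a WCF client config that reports which wsHttpBinding endpoints run with both settings off, and flags any endpoint that disables negotiation without the pinned `<identity><certificate>` node shown in the question. The sample config, the endpoint and binding names, and the `PLACEHOLDER` value are constructed, and the check assumes certificate-based service credentials.

```python
import xml.etree.ElementTree as ET

# Constructed client config for illustration; the names and the certificate
# value are placeholders, not taken from the original post.
SAMPLE = """<configuration><system.serviceModel>
  <bindings><wsHttpBinding>
    <binding name="oneShot"><security mode="Message">
      <message clientCredentialType="Certificate"
               negotiateServiceCredential="False" establishSecurityContext="False"/>
    </security></binding>
  </wsHttpBinding></bindings>
  <client>
    <endpoint name="pinned" binding="wsHttpBinding" bindingConfiguration="oneShot">
      <identity><certificate encodedValue="PLACEHOLDER"/></identity>
    </endpoint>
    <endpoint name="unpinned" binding="wsHttpBinding" bindingConfiguration="oneShot"/>
  </client>
</system.serviceModel></configuration>"""

def is_false(elem, attr):
    """True only when the attribute is explicitly set to false (any casing)."""
    return elem is not None and elem.get(attr, "").strip().lower() == "false"

def audit(config_xml):
    """Return one finding dict per wsHttpBinding client endpoint."""
    sm = ET.fromstring(config_xml).find("system.serviceModel")
    findings = []
    for ep in sm.findall("client/endpoint"):
        if ep.get("binding") != "wsHttpBinding":
            continue
        name = ep.get("bindingConfiguration")
        path = "bindings/wsHttpBinding/binding[@name='%s']/security/message" % name
        msg = sm.find(path) if name else None
        no_negotiation = is_false(msg, "negotiateServiceCredential")
        # Only the <identity><certificate> node from the question is checked; a
        # certificate supplied through an endpoint behavior is not looked at.
        cert = ep.find("identity/certificate")
        pinned = cert is not None and bool(cert.get("encodedValue"))
        findings.append({
            "endpoint": ep.get("name"),
            "one_shot": no_negotiation and is_false(msg, "establishSecurityContext"),
            # Assumption: with negotiation off and certificate credentials, the
            # client must already hold the service certificate out of band.
            "needs_review": no_negotiation and not pinned,
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
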



Source: https://stackoverflow.com/questions/52990153/what-are-the-security-implications-of-establishsecuritycontext-false-and-negot
