Enabling LogReceiverService Security

[Gabriel Espinoza]

Hello Everybody,

I've been learning about NLog for a week now and I absolutely love it <3, thank you all for the hard work.

I have to make a centralized log repository and I decided to mount a WCF service implementing LogReceiverService. I followed this topic where I found a working exaple, (thank you pogorman and his bitbucket-working-example). Finally I was able to mount a WCF Service through wsHttpBinding (you can see my source code here).

For the record, when consuming the service, you need to add this config to your app.config or web.config

 <system.serviceModel>

    <bindings>

      <wsHttpBinding>

        <binding name="Logger_ILogReceiverServer">

          <security mode="None"/>

        </binding>

      </wsHttpBinding>

    </bindings>

    <client>

      <endpoint address="http://localhost:55021/Logger.svc" binding="wsHttpBinding" bindingConfiguration="Logger_ILogReceiverServer" contract="NLog.LogReceiverService.ILogReceiverClient" name="Logger_ILogReceiverServer"/>

    </client>

  </system.serviceModel>

and this as target in your NLog.config

<target xsi:type="LogReceiverService"

        name="RemoteWcfLogger"

        endpointConfigurationName="Logger_ILogReceiverServer"

        endpointAddress="http://localhost:55021/Logger.svc"

        useBinaryEncoding="True"

        clientId="TestApplication"

        includeEventProperties="True">

</target>

Now I would like to add some security to this WCF Service, expose it through HTTPS and maybe add an Authentication Token, the problem is: I have no idea on how to achieve that. Have someone faced this problem before? Any Idea on how should I proceed to implement such a feature?

In advance, thanks a lot :)

[Gabriel Espinoza]

Maybe I should clarify, I do know how to add a token to a WCF Service, it's just I can't picture where to program the logic to authenticate the service reference... To add a token authentication to WCF just follow this guide

As you can see, I don't have a clue how to add this code lines without a service reference:

static void Main()
{
     ...
     client.ClientCredentials.UserNamePassword.UserName = username;
     client.ClientCredentials.UserNamePassword.Password = password;
     ...
}

Again, in advance, thanks a lot :)

[Kim Christensen]

I'll have to take a look at this, but I'm not an expert in WCF. Please let me know if you figure this out.

[Gabriel Espinoza]

Hello Kim, thank you for your answer.

Let me tell you I was able to configure the desired behavior :)

First we configure the server as follows:

The configuration of System.ServiceModel for the web.config of the WCFService is:

  <system.serviceModel>

    <services>

      <service name="Your.Namespace.Path.To.Your.Service" behaviorConfiguration="SecureBehavior">

        <endpoint binding="wsHttpBinding" bindingConfiguration="SecureBinding" contract="NLog.LogReceiverService.ILogReceiverServer"/>

        <endpoint binding="mexHttpBinding" contract="IMetadataExchange" address="mex"/>

        <host>

          <baseAddresses>

            <add baseAddress="https://your_secure_domain.com/servicePath"/>

          </baseAddresses>

        </host>

      </service>

    </services>

    <behaviors>

      <serviceBehaviors>

        <behavior name="SecureBehavior">

          <serviceDebug includeExceptionDetailInFaults="true"/>

          <serviceMetadata httpsGetEnabled="true"/>

          <serviceCredentials>

            <!--You must set your certificate configuration to make this example work-->

            <serviceCertificate findValue="0726d1969a5c8564e0636f9eec83f92e" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySerialNumber"/>

            <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="AssamblyOf.YourCustom.UsernameValidator.UsernameValidator, AssamblyOf.YourCustom.UsernameValidator"/>

          </serviceCredentials>

        </behavior>

      </serviceBehaviors>

    </behaviors>

    <bindings>

      <wsHttpBinding>

        <binding name="SecureBinding" closeTimeout="00:00:20" openTimeout="00:00:20" receiveTimeout="00:00:20" sendTimeout="00:00:20">

          <security mode="TransportWithMessageCredential">

            <message clientCredentialType="UserName"/>

            <transport clientCredentialType="None"/>

          </security>

        </binding>

      </wsHttpBinding>

    </bindings>

    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />

  </system.serviceModel>

The CustomUserNameValidator

public class UsernameValidator : UserNamePasswordValidator

{

    private const string UserName = "your_username_here";

    private const string Password = "your_password_here";

    public override void Validate(string userName, string password)

    {

        // validate arguments

        if (string.IsNullOrEmpty(userName))

            throw new ArgumentNullException("userName");

        if (string.IsNullOrEmpty(password))

            throw new ArgumentNullException("password");

        //

        // Nombre de usuario y contraseñas hardcodeados por seguridad

        //

        if (!userName.Equals(UserName) || !password.Equals(Password))

            throw new SecurityTokenException("Nombre de usuario o contraseña no válidos para consumir este servicio");

    }

}

then we go to the Client configuration

First, create a inherited class from LogReceiverWebServiceTarget and I override the method CreateWcfLogReceiverClient, then in that method add the credentials.

// we assume that this class is created in NLog.CustomExtendedService namespace

[Target("LogReceiverSecureService")]

public class LogReceiverSecureService : NLog.Targets.LogReceiverWebServiceTarget

{

    /// <summary>

    /// Gets or sets the UserName of the service when it's authentication is set to UserName

    /// </summary>

    /// <value>The name of the endpoint configuration.</value>

    public string ServiceUsername { get; set; } 

    /// <summary>

    /// Gets or sets de Password of the service when it's authentication is set to UserName

    /// </summary>

    public string ServicePassword { get; set; }

    /// <summary>

    /// Creates a new instance of WcfLogReceiverClient.

    /// 

    /// We make override over this method to allow the authentication

    /// </summary>

    /// <returns></returns>

    protected override NLog.LogReceiverService.WcfLogReceiverClient CreateWcfLogReceiverClient()

    {

        var client = base.CreateWcfLogReceiverClient();

        if (client.ClientCredentials != null)

        {

            //

            // You could use the config file configuration (this example) or you could hard-code it (if you do not want to expose the credentials)

            //

            client.ClientCredentials.UserName.UserName = this.ServiceUsername;

            client.ClientCredentials.UserName.Password = this.ServicePassword;

        }

        return client;

    }

}

Then we set up the application's config file

<system.serviceModel>

    <bindings>

      <wsHttpBinding>

        <binding name="WSHttpBinding_ILogReceiverServer">

          <security mode="TransportWithMessageCredential">

            <message clientCredentialType="UserName" />

            <transport clientCredentialType="None" />

          </security>

        </binding>

      </wsHttpBinding>

    </bindings>

    <client>

      <endpoint address="https://your_secure_domain.com/servicePath/Logger.svc" binding="wsHttpBinding"

        bindingConfiguration="WSHttpBinding_ILogReceiverServer" contract="NLog.LogReceiverService.ILogReceiverClient"

        name="WSHttpBinding_ILogReceiverServer" />

    </client>

    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />

  </system.serviceModel>

Finally we configure the NLog.config

  <extensions>

    <add assembly="NLog.CustomExtendedService"  /> <!--Assuming the custom Target was added to this assambly -->

  </extensions>

  <targets>

    <target xsi:type="LogReceiverSecureService"

        name="RemoteWcfLogger"

        endpointConfigurationName="WSHttpBinding_ILogReceiverServer"

        endpointAddress="https://your_secure_domain.com/servicePath/Logger.svc"

        ServiceUsername="your_username_here"

        ServicePassword="your_password_here"

        useBinaryEncoding="True"

        clientId="YourApplicationNameOrId"

        includeEventProperties="True">

    </target>

  </targets>

If you want, I can send you a working example, but you will need a SSL certificate installed to test it (Fortunately, I have a development server with SSL where I was able to try this)

[Kim Christensen]

Glad you figured it out, and thanks for the example.