WCF Security


Security is a critical piece of any programming technology or framework for implementing service-oriented applications.

WCF has been built from the ground up for providing the necessary security infrastructure at the message and service level.

The following sections show how to use many of the available security settings in WCF, along with some common deployment scenarios.

For message protection, WCF supports the two traditional security models, transport security and message security.

The bindings, in addition to specifying the communication protocol and encoding for the services, will also allow you to configure the message protection settings and the authentication schema.

Default Security Settings in WCF:

| Binding | Settings |
|---|---|
| WsHttpBinding | Message Security with Windows Authentication |
| BasicHttpBinding | No Security |
| WsFederationHttpBinding | Message Security with Federated Authentication |
| NetTcpBinding | Transport Security with Windows Authentication |
| NetNamedPipeBinding | Transport Security with Windows Authentication |
| NetMsmqBinding | Transport Security with Windows Authentication |

Consider the following example:

 <wsHttpBinding>
   <binding name="UsernameBinding">
     <!-- Message security; clients authenticate with a username token -->
     <security mode="Message">
       <message clientCredentialType="UserName"/>
     </security>
   </binding>
 </wsHttpBinding>

In this example, the service has been configured with message security and the username security token profile. The rest of the security settings for the binding take the default values.

Security Mode

The security mode setting determines two fundamental security aspects for any service: the security model for message protection and the supported client authentication schema.

| Security Mode | Description |
|---|---|
| None | The service is available for anyone, and the messages are not protected as they go through the transport. When this mode is used, the service is vulnerable to any kind of attack. |
| Transport | Uses the transport security model for authenticating clients and protecting the messages. This mode provides the advantages and disadvantages discussed in transport security. |
| Message | Uses the message security model for authenticating clients and protecting the messages. This mode provides the advantages and disadvantages discussed in message security. |
| Both | Uses the transport security and message security models at the same time for authenticating the service consumers and protecting the messages. This mode is only supported by the MSMQ bindings and requires the same credentials at both levels. |
| TransportWithMessageCredential | The message protection is provided by transport, and the credentials for authenticating the service consumers travel as part of the message. This mode provides the flexibility of using any of the credentials or token types supported in message authentication while the service authentication and message protection are performed at transport level. |
| TransportCredentialOnly | Uses transport security for authenticating clients. The service is not authenticated, and the messages, including the client credentials, go as plain text through the transport. This security mode can be useful for scenarios where the kind of information transmitted between the client and the service is not sensitive, although the credentials also get exposed to anyone. |

Configure the WsHttpBinding to use transport security with Basic Authentication

<bindings>
  <wsHttpBinding>
    <binding name="mybinding">
      <!-- Transport mode: the transport protects the messages and carries the Basic credentials -->
      <security mode="Transport">
        <transport clientCredentialType="Basic"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
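
The defaults table and the security mode table above can be turned into a configuration check. The following script is an added example, not code from the original page: it reports every binding whose effective mode is None or TransportCredentialOnly, including bindings that inherit None by default. The function name `audit_bindings`, the sample configuration and the binding names `legacy` and `intranet` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
# Default mode per binding element, from the defaults table above.
DEFAULT_MODE = {
    "wsHttpBinding": "Message", "basicHttpBinding": "None",
    "wsFederationHttpBinding": "Message", "netTcpBinding": "Transport",
    "netNamedPipeBinding": "Transport", "netMsmqBinding": "Transport",
}
# Modes the security mode table describes as leaving messages unprotected.
WEAK_MODES = {
    "None": "no authentication and no message protection",
    "TransportCredentialOnly": "credentials and messages travel as plain text",
}

def audit_bindings(config_xml):
    """Return (binding type, name, effective mode, reason) for each weak binding."""
    findings = []
    root = ET.fromstring(config_xml.strip())
    for bindings in root.iter("bindings"):
        for binding_type in bindings:
            for binding in binding_type.findall("binding"):
                security = binding.find("security")
                mode = security.get("mode") if security is not None else None
                # No <security> element or mode attribute: the default applies.
                effective = mode or DEFAULT_MODE.get(binding_type.tag, "unknown")
                if effective in WEAK_MODES:
                    findings.append((binding_type.tag, binding.get("name", ""),
                                     effective, WEAK_MODES[effective]))
    return findings

# Constructed sample configuration (not from the original page).
SAMPLE_CONFIG = """
<configuration><system.serviceModel><bindings>
  <wsHttpBinding>
    <binding name="mybinding">
      <security mode="Transport"><transport clientCredentialType="Basic"/></security>
    </binding>
  </wsHttpBinding>
  <basicHttpBinding>
    <binding name="legacy"/>
    <binding name="intranet">
      <security mode="TransportCredentialOnly"><transport clientCredentialType="Basic"/></security>
    </binding>
  </basicHttpBinding>
</bindings></system.serviceModel></configuration>
"""

if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE_CONFIG):
        print("%s/%s: mode=%s (%s)" % finding)
```

The `legacy` binding is flagged even though it has no security element, because BasicHttpBinding defaults to no security.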
