
WCF Security


Security is a critical piece of any programming technology or framework for implementing service-oriented applications.

WCF has been built from the ground up for providing the necessary security infrastructure at the message and service level.

In the following sections, you see how to use many of the available security settings in WCF, and some common deployment scenarios.

For message protection, WCF supports the two traditional security models, transport security and message security.

The bindings, in addition to specifying the communication protocol and encoding for the services, also allow you to configure the message protection settings and the authentication schema.

Default Security Settings in WCF:

BINDING                    SETTINGS
WsHttpBinding              Message Security with Windows Authentication
BasicHttpBinding           No Security
WsFederationHttpBinding    Message Security with Federated Authentication
NetTcpBinding              Transport Security with Windows Authentication
NetNamedPipeBinding        Transport Security with Windows Authentication
NetMsmqBinding             Transport Security with Windows Authentication

Consider the following example:

 <wsHttpBinding>
   <binding name="UsernameBinding">
     <!-- Message security; the client authenticates with a username token -->
     <security mode="Message">
       <message clientCredentialType="UserName"/>
     </security>
   </binding>
 </wsHttpBinding>

In this example, the service has been configured with message security and the username security token profile. The rest of the security settings for the binding take the default values.

Security Mode

The security mode setting determines two fundamental security aspects for any service: the security model for message protection and the supported client authentication schema.

Security Mode: Description

None: The service is available for anyone, and the messages are not protected as they go through the transport. When this mode is used, the service is vulnerable to any kind of attack.

Transport: Uses the transport security model for authenticating clients and protecting the messages. This mode provides the advantages and disadvantages discussed in transport security.

Message: Uses the message security model for authenticating clients and protecting the messages. This mode provides the advantages and disadvantages discussed in message security.

Both: Uses the transport security and message security models at the same time for authenticating the service consumers and protecting the messages. This mode is only supported by the MSMQ bindings and requires the same credentials at both levels.

TransportWithMessageCredential: The message protection is provided by transport, and the credentials for authenticating the service consumers travel as part of the message. This mode provides the flexibility of using any of the credentials or token types supported in message authentication while the service authentication and message protection are performed at transport level.

TransportCredentialOnly: Uses transport security for authenticating clients. The service is not authenticated, and the messages, including the client credentials, go as plain text through the transport. This security mode can be useful for scenarios where the kind of information transmitted between the client and the service is not sensitive, although the credentials also get exposed to anyone.
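As an added example (not part of the original page), the following Python code audits a WCF configuration for bindings and endpoints whose effective security mode is None or TransportCredentialOnly, applying the defaults table and the mode descriptions above. The function names, the sample configuration, and its service names and addresses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Effective mode when a binding sets no <security mode="...">, per the defaults table above.
DEFAULT_MODE = {
    "wsHttpBinding": "Message", "basicHttpBinding": "None",
    "wsFederationHttpBinding": "Message", "netTcpBinding": "Transport",
    "netNamedPipeBinding": "Transport", "netMsmqBinding": "Transport",
}
# Modes described above as sending messages (and credentials) unprotected.
WEAK = {"None", "TransportCredentialOnly"}

def binding_modes(root):
    """Map (binding element, configuration name) to its effective security mode."""
    modes = {}
    for kind in root.findall(".//bindings/*"):
        for b in kind.findall("binding"):
            sec = b.find("security")
            mode = sec.get("mode") if sec is not None else None
            modes[(kind.tag, b.get("name", ""))] = mode or DEFAULT_MODE.get(kind.tag, "unknown")
    return modes

def audit(config_xml):
    """Return sorted (scope, item, mode) findings. An endpoint that references
    no configured binding is judged by the default mode of its binding type."""
    root = ET.fromstring(config_xml)
    modes = binding_modes(root)
    findings = [("binding", f"{k}/{n}", m) for (k, n), m in modes.items() if m in WEAK]
    for ep in root.iter("endpoint"):
        kind = ep.get("binding", "")
        key = (kind, ep.get("bindingConfiguration", ""))
        mode = modes.get(key, DEFAULT_MODE.get(kind, "unknown"))
        if mode in WEAK:
            findings.append(("endpoint", f"{ep.get('address', '')} ({kind})", mode))
    return sorted(findings)

# Constructed sample configuration (names and addresses are hypothetical).
SAMPLE = """<configuration><system.serviceModel><bindings>
  <wsHttpBinding><binding name="UsernameBinding"><security mode="Message">
    <message clientCredentialType="UserName"/></security></binding></wsHttpBinding>
  <basicHttpBinding>
    <binding name="legacy"/>
    <binding name="credOnly"><security mode="TransportCredentialOnly"/></binding>
  </basicHttpBinding></bindings>
 <services><service name="Demo.Service">
  <endpoint address="basic" binding="basicHttpBinding" contract="Demo.IService"/>
  <endpoint address="secure" binding="wsHttpBinding" bindingConfiguration="UsernameBinding"/>
 </service></services></system.serviceModel></configuration>"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The "basic" endpoint is flagged even though it never mentions a security mode, because a basicHttpBinding left at its defaults has no security.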

Configure the WsHttpBinding to use transport security with Basic Authentication

<bindings>
  <wsHttpBinding>
    <binding name="mybinding">
      <!-- Transport security; the client authenticates with Basic credentials -->
      <security mode="Transport">
        <transport clientCredentialType="Basic"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

This modified text is an extract of the original Stack Overflow Documentation created by the contributors and released under CC BY-SA 3.0. This website is not affiliated with Stack Overflow.