What security methods wcf provide? how to implement

+1 vote
asked Jun 12, 2013 in WCF by anonymous

I am new to WCF. Help me to understand what kind of security methods WCF provides and how to implement. I heard that, it is easy to implement security in WCF but, how does it work internally? Which security method is best?


1 Answer

+1 vote
answered Jun 12, 2013 by administrator (315 points)
selected Jun 21, 2013 by Aadhira
Best answer

WCF is a very good platform to implement service oriented architecture. By default, WCF provides secured transactions based on the Binding you choose. Either it would be Transport level security or message level security.

Transport level security:
This will send the message in a secured transport. So, the message will be sent safe between the source and target. Well know transport level security is using SSL. i.e https connection. But there is a drawback in this mode of security. Because, if your message is going to travel in a distribute layer design, all the way it should be supporting secured transport. Otherwise, the message will not be safe. Thats why this method is suitable for Point to point services. That means, there should not be any other layer in between. Advantage of this method is, performance is good and proven technology for a long time.

Message Level Security

In this method, even though the transport is secured or not, the message will be safe because, the message itself encrypted. So, this method of security can be used even if there are multiple layers between source and destination. Drawback on this mode would be performance. Because the message has to be encrypted before it sent in the network and then it has to be decrypted in the destination.

Mixed mode:
This is a combination of both Transport level and message level security. This mode is also knows as Transport with message credential. In this mode, Transport Security is used to send the message in a secured mode. But one thing to notice is that, the message encrypted when it comes in the transport. So, If, some one hack in between, the message will be in plain text. So, to solve that issue, message security will be used in the mixed mode. In this mixed mode, message security will not encrypt the whole message, instead, it will encrypt only the credential and other information whatever we send in the header section.

NetTcpBinding - By default Transport Level Security
WsHttpBinding - By default Message Level Security.

Simple, all tcp binding by default transport level security.
Only the basicHttpBinding is not secured by default. But we can easily implement security on that as well.

Below is the sample configuration section to turn on or off the Security

  <binding name="TransportSecurityBinding">
    <security mode="Transport">
      <transport clientCredentialType="windows"/>

In the above configuration, Transport level security is used with Windows credential. So, client will be sent with windows credential through the message header.

Note: Not all type of credentials are supported by all types of binding.

Your answer


Your name to display (optional):
Privacy: Your email address will only be used for sending these notifications.
Anti-spam verification:
To avoid this verification in future, please log in or register.
site design / logo / content © 2013 - 2015 pinfaq.com