
WCF Security



In this post, I’m explaining WCF Security.

Windows Communication Foundation (WCF) is a secure, reliable and scalable messaging platform. With WCF, SOAP messages can be transmitted over a variety of supported protocols, including named pipes, TCP, HTTP and MSMQ. As with any distributed messaging platform, you must establish security policies for protecting messages and for authenticating and authorizing calls.

1. Types of Authentication

2. Transfer security Mode

3. Transport Security protection level

4. Message Security Level

 

Types of Authentication

WCF authentication refers to verifying the caller who claims to be calling the service. Verification of the caller is referred to as service authentication.

No authentication:

Service does not authenticate its caller and it will allow clients to access.

Windows authentication:

Windows authentication is the most suitable authentication type on an intranet, where client credentials are stored in Windows accounts and groups. In this mode the caller provides Windows credential tickets/tokens to the service for authentication.

Windows credential is the default credential type.

 

UserName/Password:

An explicit username and password are provided to the service for authentication.

Issued token:

The caller and the service can both rely on a secure token service to issue the client a token that the service recognizes and trusts.

Custom mechanism:

WCF allows developers to replace the built-in authentication mechanism by providing their own protocol and credential type for authentication.

Transfer security Mode:

WCF offers the following transfer security modes:

Message Security mode:

In this mode, the message itself is encrypted. Encrypting the message rather than the transport enables services to communicate securely over a non-secure transport such as HTTP. It provides end-to-end security.

It is mainly used in internet applications.

Transport security mode:

When the system is configured with ‘Transport’ mode, WCF uses a secured communication protocol. The available secure transports are HTTP, TCP, IPC and MSMQ. Transport security encrypts all communication on the channel and provides integrity, privacy and mutual authentication. It provides point-to-point security.

Mixed transfer security mode:

It uses transport security for message integrity, privacy and service authentication, and it uses message security for securing the client credentials.

Both security mode:

This transfer security mode uses both transport security and message security. The message is secured using message security and then transferred to the service over a secure transport.

Example for webHttpBinding:

<bindings>
  <webHttpBinding>
    <binding name="TransportSecurity">
      <!-- mode can be None, Transport or TransportCredentialOnly -->
      <security mode="Transport">
      </security>
    </binding>
  </webHttpBinding>
</bindings>

 

Example for wsHttpBinding:

<bindings>
  <wsHttpBinding>
    <binding name="TransportSecurity">
      <!-- mode can be None, Message, Transport or TransportWithMessageCredential -->
      <security mode="Transport">
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

Transport Security protection level

In WCF, transport security depends on the binding and the underlying transport being used. Each protocol (TCP, HTTP, MSMQ, named pipes) has its own mechanism for passing credentials and handling message protection.

Example:

<bindings>
  <basicHttpBinding>
    <binding name="TransportSecurity">
      <security mode="Transport">
        <!-- clientCredentialType can be None, Basic, Digest, Ntlm, Windows, Certificate or InheritedFromHost -->
        <transport clientCredentialType="Windows"></transport>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

Message Level Security:

Message level security is independent of the transport protocol. It makes use of the WS-Security specification to secure messages and ensure confidentiality, integrity and authentication at the SOAP message level, not at the transport level.

 

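Example:

<bindings>
  <basicHttpBinding>
    <binding name="TransportSecurity">
      <security mode="Message">
        <!-- clientCredentialType can be UserName or Certificate;
             basicHttpBinding in Message mode accepts only Certificate at runtime -->
        <message clientCredentialType="Certificate"></message>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>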
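
A check a reviewer can run over a web.config or app.config to see which transfer security mode each binding actually ends up with, including bindings that omit the security element and fall back to the WCF default. This is an added example, not code from the original article: the sample configuration and the audit_bindings function are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (not from the article) using modes the article lists.
SAMPLE_CONFIG = """<configuration><system.serviceModel><bindings>
  <basicHttpBinding>
    <binding name="Legacy" />
    <binding name="CredOnly">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Basic" />
      </security>
    </binding>
  </basicHttpBinding>
  <wsHttpBinding>
    <binding name="Mixed">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings></system.serviceModel></configuration>"""

# Security mode WCF applies when a binding has no <security mode="..."> setting.
DEFAULT_MODE = {"basicHttpBinding": "None", "webHttpBinding": "None",
                "wsHttpBinding": "Message", "netTcpBinding": "Transport"}

def audit_bindings(config_xml):
    """Return (binding type, name, effective mode, finding) per <binding>."""
    results = []
    for bindings in ET.fromstring(config_xml).iter("bindings"):
        for binding_type in bindings:
            for binding in binding_type.findall("binding"):
                security = binding.find("security")
                mode = security.get("mode") if security is not None else None
                mode = mode or DEFAULT_MODE.get(binding_type.tag, "unknown")
                transport = binding.find("security/transport")
                cred = transport.get("clientCredentialType") if transport is not None else None
                if mode == "None":
                    finding = "no transfer security"
                elif mode == "TransportCredentialOnly" and cred == "Basic":
                    finding = "Basic credentials sent over unencrypted HTTP"
                elif mode == "TransportCredentialOnly":
                    finding = "credentials sent without channel encryption"
                elif mode == "unknown":
                    finding = "unknown binding type, review manually"
                else:
                    finding = "ok"
                results.append((binding_type.tag, binding.get("name"), mode, finding))
    return results

if __name__ == "__main__":
    for row in audit_bindings(SAMPLE_CONFIG):
        print(row)
```
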

