WCF Security in .Net technology using C#

In this post, I explain WCF security.

The Windows Communication Foundation (WCF) is a secure, reliable and scalable messaging platform.

With WCF, SOAP messages can be transmitted over a variety of supported protocols, including named pipes, TCP, HTTP, and MSMQ.

As with any distributed messaging platform, you must establish security policies for protecting messages and for authenticating and authorizing calls.

  • Types of Authentication
  • Transfer security Mode
  • Transport Security protection level
  • Message Security Level 

Types of Authentication

WCF authentication is the verification of the caller who claims to be calling the service. Verification of the caller is referred to as service authentication.

No authentication:

The service does not authenticate its callers and allows all clients to access it.

Windows authentication:

Windows authentication is the most suitable authentication type in an intranet, where client credentials are stored in Windows accounts and groups.

In this model, the caller provides a Windows credential (ticket/token) to the service for authentication.

The Windows credential is the default credential type.

Username/Password:

The caller provides an explicit username and password to the service for authentication.

Issued token:

The caller and the service can both rely on a secure token service to issue the client a token that the service recognizes and trusts.

Custom mechanism:

WCF allows developers to replace the built-in authentication mechanisms by providing their own protocol and credential type for authentication.

Transfer security Mode:

The WCF offers the following transfer security modes:

Message Security mode:

In this mode, the message itself is encrypted. Encrypting the message rather than the transport enables services to communicate securely over a non-secure transport such as HTTP.

It provides end-to-end security.

It is mainly used in internet applications.

Transport security mode:

When the system is configured with ‘Transport’ mode, WCF uses a secured communication protocol. The available secure transports are HTTP, TCP, IPC and MSMQ.

Transport security encrypts all communication on the channel and provides integrity, privacy, and mutual authentication. It provides point-to-point security.

Mixed transfer security mode:

It uses transport security for message integrity, privacy and service authentication, and message security for securing client credentials.

Both security mode:

This mode uses both transport security and message security: the message is secured using message security and is then transferred to the service over a secure transport.

Example:

<bindings>
  <webHttpBinding>
    <binding name="TransportSecurity">
      <!-- mode accepts one of: None, Transport, TransportCredentialOnly -->
      <security mode="Transport">
      </security>
    </binding>
  </webHttpBinding>
</bindings>

Example for wsHttpBinding:

<bindings>
  <wsHttpBinding>
    <binding name="TransportSecurity">
      <!-- mode accepts one of: None, Message, Transport, TransportWithMessageCredential -->
      <security mode="Transport">
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
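To check which of these modes a deployed configuration actually ends up with, the following added example (not code from the original post) audits the bindings in a config file and reports those whose effective mode is None or TransportCredentialOnly. The sample configuration and its binding names are constructed for illustration; the default-mode table reflects WCF's defaults for the three bindings used in this post.

```python
import xml.etree.ElementTree as ET

# Security mode WCF applies when a binding declares no mode of its own.
DEFAULT_MODE = {"basicHttpBinding": "None", "webHttpBinding": "None",
                "wsHttpBinding": "Message"}
WEAK_MODES = {
    "None": "no transfer security: messages are neither encrypted nor authenticated",
    "TransportCredentialOnly": "client is authenticated over plain HTTP, "
                               "without encryption or integrity protection",
}
# Constructed sample configuration (binding names are hypothetical).
SAMPLE_CONFIG = """
<configuration><system.serviceModel><bindings>
  <basicHttpBinding>
    <binding name="Legacy">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Basic" />
      </security>
    </binding>
    <binding name="Defaulted" />
  </basicHttpBinding>
  <wsHttpBinding>
    <binding name="Open"><security mode="None" /></binding>
    <binding name="Hardened">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings></system.serviceModel></configuration>
"""

def audit_bindings(config_xml):
    """Return (binding type, binding name, effective mode, issue) per weak binding."""
    findings = []
    root = ET.fromstring(config_xml.strip())
    for bindings in root.iter("bindings"):
        for kind in bindings:                       # e.g. <basicHttpBinding>
            for binding in kind.findall("binding"):
                security = binding.find("security")
                mode = security.get("mode") if security is not None else None
                # A missing <security> element or mode attribute falls back to the default.
                mode = mode or DEFAULT_MODE.get(kind.tag, "unknown")
                if mode in WEAK_MODES:
                    findings.append((kind.tag, binding.get("name", ""),
                                     mode, WEAK_MODES[mode]))
    return findings

if __name__ == "__main__":
    for kind, name, mode, issue in audit_bindings(SAMPLE_CONFIG):
        print(f"{kind}/{name}: mode={mode}: {issue}")
```

Note that the "Defaulted" binding is reported even though it never mentions security: a basicHttpBinding without a security element runs with mode None.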

Transport Security protection level

In WCF, transport security depends on the binding and the underlying transport being used. Each protocol (TCP, HTTP, MSMQ, named pipes) has its own mechanism for passing credentials and handling message protection.

Example:

<bindings>
  <basicHttpBinding>
    <binding name="TransportSecurity">
      <security mode="Transport">
        <!-- clientCredentialType accepts one of: None, Basic, Digest, Ntlm, Windows, Certificate, InheritedFromHost -->
        <transport clientCredentialType="Windows"></transport>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

Message Level Security:

Message level security is independent of the transport protocol. It makes use of the WS-Security specification to secure messages and ensure confidentiality, integrity, and authentication at the SOAP message level, not at the transport level.

Example:

<bindings>
  <basicHttpBinding>
    <binding name="MessageSecurity">
      <security mode="Message">
        <!-- clientCredentialType accepts one of: UserName, Certificate -->
        <message clientCredentialType="Certificate"></message>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
  Modified On Feb-24-2020 05:36:40 AM
