Wednesday, May 02, 2012

Securing WCF

Securing a WCF service is quite easy but several methods with different fields of applications exist. This post describes the different available securing mechanisms and how they are set up.

Securing your network service is important because if a service is not secured, every peer on your communication way can read your communication.

Basically two different approaches of securing a service exist:

  • Message security: This approach encrypts the contents of a message, therefore the security is delegated to the protocol. If a well-known and tested standard for the protocol in use is available this approach has the advantage that the encryption is transparent to all peers and no special treatment is required. But not all protocols provide a payload encryption. Developing your own message security scheme is dangerous and requires special security skills. SOAP with the WS-Security extension is an example for a message-security scheme, but the WS-Security extension is not supported by many frameworks, especially it is not supported on Android out of the box.

  • Transport security: Transport layer security is independent of the protocol and is supported by far more applications. A well-known transport security mechanism is SSL/TLS which is used for HTTPS, SSH and many others. It establishes an end-to-end encryption based on X509-Certificates and associated private keys. The disadvantage of this approach is that non-end-to-end connections are not supported. The communication needs to be decrypted and encrypted on every hop.
WCF and Message Security

To enable service security for your service add the following to your binding configuration:

<security mode="Message">
  <message clientCredentialType="Certificate/IssuedToken/None/UserName/Windows" />

For a detailed explanation of the message security tag look at MSDN.

Read more: Codeproject
QR: Inline image 1

Posted via email from Jasper-Net