WCF Security

In this article, we will start with transport and message security understanding. We will then see simple code samples of how to implement transport and message security using WsHTTP bindings. We will also see the differences between ‘BasicHttpBinding’ and ‘WsHttpBinding’ with the help of a simple code. WCF security is a huge topic by itself, but I am sure with this article you will get a quick start of how to go about WCF security.

Core Security Features that WCF addresses?

There are four core security features that WCF addresses:

• Confidentiality: This feature ensures that information does not go in to the wrong hands when it travels from the sender to the receiver.
• Integrity: This feature ensures that the receiver of the message gets the same information that the sender sent without any data tampering.
• Authentication: This feature verifies who the sender is and who the receiver is.
• Authorization: This feature verifies whether the user is authorized to perform the action they are requesting from the application.

Transport level and Message level security?

When we talk about WCF security, there are two aspects. The first is the data and the second is the medium on which the data travels, i.e., the protocol. WCF has the ability to apply security at the transport level (i.e., protocol level) and also at message level (i.e., data).

Transport level security happens at the channel level. Transport level security is the easiest to implement as it happens at the communication level. WCF uses transport protocols like TCP, HTTP, MSMQ, etc., and each of these protocols have their own security mechanisms. One of the common implementations of transport level security is HTTPS. HTTPS is implemented over HTTP protocols with SSL providing the security mechanism. No coding change is required, it’s more about using the existing security mechanism provided by the protocol.

Message level security is implemented with message data itself. Due to this, it is independent of the protocol. One of the common ways of implementing message level security is by encrypting data using some standard encryption algorithm.

For which bindings are transport, message, and mixed mode supported?

Below is a table which shows which mode is supported for each binding. We are not discussing mixed mode. It’s nothing but a combination of transport and mixed modes. For instance, data encrypted and passed over WsHttp using HTTPS is a mixed mode security. Encryption is nothing but message security and HTTPS is a transport mode. In combination, they form mixed mode.

Binding	Transport Mode?	Message Mode?	Mixed Mode?
BasicHttpBinding	Yes	Yes	Yes
WsHttpBinding	Yes	Yes	Yes
WsDualHttpBinding	No	Yes	No
NetTcpBinding	Yes	Yes	Yes
NetNamedPipeBinding	Yes	No	No
NetMsmqBinding	Yes	Yes	No
MsmqIntegrationBinding	Yes	No	No

The scenarios, advantages, and disadvantages of transport and message security?

	Transport	Message
Scenarios when we should be using one of them	When there are no intermediate systems in between, this is the best methodology. If it’s an intranet type of solution, this is the most recommended methodology.	When there are intermediate systems like one more WCF service through which message is routed, then message security is the way to go.
Advantages	Does not need any extra coding as protocol inherent security is used. Performance is better as we can use hardware accelerators to enhance performance. There is a lot of interoperability support and communicating clients do not need to understand WS security as it’s built in the protocol itself.	Provides end to end security as it’s not dependent on the protocol. Any intermediate hop in the network does not affect the application. Supports a wide set of security options as it is not dependent on the protocol. We can also implement custom security.
Disadvantages	As it’s a protocol implemented security, it works only point to point. As security is dependent on protocol, it has limited security support and is bound to the protocol security limitations.	Needs application refactoring to implement security. As every message is encrypted and signed, there are performance issues. Does not support interoperability with old ASMX webservices.

For Transport level Security we have to do:
1- Enable transport level security in the web.config file of the service

This is done using the Security XML tag as shown in the below code snippet.

<bindings>

    <wsHttpBinding>

        <binding name="TransportSecurity">

            <security mode="Transport">

                <transport clientCredentialType="None"/>

            </security>

        </binding>

    </wsHttpBinding>

</bindings>

2- Tie up the binding and specify HTTPS configuration

We need to now tie up the bindings with the end points. So use the bindingConfiguration tag to specify the binding name. We also need to specify the address where the service is hosted. Please note the HTTS in the address tag.

Change mexHttpBinding to mexHttpsBinding in the second end point.

<service name="WCFWSHttps.Service1" behaviorConfiguration="WCFWSHttps.Service1Behavior">

<!-- Service Endpoints -->

<endpoint address="https://localhost/WCFWSHttps/Service1.svc"

  binding="wsHttpBinding" bindingConfiguration="TransportSecurity"

  contract="WCFWSHttps.IService1"/>

<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange"/>

</service>

In serviceMetadata, we also need to change httpGetEnabled to httpsGetEnabled.

<serviceBehaviors>

........

.........

<serviceMetadata httpsGetEnabled="true"/>

.........

.........

</serviceBehaviors>

3- Make the web application HTTPS enabled

Now the necessary configuration changes are done, it’s time to compile the WCF service project and host it in an IIS application with HTTPS enabled.

Resource: Click here

one more helpfull is here

Thanks

~Suraj K. Mad.