Post
Ask Question

Implement Security in WCF

Transport Security

When using transport security, the user credentials and claims are passed by using the transport layer. In other words, user credentials are transport-dependent, which allows fewer authentication options compared to message security. Each transport protocol (TCP, IPC, MSMQ, or HTTP) has its own mechanism for passing credentials and handling message protection. The most common approach for this is to use Secure Sockets Layer (SSL) for encrypting and signing the contents of the packets sent over Secure HTTP (HTTPS). Transport security is used to provide point-to-point security between the two endpoints (service and client).

Use transport security in the following scenarios:

  • You are sending a message directly from your application to a WCF service and the message will not be routed through intermediate systems.
  • Both the service and the client are located in an intranet.

Using transport security offers the following advantages:

  • It provides interoperability, meaning that communicating parties do not need to understand WS-Security specifications.
  • It may result in better performance.
  • Hardware accelerators can be used to further improve the performance

Message Security

When using message security, the user credentials and claims are encapsulated in every message using the WS-Security specification to secure messages. This option gives the most flexibility from an authentication perspective. You can use any type of security credentials you want, largely independent of transport, as long as both the client and service agree.

Use message security in the following scenarios:

  • You are sending a message to a WCF service, and the message is likely to be forwarded to other WCF services or may be routed through intermediate systems.
  • Your WCF clients are accessing the WCF service over the Internet and messages may be routed through intermediate systems.

Using message security offers the following advantages:

  • It provides end-to-end security. Because message security directly encrypts and signs the message, having intermediaries does not break the security.
  • It allows partial or selective message encryption and signing, thus improving overall application performance.
  • Message security is transport-independent and therefore can be used with any transport protocol.
  • It supports a wide set of credentials and claims, including the issue token that enables federated security.