
WCF # 19 – WCF Security

Hi Friends,

In every application, security is the most important concern.

For example, when we use an online banking service, we trust that the application providers have done their utmost to prevent abuse, corruption of data, hacking, and exposure of our financial details to others. The same is expected of us as we provide WCF-based services to consumers.

This article focuses on the concepts behind security and the practical means by which services are secured (when necessary) using WCF. We will begin by introducing the major concepts.

WCF Security Concepts

Let’s begin by introducing four major tenets of service security: authentication, authorization, confidentiality, and integrity.

One of the most fundamental concepts of security is knowing who is knocking on your door. Authentication is the process of establishing a clear identity for an entity, for example, by providing evidence such as a username and password.

Although it is clearly important for a service to know who its callers are, it is equally important that callers have an assurance that the service being called is the expected service and not an impostor.

WCF provides several options for this mutual authentication by both the service and the caller—for example, certificates and Windows accounts and groups. By using these and other options, as we’ll show throughout this chapter, each side can have firm trust that they are communicating with an expected party.

The next step in security, after identity has been established, is to determine whether the calling party should be permitted to do what they are requesting. This process is called authorization because the service or resource authorizes a caller to proceed.

Note that you can choose to authorize anonymous users for actions as well, so although authorization is not strictly dependent on authentication, it does normally follow.

Authorization can be performed by custom code in the service, native or custom authorization providers, ASP.NET roles, Windows groups, Active Directory, Authorization Manager, and other mechanisms.

When dealing with sensitive information, there is little use in establishing identity and authorization if the results of a call will be broadcast to anyone who is interested. Confidentiality is the concept of preventing others from reading the information exchanged between a caller and a service.

This is typically accomplished via encryption, and a variety of mechanisms for this exist within WCF.

The final basic concept of security is the assurance that the contents of a message have not been tampered with during transfer between caller and service, and vice versa. This is typically done by digitally signing or generating a signed hash for the contents of the message and having the receiving party validate the signature based on the contents of what it received.

If the computed value does not match the embedded value, the message should be refused.

Note that integrity can be provided even when privacy is not necessary. It may be acceptable to send information in the clear (unencrypted) as long as the receiver can be assured that it is the original data via digital signature verification.

Transport and Message Security     


There are two major classifications of security within WCF; both are related to the security of what is transferred between a service and caller (sometimes called transfer security). The first concept is of protecting data as it is sent across the network, or “on the wire.” This is known as transport security.

The other classification is called message security and is concerned with the protection that each message provides for itself, regardless of the transportation mechanism used.

Transport security provides protection for the data sent, without regard to the contents. A common approach for this is to use Secure Sockets Layer (SSL) for encrypting and signing the contents of the packets sent over HTTPS. There are other transport security options as well, and the choice of options will depend on the particular WCF binding used. In fact, you will see that many options in WCF are configured to be secure by default, such as with TCP.

The option to use transport and message security is typically specified in configuration; two basic examples are shown below:

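    <!-- Transport security: the channel itself (for example HTTPS) protects the data -->
    <binding name="TransportSecurity">
      <security mode="Transport">
        <transport clientCredentialType="None"/>
      </security>
    </binding>
    <!-- Message security: each message is protected independently of the transport -->
    <binding name="MessageSecurity">
      <security mode="Message">
        <message clientCredentialType="Windows"/>
      </security>
    </binding>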
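
A defender-side check for binding configuration like the above, added here as an example (it is not code from the original post or from WCF): it parses the bindings section of a config file and reports each binding's effective security mode, including the default that applies when no security element is present. The sample config, the binding names and the verdict strings are constructed for illustration, and only three binding types are modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample <bindings> section, not taken from any real deployment.
SAMPLE = """<configuration><system.serviceModel><bindings>
  <wsHttpBinding>
    <binding name="TransportSecurity"><security mode="Transport">
      <transport clientCredentialType="None"/></security></binding>
    <binding name="MessageSecurity"><security mode="Message">
      <message clientCredentialType="Windows"/></security></binding>
    <binding name="Mistyped"><security mode="Windows"/></binding>
  </wsHttpBinding>
  <basicHttpBinding><binding name="Untouched"/></basicHttpBinding>
  <netTcpBinding><binding name="Untouched"/></netTcpBinding>
</bindings></system.serviceModel></configuration>"""

COMMON = {"None", "Transport", "Message", "TransportWithMessageCredential"}
# Binding element -> (mode used when none is configured, modes it accepts).
KNOWN = {
    "basicHttpBinding": ("None", COMMON | {"TransportCredentialOnly"}),
    "wsHttpBinding": ("Message", COMMON),
    "netTcpBinding": ("Transport", COMMON),
}

def audit_bindings(config_xml):
    """Return (binding type, name, effective mode, verdict) per binding."""
    root, findings = ET.fromstring(config_xml), []
    for tag, (default, accepted) in KNOWN.items():
        for b in root.findall(f".//bindings/{tag}/binding"):
            sec = b.find("security")
            mode = default if sec is None else sec.get("mode", default)
            transport = None if sec is None else sec.find("transport")
            if mode not in accepted:
                verdict = "invalid mode"
            elif mode == "None":
                verdict = "no transfer security"
            elif mode == "TransportCredentialOnly":
                verdict = "caller authenticated, data unprotected"
            elif (mode == "Transport" and transport is not None
                  and transport.get("clientCredentialType") == "None"):
                verdict = "protected channel, anonymous caller"
            else:
                verdict = "ok"
            findings.append((tag, b.get("name"), mode, verdict))
    return findings

if __name__ == "__main__":
    for row in audit_bindings(SAMPLE):
        print(*row, sep=" | ")
```

The client credential check only looks at explicitly configured values; a binding that omits the transport element is reported by its mode alone.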



