Thursday, February 02, 2017

WCF Security, When/How to Use, Advantages and Disadvantages

Transport Security
Message Security
When using transport security, the user credentials and claims are passed by using the transport layer. In other words, user credentials are transport-dependent, which allows fewer authentication options compared to message security. Each transport protocol (TCP, IPC, MSMQ, or HTTP) has its own mechanism for passing credentials and handling message protection. The most common approach for this is to use Secure Sockets Layer (SSL) for encrypting and signing the contents of the packets sent over Secure HTTP (HTTPS).
When using message security, the user credentials and claims are encapsulated in every message using the WS-Security specification to secure messages. This option gives the most flexibility from an authentication perspective. You can use any type of security credentials you want, largely independent of transport, as long as both the client and service agree.
  • You are sending a message directly from your application to a WCF service and the message will not be routed through intermediate systems.
  • Both the service and the client are located in an intranet.
  • You are sending a message to a WCF service, and the message is likely to be forwarded to other WCF services or may be routed through intermediate systems.
  • Your WCF clients are accessing the WCF service over the Internet and messages may be routed through intermediate systems.
  • It provides interoperability, meaning that communicating parties do not need to understand WS-Security specifications.
  • It may result in better performance.
  • Hardware accelerators can be used to further improve the performance.
  • It provides end-to-end security. Because message security directly encrypts and signs the message, having intermediaries does not break the security.
  • It allows partial or selective message encryption and signing, thus improving overall application performance.
  • Message security is transport-independent and therefore can be used with any transport protocol.
  • It supports a wide set of credentials and claims, including the issue token that enables federated security.
Dis Advantage
  • Security is applied on a point-to-point basis, with no provision for multiple hops or routing through intermediate application nodes.
  • It supports a limited set of credentials and claims compared to message security.
  • It is transport-dependent upon the underlying platform, transport mechanism, and security service provider, such as NTLM or Kerberos.
Dis Advantage
  • This option may reduce performance compared to transport security because each individual message is encrypted and signed.
  • It does not support interoperability with older ASMX clients, as it requires both the client and service to support WS-Security specifications.
<binding name="netTcpTransportBinding">
   <security mode="Transport">
              <Transport clientCredentialType="Windows" />
<binding name="wsHttpMessageBinding">
  <security mode="Message">
              <Message clientCredentialType="UserName" />