Authentication and authorization are key aspects of secure communication between client and server. The service needs to authenticate its callers and then allow each caller only the operations it is permitted to use. Service-level authentication alone is not enough for secure communication: the messages themselves must also be protected so that they cannot be tampered with. WCF supports a variety of authentication mechanisms:
- None: anonymous access to the service; the caller is not authenticated.
- Windows: the caller provides Windows credentials (a token or ticket) and the service authenticates them against Windows users.
- Username/Password: the caller sends a user name and password, and these credentials are validated against a database or another credential store.
- X509 certificate: client and service already have certificates installed. The service looks up the caller's certificate and authenticates it.
- Custom mechanism: the developer can design and implement their own authentication mechanism.
- Tokens: client and service rely on a third party for authentication; the caller sends a token, which is then validated on the service side.
Besides these authentication mechanisms, communication must also be secured at the protocol and message level. I'll discuss the Transfer Security modes here and how WCF supports them:
Transfer Security Modes
- None: no security at all. The service does not receive any client credentials, and messages are at high risk of tampering.
- Transport Security: the transport itself is secured, via protocols such as HTTPS, TCP, IPC and MSMQ; all communication on the channel is encrypted by the protocol. It is the simplest way of achieving transfer security and the most performant option. Its main downside is that it can only guarantee security point-to-point, that is, when the client connects directly to the service. Transport security is typically used only by intranet applications, where the environment is more controlled.
- Message Security: the message itself is encrypted, which provides privacy and mutual authentication. Encrypted messages can be transported over insecure protocols such as HTTP. Message security provides end-to-end security regardless of the number of intermediaries involved in transferring the message, and regardless of whether or not the transport is secure. Its downside is that it may introduce call latency because of its inherent overhead. Message security is typically used by Internet applications, where call patterns are less chatty and the transport is not necessarily secure.
- Mixed: uses Transport Security for message integrity and privacy, and Message Security for securing the client's credentials. Very rarely used.
- Both: Transport Security plus Message Security, for additional security.
How are the Transfer Security modes mapped to WCF bindings?
| WCF Binding | None | Transport Security | Message Security | Mixed | Both |
|---|---|---|---|---|---|
| basicHttpBinding | yes (default) | yes | yes | yes | No |
| netTcpBinding (TCP) | yes | yes (default) | yes | yes | No |
| netNamedPipeBinding (IPC) | yes | yes (default) | No | No | No |
| WSHttpBinding | yes | yes | yes (default) | No | No |
| NetMsmqBinding | yes | yes (default) | yes | No | yes |
Implementation in WCF
Transfer security is controlled by enums in .NET, which can be passed to the binding's constructor. Each binding exposes only the modes that are valid for it: netNamedPipeBinding, for example, only supports None and Transport security, so only “None” and “Transport” are available as options.
BasicHttpSecurityMode:

```csharp
public enum BasicHttpSecurityMode
{
    None,
    Transport,
    Message,
    TransportWithMessageCredential, // Mixed
    TransportCredentialOnly         // client credentials over HTTP, no transport protection
}
```
Programmatic implementation in code:

```csharp
BasicHttpBinding binding1 = new BasicHttpBinding(BasicHttpSecurityMode.Message);
BasicHttpBinding binding2 = new BasicHttpBinding();
binding2.Security.Mode = BasicHttpSecurityMode.Message;
```
Configuration in Config File:
SecurityMode: used in netTcpBinding and WSHttpBinding

```csharp
public enum SecurityMode
{
    None,
    Transport,
    Message,
    TransportWithMessageCredential // Mixed
}
```
Programmatic implementation in code:

```csharp
var productEndpoint = productHost.AddServiceEndpoint(typeof(IMarketDataProvider),
    new NetTcpBinding(SecurityMode.Transport), "net.tcp://localhost:8000/MarketService");
```
NetNamedPipeSecurityMode: used for the IPC binding (netNamedPipeBinding)

```csharp
public enum NetNamedPipeSecurityMode
{
    None,
    Transport
}

var bindingIPC = new NetNamedPipeBinding(NetNamedPipeSecurityMode.Transport);
```
NetMsmqSecurityMode: used for the MSMQ binding

```csharp
public enum NetMsmqSecurityMode
{
    None,
    Transport,
    Message,
    Both
}

NetMsmqBinding Binding1 = new NetMsmqBinding(NetMsmqSecurityMode.Message);
```
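As an added example (not code from the original post), the following C# audit helper walks a ServiceHost's endpoints, reads the transfer-security mode from each of the bindings covered above, and reports any endpoint left at None. The contract IMarketDataProvider, the MarketDataProvider class and the endpoint addresses are hypothetical stand-ins constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
// Hypothetical contract and service, present only so that endpoints can be added to a host.
[ServiceContract] public interface IMarketDataProvider { [OperationContract] decimal GetPrice(string symbol); }
public class MarketDataProvider : IMarketDataProvider { public decimal GetPrice(string symbol) => 0m; }
public static class TransferSecurityAudit
{
    // Each binding keeps its mode in its own Security.Mode enum type, so each binding from the table is matched explicitly.
    public static string ModeOf(Binding binding)
    {
        switch (binding)
        {
            case BasicHttpBinding b:    return b.Security.Mode.ToString();
            case NetTcpBinding b:       return b.Security.Mode.ToString();
            case NetNamedPipeBinding b: return b.Security.Mode.ToString();
            case WSHttpBinding b:       return b.Security.Mode.ToString();
            case NetMsmqBinding b:      return b.Security.Mode.ToString();
            default:                    return null; // a binding this audit does not cover
        }
    }
    // One finding per endpoint whose transfer security is None (no caller credentials, no integrity) or whose binding is unknown.
    public static List<string> Findings(ServiceHostBase host)
    {
        var findings = new List<string>();
        foreach (ServiceEndpoint ep in host.Description.Endpoints)
        {
            string mode = ModeOf(ep.Binding);
            if (mode == null)
                findings.Add($"{ep.Address.Uri}: unrecognised binding {ep.Binding.GetType().Name}, review manually");
            else if (mode == "None")
                findings.Add($"{ep.Address.Uri}: transfer security is None");
        }
        return findings;
    }
}
class Program
{
    static void Main()
    {
        var host = new ServiceHost(typeof(MarketDataProvider));
        // basicHttpBinding defaults to None, so this endpoint is reported; the TCP endpoint is not.
        host.AddServiceEndpoint(typeof(IMarketDataProvider), new BasicHttpBinding(), "http://localhost:8001/Market");
        host.AddServiceEndpoint(typeof(IMarketDataProvider), new NetTcpBinding(SecurityMode.Transport), "net.tcp://localhost:8000/Market");
        foreach (string finding in TransferSecurityAudit.Findings(host)) Console.WriteLine(finding);
    }
}
```

The check runs against the host's description without opening it, so it can be applied at startup before any endpoint starts listening.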
I'll cover the implementation of the different authentication types in the next blog post: Something about Security in WCF- II