Technology Corner

Something about Security in WCF- I

Authentication and authorization are key aspects of secure communication between client and server. The service needs to authenticate its callers and then allow them only the operations they are permitted to use. Service-level authentication is not the only requirement for secure communication; messages should also be protected so that they cannot be tampered with. WCF supports a variety of authentication mechanisms:

None: Anonymous access to the service. The caller is not authenticated.

Windows: The caller provides Windows credentials (a token or ticket) and the service authenticates them against Windows users.

Username/Password: The caller sends a user name and password, and these credentials are validated against a database or another credential store.

X509 certificate: The client and the service already have certificates installed. The service looks up the caller's certificate and authenticates it.

Custom mechanism: The developer can develop and implement their own authentication mechanism.

Tokens: The client and the service rely on third-party authentication; the caller sends a token that is authenticated on the service side.

Besides these authentication mechanisms, communication should also be secured at the protocol and message level. I'll discuss the transfer security modes here and how WCF supports them:

Transfer Security Modes

  • None: No security at all. The service will not get any client credentials. High risk of message tampering.
  • Transport Security: Messages travel over secure communication protocols such as HTTPS, TCP, IPC and MSMQ. All communication on the channel is encrypted by these protocols. It is the simplest way of achieving transfer security, and the most performant option. Its main downside is that it can only guarantee transfer security point-to-point, meaning when the client connects directly to the service. Transport security is typically used only by intranet applications, where you have a more controlled environment.
  • Message Security: The message itself is encrypted. This provides privacy and mutual authentication. Encrypted messages can be transported over non-secure protocols such as HTTP. Message security provides end-to-end security, regardless of the number of intermediaries involved in transferring the message and regardless of whether or not the transport is secure. The downside of message security is that it may introduce call latency due to its inherent overhead. Message security is typically used by Internet applications, where the call patterns are less chatty and the transport is not necessarily secure.
  • Mixed: Transport security is used for message integrity and privacy, while message security is used to secure the client's credentials. Very rarely used.
  • Both: Transport security plus message security, to provide more security.

How is transfer security mapped in WCF?

| WCF Binding | None | Transport Security | Message Security | Mixed | Both |
|---|---|---|---|---|---|
| basicHttpBinding | yes (default) | yes | yes | yes | No |
| netTcpBinding (TCP) | yes | yes (default) | yes | yes | No |
| netNamedPipeBinding (IPC) | yes | yes (default) | No | No | No |
| WSHttpBinding | yes | yes | yes (default) | No | No |
| NetMsmqBinding | yes | yes (default) | yes | No | yes |

Implementation in WCF

Transfer security is controlled by enums in .NET. The enum value can be passed to the constructor of a binding. Only the transfer security modes that are valid for a binding are available in its enum; for example, netNamedPipeBinding supports only none and transport security, so only “None” and “Transport” are available as options.


public enum BasicHttpSecurityMode { None, Transport, Message, TransportWithMessageCredential /* Mixed */, TransportCredentialOnly }

Programmatic implementation in code:

BasicHttpBinding binding1 = new BasicHttpBinding(BasicHttpSecurityMode.Message);
BasicHttpBinding binding2 = new BasicHttpBinding();
binding2.Security.Mode = BasicHttpSecurityMode.Message;

Configuration in Config File:

  • SecurityMode: used for netTcpBinding and WSHttpBinding

public enum SecurityMode { None, Transport, Message, TransportWithMessageCredential /* Mixed */ }

Programmatic implementation in code:

var productEndpoint = productHost.AddServiceEndpoint(typeof(IMarketDataProvider),
new NetTcpBinding(SecurityMode.Transport), "net.tcp://localhost:8000/MarketService");

NetNamedPipeSecurityMode: used for the IPC binding (netNamedPipeBinding)

public enum NetNamedPipeSecurityMode { None, Transport }

var bindingIPC = new NetNamedPipeBinding(NetNamedPipeSecurityMode.Transport);

NetMsmqSecurityMode: used for the MSMQ binding

public enum NetMsmqSecurityMode { None, Transport, Message, Both }
NetMsmqBinding Binding1 = new NetMsmqBinding(NetMsmqSecurityMode.Message);
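
An added example, not code from the original post: a small audit that reads the transfer security mode from each endpoint's binding through the same Security.Mode property set above, and flags endpoints left at None. The IPingService contract, the PingService class and the addresses are hypothetical; it assumes the .NET Framework with a reference to System.ServiceModel.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical contract and service, defined only to make the example self-contained.
[ServiceContract]
public interface IPingService
{
    [OperationContract]
    string Ping(string text);
}

public class PingService : IPingService
{
    public string Ping(string text) { return text; }
}

public static class TransferSecurityAudit
{
    // Name of the transfer security mode set on a binding, or null for
    // binding types outside the five covered in this post.
    public static string GetMode(Binding binding)
    {
        if (binding is BasicHttpBinding) return ((BasicHttpBinding)binding).Security.Mode.ToString();
        if (binding is WSHttpBinding) return ((WSHttpBinding)binding).Security.Mode.ToString();
        if (binding is NetTcpBinding) return ((NetTcpBinding)binding).Security.Mode.ToString();
        if (binding is NetNamedPipeBinding) return ((NetNamedPipeBinding)binding).Security.Mode.ToString();
        if (binding is NetMsmqBinding) return ((NetMsmqBinding)binding).Security.Mode.ToString();
        return null;
    }

    public static void Main()
    {
        // The host is only described, never opened, so nothing listens on these addresses.
        var host = new ServiceHost(typeof(PingService));
        host.AddServiceEndpoint(typeof(IPingService), new BasicHttpBinding(), "http://localhost:8080/ping");
        host.AddServiceEndpoint(typeof(IPingService), new WSHttpBinding(), "http://localhost:8080/ping/ws");
        host.AddServiceEndpoint(typeof(IPingService), new NetTcpBinding(SecurityMode.None), "net.tcp://localhost:8001/ping");
        host.AddServiceEndpoint(typeof(IPingService), new NetNamedPipeBinding(), "net.pipe://localhost/ping");

        foreach (var endpoint in host.Description.Endpoints)
        {
            string mode = GetMode(endpoint.Binding);
            string verdict = mode == null ? "review manually" : mode == "None" ? "NO TRANSFER SECURITY" : "ok";
            Console.WriteLine("{0,-20} {1,-36} {2,-10} {3}",
                endpoint.Binding.Name, endpoint.Address.Uri, mode ?? "?", verdict);
        }
    }
}
```

The basicHttpBinding endpoint is flagged even though no mode was set on it, because None is that binding's default.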


I’ll cover the implementation of the different types of authentication in the next post: Something about Security in WCF- II



  2. chavika says:

    Thank you very much neeraj!

