Technology Corner


Something about Security in WCF- I


Authentication and authorization are key aspects of secure communication between client and server. The service needs to authenticate its callers and then allow them to use only the operations they are permitted to call. Service-level authentication is not the only requirement for secure communication; messages must also be protected so that they cannot be tampered with. WCF supports a variety of authentication mechanisms:

None: Anonymous access to the service. The caller is not authenticated.

Windows: The caller provides Windows credentials (a token or ticket) and the service authenticates them against Windows users.

Username/Password: The caller sends a user name and password, and these credentials are validated against a database or other credential store.

X509 certificate: The client and service already have certificates installed. The service looks up the caller's certificate and authenticates it.

Custom mechanism: The developer can develop and implement their own authentication mechanism.

Tokens: The client and service rely on third-party authentication; in this case the caller sends a token that is authenticated on the service side.

Besides these authentication mechanisms, communication should also be secured at the protocol and message level. I’ll discuss the transfer security modes here and how WCF supports them:

Transfer Security Modes

  • None: No security at all. The service will not get any client credentials. High risk of message tampering.
  • Transport Security: Messages travel over secure communication protocols such as HTTPS, TCP, IPC and MSMQ. All communication on the channel is encrypted by these protocols. It is the simplest way of achieving transfer security, and the most performant option. Its main downside is that it can only guarantee transfer security point-to-point, meaning when the client connects directly to the service. Transport security is typically used only by intranet applications, where you have a more controlled environment.
  • Message Security: The message itself is encrypted. It provides privacy and mutual authentication. Encrypted messages can be transported over non-secure protocols such as HTTP. Message security provides end-to-end security, regardless of the number of intermediaries involved in transferring the message and regardless of whether or not the transport is secure. The downside of Message security is that it may introduce call latency due to its inherent overhead. Message security is typically used by Internet applications, where the call patterns are less chatty and the transport is not necessarily secure.
  • Mixed: Uses Transport Security for message integrity and privacy, and Message Security to secure the client’s credentials. Very rarely used.
  • Both: Transport Security + Message Security to provide more security.

How is Transfer Security mapped in WCF?

| WCF Binding | None | Transport Security | Message Security | Mixed | Both |
|---|---|---|---|---|---|
| basicHttpBinding | yes (default) | yes | yes | yes | No |
| netTcpBinding (TCP) | yes | yes (default) | yes | yes | No |
| netNamedPipeBinding (IPC) | yes | yes (default) | No | No | No |
| WSHttpBinding | yes | yes | yes (default) | No | No |
| NetMsmqBinding | yes | yes (default) | yes | No | yes |

Implementation in WCF

Transfer security is controlled by enums in .NET. The enum value can be passed to the binding's constructor. Only the transfer security modes valid for a binding are available in its enum; for example, netNamedPipeBinding supports only none and transport security, so only “None” and “Transport” are available as options.


public enum BasicHttpSecurityMode

Programmatic implementation in code:

BasicHttpBinding binding1 = new BasicHttpBinding(BasicHttpSecurityMode.Message);
BasicHttpBinding binding2 = new BasicHttpBinding();
binding2.Security.Mode = BasicHttpSecurityMode.Message;

Configuration in Config File:

  • SecurityMode: used in netTcpBinding and WSHttpBinding
public enum SecurityMode
TransportWithMessageCredential //Mixed

Programmatic implementation in code:

var productEndpoint = productHost.AddServiceEndpoint(typeof(IMarketDataProvider),
new NetTcpBinding(SecurityMode.Transport), "net.tcp://localhost:8000/MarketService");

NetNamedPipeSecurityMode: Used for the IPC binding (netNamedPipeBinding)

public enum NetNamedPipeSecurityMode

var bindingIPC = new NetNamedPipeBinding(NetNamedPipeSecurityMode.Transport);

NetMsmqSecurityMode: Used for the MSMQ binding

public enum NetMsmqSecurityMode
NetMsmqBinding Binding1 = new NetMsmqBinding(NetMsmqSecurityMode.Message);
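
Because each binding has a different default mode (basicHttpBinding defaults to None), it helps to check what a binding actually carries before a host is opened. The following is an added example, not code from the original post; the class and method names (TransferSecurityAudit, GetMode, Verdict) are hypothetical, and it assumes a .NET Framework project that references System.ServiceModel and compiles with C# 7 or later.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Added example: reads the transfer security mode a binding actually carries,
// so an endpoint left on a "None" default is caught before the host opens.
static class TransferSecurityAudit
{
    // Mode name for the five bindings covered in this post; null for anything else.
    public static string GetMode(Binding binding)
    {
        switch (binding)
        {
            case BasicHttpBinding b:    return b.Security.Mode.ToString();
            case WSHttpBinding b:       return b.Security.Mode.ToString();
            case NetTcpBinding b:       return b.Security.Mode.ToString();
            case NetNamedPipeBinding b: return b.Security.Mode.ToString();
            case NetMsmqBinding b:      return b.Security.Mode.ToString();
            default:                    return null;
        }
    }

    // "None" means no transfer security; unrecognised bindings need a manual look.
    public static string Verdict(string mode)
    {
        if (mode == null) return "REVIEW";
        return mode == "None" ? "UNPROTECTED" : "ok";
    }

    static void Main()
    {
        // Constructed sample: bindings as a host might register them.
        var bindings = new Dictionary<string, Binding>
        {
            ["basicHttp (default ctor)"] = new BasicHttpBinding(),
            ["basicHttp (Message)"] = new BasicHttpBinding(BasicHttpSecurityMode.Message),
            ["netTcp (default ctor)"] = new NetTcpBinding(),
            ["netNamedPipe (Transport)"] = new NetNamedPipeBinding(NetNamedPipeSecurityMode.Transport),
            ["wsHttp (default ctor)"] = new WSHttpBinding(),
        };
        foreach (var entry in bindings)
        {
            string mode = GetMode(entry.Value);
            Console.WriteLine($"{entry.Key,-26} {(mode ?? "?"),-32} {Verdict(mode)}");
        }
    }
}
```

In a real service the same check can be run over `host.Description.Endpoints`, passing each endpoint's `Binding` to `GetMode` before calling `Open()`.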


I’ll cover the implementation of the different types of authentication in the next post: Something about Security in WCF- II



  1. […] Implement windows authentication and security in wcf Service December 15, 2011 Neeraj Kaushik Leave a comment Go to comments This is continuation with previous post on “Security in WCF -I”. […]


  2. chavika says:

    Thank you very much neeraj!

