I am quite confused about security in WCF; here is a brief summary:

When setting the security mode to TransportWithMessageCredential, the transport determines the actual mechanism that provides the transport-level security. For HTTP, the mechanism is Secure Sockets Layer (SSL) over HTTP (HTTPS); for TCP, it is SSL over TCP or Windows.

If the transport is HTTP (using the WSHttpBinding), SSL over HTTP provides the transport-level security. In that case, you must configure the computer hosting the service with an SSL certificate bound to a port, as shown later in this topic.

If the transport is TCP (using the NetTcpBinding), by default the transport-level security provided is Windows security, or SSL over TCP. When using SSL over TCP, you must specify the certificate using the SetCertificate method, as shown later in this topic.
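The two cases above in code, as an added example that is not part of the original post or the MSDN topic it quotes. The `IEcho` contract, `EchoService` class, ports, and the certificate subject name `localhost` are assumptions made for illustration; it targets .NET Framework with a reference to System.ServiceModel.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

[ServiceContract]
public interface IEcho              // hypothetical contract
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEcho    // hypothetical implementation
{
    public string Echo(string text) { return text; }
}

public static class Program
{
    public static void Main()
    {
        var host = new ServiceHost(typeof(EchoService));

        // HTTP: HTTPS secures the channel, the client credential travels in the
        // SOAP message. The SSL certificate must already be bound to the port
        // on the hosting machine; WCF does not do that binding here.
        var ws = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        ws.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        host.AddServiceEndpoint(typeof(IEcho), ws, "https://localhost:8443/echo");

        // TCP: SSL over TCP secures the channel, so the service certificate
        // has to be supplied in code (or config) with SetCertificate.
        var tcp = new NetTcpBinding(SecurityMode.TransportWithMessageCredential);
        tcp.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        host.AddServiceEndpoint(typeof(IEcho), tcp, "net.tcp://localhost:8523/echo");

        // Assumed: a certificate with subject name "localhost" is installed
        // in the LocalMachine\My store.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "localhost");

        host.Open();
        Console.WriteLine("Service running. Press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

With the UserName credential type and no custom validator, WCF validates the supplied user name and password against Windows accounts.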

As for the difference between BasicHttpBinding and WSHttpBinding:
If we want to summarize in one sentence, the difference between WSHttpBinding and BasicHttpBinding is that WSHttpBinding supports the WS-* specifications. WS-* specifications are nothing but standards to extend web service capabilities.

One of the biggest differences you must have noticed is the security aspect. By default, BasicHttpBinding sends data in plain text, while WSHttpBinding sends it in an encrypted and secured manner. To demonstrate this, let's make two services, one using BasicHttpBinding and the other using WSHttpBinding, and then look at the security aspect in more detail.

Windows Communication Foundation (WCF) has two major modes for providing security (Transport and Message) and a third mode (TransportWithMessageCredential) that combines the two.

Message security (End-to-end security) uses the WS-Security specification to secure messages. The specification describes enhancements to SOAP messaging to ensure confidentiality, integrity, and authentication at the SOAP message level (instead of the transport level).

In brief, message security differs from transport security by encapsulating the security credentials and claims with every message along with any message protection (signing or encryption). Applying the security directly to the message by modifying its content allows the secured message to be self-containing with respect to the security aspects. This enables some scenarios that are not possible when transport security is used.

NetNamedPipeBinding is optimized for on-machine communication.

Reference:
http://msdn.microsoft.com/en-us/library/ms733137.aspx

http://msdn.microsoft.com/en-us/library/ms789011.aspx