1
votes

I am new to WCF and looking for basic help. I heard that security can be given in WCF at two levels, that is, transport and message level.

I would like to know what transport level security and message level security mean, what the difference is between transport level security and message level security, and when which one is preferred.

How do I understand at which level security is given?

I got two config entries:

<bindings>
    <wsHttpBinding>
        <binding name="TransportSecurity">
            <security mode="Transport">
                <transport clientCredentialType="None"/>
            </security>
        </binding>
    </wsHttpBinding>
</bindings>

<bindings>
    <wsHttpBinding>
        <binding name="wsHttpEndpointBinding">
            <security>
                <message clientCredentialType="Certificate" />
            </security>
        </binding>
    </wsHttpBinding>
</bindings>

Just look at the above two config XML snippets and tell me why there is no word like message used, but there is a word called transport?

Sometimes mode is used for the security tag and sometimes nothing is used for the security tag. Can mode be message instead of transport?

Please help with discussion. Thanks.

1
I just do not understand what the above two XML configs are trying to do. - Thomas
The first sets the transport security for your HTTP to none, so it is not HTTPS. The second sets the message security ONLY to certificate authentication. So you would need to set the client certificate on your client credentials to allow you to communicate with the service. - dmportella

1 Answers

3
votes

In WCF the two security models you presented affect two different things: you can secure the transport (TCP or HTTP) or the message (the protocol).

Transport security depends on the binding selected but provides you the ability to secure your transport; in the case of wsHttpBinding you can use SSL. Transport security provides a limited selection of authentication like basic, certificate, digest, Windows, and NTLM, but there are more and they are entirely dependent on the transport.

Message security, on the other hand, provides you the ability to go full end-to-end security (with transport security), increased flexibility like securing only parts of a message, and it supports multiple transports and various credentials and claims.

There is also a third type of security mode called TransportWithMessageCredential which incorporates both.

Transport security has the following advantages:

  • Does not require that the communicating parties understand XML-level security concepts. This can improve the interoperability, for example, when HTTPS is used to secure the communication.
  • Generally improved performance.
  • Hardware accelerators are available.
  • Streaming is possible.

Transport security has the following disadvantages:

  • Hop-to-hop only.
  • Limited and inextensible set of credentials.
  • Transport-dependent.

Message security has the following disadvantages:

  • Performance.
  • Cannot use message streaming.
  • Requires implementation of XML-level security mechanisms and support for WS-Security specification. This might affect the interoperability.

My suggestion would be for you to visit the Developer Network security section for WCF.

There are numerous examples there and plenty of help online too.

I hope this explains things for you; if you need further details, just let us know.
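As an added illustration (not part of the question or this answer), here is the same wsHttpBinding written once per security mode with the mode attribute spelled out, which is what the question's second snippet leaves implicit. Binding names are made up.

```xml
<!-- Added example, not from the original post. Three wsHttpBinding
     configurations that differ only in the security mode attribute. -->
<bindings>
  <wsHttpBinding>
    <!-- Transport: HTTPS protects the channel hop-by-hop; the client
         authenticates at the transport layer, here with an X.509 certificate. -->
    <binding name="TransportSecurity">
      <security mode="Transport">
        <transport clientCredentialType="Certificate" />
      </security>
    </binding>

    <!-- Message: WS-Security signs and encrypts the SOAP message itself.
         Message is the wsHttpBinding default, so omitting mode="Message"
         (as the question's second snippet does) yields the same result. -->
    <binding name="MessageSecurity">
      <security mode="Message">
        <message clientCredentialType="Certificate" />
      </security>
    </binding>

    <!-- TransportWithMessageCredential: HTTPS protects the channel while
         the client credential (here a user name) travels inside the message. -->
    <binding name="MixedSecurity">
      <security mode="TransportWithMessageCredential">
        <transport clientCredentialType="None" />
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
```

To check which level is in effect, read the mode attribute: the child element (transport or message) only configures credentials for the mode that is selected, and a message element under mode="Transport" is ignored.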