If we use TransportWithMessageCredentials mode, is the SOAP message (Header and Body) encrypted?
Yes, since with TransportWithMessageCredential security mode it is transport security which is providing confidentiality and integrity protection for the messages that are transmitted over the wire. Transport security also provides service authentication in this case. For example, with HTTP, Secure Sockets Layer (SSL) is used for encrypting and signing the contents of the packets sent over Secure HTTP (HTTPS).
With TransportWithMessageCredential security mode, client authentication is provided by means of SOAP message security where the client credential is put directly in the message.
When the SOAP message leaves the client for the service it is encrypted. However, as with transport security it provides point-to-point (not end-to-end) security between the two endpoints (service and client). So if there are intermediary systems between the client and the service, each intermediate point must forward the message over a new secure connection.
Update Per Comments
You said "When the SOAP message leaves the client for the service it is encrypted". Then it should be end-to-end security. Why is it only point-to-point?
Transport security is point-to-point because a message is encrypted when it leaves one endpoint and remains so until it reaches the other endpoint of the secure transport where the message is then decrypted. In deployments where the client and server are talking directly to each other, then this provides encryption the whole way through. However, if your service endpoint is going to forward that message onto the intended recipient, then your message is no longer guaranteed to be encrypted from that point onward.
Message security directly encrypts and signs the message so that only the intended recipient can decrypt and read the actual contents of the message. Therefore security is guaranteed between sender and recipient and not just between endpoints. Therefore, message security provides end-to-end security.
Can I conclude that TransportWithMessageCredential provides point-to-point security and message-level security provides end-to-end security? Then why is the WCF Security Guide suggesting to use TransportWithMessageCredential with UserName when we are using WCF with a Windows Forms client on the internet?
Yes, that is correct. TransportWithMessageCredential security provides point-to-point and Message security provides end-to-end security. The WCF Security Guide is suggesting to set the client credential to UserName because this will be used to authenticate the client. In the UserName case, we have the username and password pair being put directly in the SOAP message. Unless the client provides some sort of credential such as a UserName or Certificate to authenticate themselves to the service, you will have an anonymous client. An anonymous client means that anyone can access your service since the client is not being authenticated.
If the message body is not encrypted with TransportWithMessageCredential, then why does Microsoft say TransportWithMessageCredential is a combination of both Transport and Message security?
As with my original answer: The SOAP messages are encrypted and signed by the transport layer (e.g. HTTPS). TransportWithMessageCredential is a combination of both transport and message security since transport security encrypts and signs the messages as well as authenticates the service to the client, and message security is used to authenticate the client to the service.
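
The two modes compared above, written side by side as a WCF wsHttpBinding service configuration. This is an added example, not part of the original answer; the binding and behavior names, the Example.* types, the certificate subject and the addresses are placeholders.

```xml
<!-- Added illustration: every name="..." value, the Example.* types, the
     certificate subject and the addresses are placeholders. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- HTTPS encrypts and signs the whole SOAP envelope and authenticates
           the service; the UserName token in the SOAP header authenticates
           the client. Protection is point-to-point (per secure connection). -->
      <binding name="transportWithUserName">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
      <!-- SOAP message security encrypts and signs the message itself, so it
           stays protected between sender and recipient (end-to-end). -->
      <binding name="messageWithUserName">
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service name="Example.OrderService" behaviorConfiguration="userNameAuth">
      <!-- TransportWithMessageCredential requires an https:// address. -->
      <endpoint address="https://service.example.com/orders/secure"
                binding="wsHttpBinding" bindingConfiguration="transportWithUserName"
                contract="Example.IOrderService" />
      <endpoint address="http://service.example.com/orders/message"
                binding="wsHttpBinding" bindingConfiguration="messageWithUserName"
                contract="Example.IOrderService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="userNameAuth">
        <serviceCredentials>
          <!-- Message mode uses the service certificate to encrypt the
               message and protect the UserName token inside it. -->
          <serviceCertificate findValue="service.example.com"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindBySubjectName" />
          <userNameAuthentication userNamePasswordValidationMode="Custom"
              customUserNamePasswordValidatorType="Example.OrderValidator, Example" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```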