6 steps to implement DUAL security on WCF using User name + SSL




Introduction and Goal

Basics Transport and Message level security

Step 1:- Customize ‘WsHttp’ Bindings with security mode and credential type

Step 2:- Create your custom validator class

Step 3:- Define runtime behavior

Step 4:- Define SSL for your WCF service

Step 5:- Consume WCF Service

Step 6:- Run your WCF service

Source code


Introduction and Goal


In this article we will apply dual security, transport plus message, to WCF
services. We will first cover the basic concepts of WCF security, i.e. transport
and message level security. Once the concepts are clear, we will move step by
step through implementing SSL and user name security on WCF services.







Basics Transport and Message level security



Broadly, WCF supports two kinds of security: transport level and message level
security. Transport means the medium over which WCF data travels, while message
means the actual data packets sent by WCF.



The transport medium can be a protocol like TCP, HTTP, MSMQ etc. These transport
mediums provide security features of their own; for example, HTTP can have SSL
security (HTTPS). WCF can leverage the underlying transport security features on
WCF service calls.



Message level security is provided in the data itself using WS-Security. In
other words, it is independent of the transport protocol. Some examples of
message level security are messages encrypted using an encryption algorithm,
messages encrypted using an X509 certificate, and messages protected using a
username.



WCF gives you the option of using message level security on its own, transport
level security on its own, or a combination of both. If you are
interested in how to do message level security and transport security in a
standalone manner .




The best security is the combination of transport and message security. In this
article we will see step by step how to implement dual security with
‘WsHttpBinding’, using ‘SSL’ for transport security plus ‘Username’ for message
security.






Step 1:- Customize ‘WsHttp’ Bindings with security mode and credential type



The first step is to customize your ‘WsHttp’ binding with the proper security
mode and credential type. There are three options for the security mode:
‘Transport’, ‘Message’ and ‘TransportWithMessageCredential’.



As we are implementing dual security, we need to use the last one, i.e.
‘TransportWithMessageCredential’, where the transport security is provided by
SSL and the message security is provided using ‘UserName and password’.




The second thing we need to provide is the credential type. There are five
different credential types: none, windows, username, certificate and issued
token. The credential type defines how the credentials will be passed over the
transport layer. For the current instance we will select ‘UserName’.



To sum up, we will set the security mode to ‘TransportWithMessageCredential’,
and message security will be provided by ‘UserName’.



So create a WCF service using the WCF service template, and in ‘web.config’
provide the security mode and credential type as shown in the code snippet
below.


<bindings>
  <wsHttpBinding>
    <binding name="Binding1">
      <!-- UsernameToken over Transport Security -->
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName"/>
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
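The following check is an added example, not part of the original article or its source code: it reads a web.config and reports, for each ‘wsHttpBinding’ endpoint, whether it actually receives the ‘TransportWithMessageCredential’ plus ‘UserName’ settings from Step 1. The service, contract and endpoint names in the sample are hypothetical; the fallback values are the wsHttpBinding defaults (Message mode, Windows credential).

```python
import xml.etree.ElementTree as ET

# Constructed sample; the service, contract and "legacy" endpoint names are hypothetical.
SAMPLE_CONFIG = """
<system.serviceModel>
  <services>
    <service name="Demo.Service1">
      <endpoint address="" binding="wsHttpBinding"
                bindingConfiguration="Binding1" contract="Demo.IService1"/>
      <endpoint address="legacy" binding="wsHttpBinding" contract="Demo.IService1"/>
    </service>
  </services>
  <bindings>
    <wsHttpBinding>
      <binding name="Binding1">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName"/>
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
</system.serviceModel>
"""

DEFAULTS = ("Message", "Windows")  # wsHttpBinding defaults when nothing is configured

def binding_settings(root):
    """Map wsHttpBinding configuration name -> (security mode, message credential type)."""
    found = {}
    for b in root.iterfind(".//bindings/wsHttpBinding/binding"):
        sec = b.find("security")
        msg = sec.find("message") if sec is not None else None
        mode = sec.get("mode", DEFAULTS[0]) if sec is not None else DEFAULTS[0]
        cred = msg.get("clientCredentialType", DEFAULTS[1]) if msg is not None else DEFAULTS[1]
        found[b.get("name", "")] = (mode, cred)
    return found

def audit(config_xml):
    """Return (service, address, verdict) for every wsHttpBinding endpoint."""
    root = ET.fromstring(config_xml)
    bindings = binding_settings(root)
    report = []
    for svc in root.iterfind(".//services/service"):
        for ep in svc.iterfind("endpoint[@binding='wsHttpBinding']"):
            mode, cred = bindings.get(ep.get("bindingConfiguration", ""), DEFAULTS)
            ok = (mode, cred) == ("TransportWithMessageCredential", "UserName")
            verdict = "dual" if ok else f"not dual (mode={mode}, credential={cred})"
            report.append((svc.get("name"), ep.get("address", ""), verdict))
    return report
```

An endpoint that omits ‘bindingConfiguration’ does not pick up ‘Binding1’, which is why the second sample endpoint is reported as not dual.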


Attachments

  • Source Code (38470-22626-WCFWithUserNameHttp.zip)