SO Vigilante

Reputation: 43

What is the best way to secure a WCF service?

What is the best way to secure a WCF service? Should I add a header to service calls and have a message inspector on the client that verifies the header?

I need to make sure that the person provides the correct user name and password to use the service and that everything is encrypted. It is over the internet and will be using HTTP binding.

Upvotes: 3

Views: 4268

Answers (3)

paparazzo

Reputation: 45096

If you are limited to HTTP then it will take a performance hit but be more portable.
But I think you can encrypt and secure over HTTP with WS-Security.

Transport and Message Security Modes

Two main mechanisms are used to implement transfer security in WCF: transport security mode and message security mode.

Transport security mode uses a transport-level protocol, such as HTTPS, to achieve transfer security. Transport mode has the advantage of being widely adopted, available on many platforms, and less computationally complex. However, it has the disadvantage of securing messages only from point-to-point.

Message security mode, on the other hand, uses WS-Security (and other specifications) to implement transfer security. Because the message security is applied directly to the SOAP messages and is contained inside the SOAP envelopes, together with the application data, it has the advantage of being transport protocol-independent, more extensible, and ensuring end-to-end security (versus point-to-point); it has the disadvantage of being several times slower than transport security mode because it has to deal with the XML nature of the SOAP messages.

Selecting a Credential Type

How to: Authenticate with a User Name and Password

Upvotes: 1

Garrett Vlieger

Reputation: 9494

You should take a look at this MSDN article, which sums up the options.

Much like a typical web application, you have several ways to secure the site:

  1. Transport security (SSL)
  2. Message security (message security header)
  3. Transport with message credentials (combined)

The answer depends on what level of security you need to use for your application. In many cases, transport security may suffice.

Upvotes: 2
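
Added example, not part of any answer in this thread: a service-side `system.serviceModel` section for option 3 (transport with message credentials), which matches the question's requirement of a user name and password plus encryption. The `Example.Services.*` type, contract and assembly names are hypothetical placeholders, and the validator is assumed to be a class deriving from `System.IdentityModel.Selectors.UserNamePasswordValidator`.

```xml
<!-- Added example; all Example.Services.* names are hypothetical placeholders. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="secureUserName">
        <!-- HTTPS encrypts the channel; the user name and password travel
             as a UserName token in the WS-Security header of each message.
             By contrast, basicHttpBinding defaults to security mode="None",
             which sends both the SOAP body and any credentials in clear text. -->
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="secureBehavior">
        <serviceCredentials>
          <!-- Custom mode hands every user name/password pair to the named
               validator class instead of checking Windows accounts. -->
          <userNameAuthentication
              userNamePasswordValidationMode="Custom"
              customUserNamePasswordValidatorType="Example.Services.CredentialValidator, Example.Services" />
        </serviceCredentials>
        <!-- Do not publish metadata or exception details on an
             internet-facing endpoint. -->
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="Example.Services.OrderService"
             behaviorConfiguration="secureBehavior">
      <!-- The base address must use https://; WCF rejects an http:// address
           for a binding in TransportWithMessageCredential mode. -->
      <endpoint address=""
                binding="wsHttpBinding"
                bindingConfiguration="secureUserName"
                contract="Example.Services.IOrderService" />
    </service>
  </services>
</system.serviceModel>
```

The client uses the same binding settings and supplies the credentials through `ClientCredentials.UserName.UserName` and `ClientCredentials.UserName.Password` on its proxy before the first call.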

HackyStack

Reputation: 5157

That depends on what you mean by "secure". You can start with SSL (https), and progress to authentication techniques if you want to authenticate clients. You really need to elaborate on your goals...

Upvotes: 2
