WCF Tutorial
www.Learn2Expert.net A new ASP.Net MVC 4, SSIS, Interview Q/A tutorial - Visit - www.Learn2Expert.net
Skip Navigation LinksHomeWCF SecurityTransfer Security Mode No of Views: 75252
WCF Tutorial | Transfer Security Mode

Transfer Security Mode

When we talk about the client server secured communication, we have consider the three aspects to transfer security

  1. Message integrity – it ensures that message used in communication is not tampered by any malicious party.
  2. Message privacy – It ensures confidentiality of the msessage so that no third part can even read the message.
  3. Transfer security – it ensures that only authenticated user can able to read the content of the message.

WCF supports five different modes of transfer security to accomplish above three aspects.

No transfer security mode:

This ensure that no security is applied while communication between server and client

    <wsHttpBinding >
       <binding name="WCFSecurityExample">
         <security mode="None"/>
       </binding>
    </wsHttpBinding>
Transport security mode:

When system is configured with ‘Transport’ mode, WCF uses secured communication protocol. The available secure transports are HTTPS, TCP, IPC and MSMQ. Transport security encrypts all communication on the channel and provides integrity, privacy and mutual authentication. It provides point-to-point security.

One of main disadvantage is that it can only guarantee transfer security point-to-point, meaning it secure only at channel level. Message inside the channel will not get secured. In case of distributed communication, multiple intermediaries between service and client will not be secure.

It is mainly used in intranet application

    <wsHttpBinding >
      <binding name="WCFSecurityExample">
         <security mode="Transport"/>
      </binding>
    </wsHttpBinding>
Message security mode:

In this mode of configuration, message will get encrypted. Encrypting the message rather than transport enables the service to communicate securely over non secure transport such as HTTP. It provides end-to-end security.

One of the disadvantages of message security is that it may introduce call latency due to its inherent overhead.

It is mainly used in internet application.

  <wsHttpBinding >
    <binding name="WCFSecurityExample">
         <security mode="Message"/>
    </binding>
  </wsHttpBinding>
Mixed transfer security mode:

It uses Transport security for message integrity, privacy and service authentication and it uses Message security for securing client credential.

One of disadvantage of the mixed mode is that it will secure only point-to-point as nature of Transport security.

    <wsHttpBinding >
      <binding name="WCFSecurityExample">
         <security mode="TransportWithMessageCredential"/>
      </binding>
    </wsHttpBinding>
Both security modes:

This mode Both transfer security mode uses both Transport security and Message security. So message is secured using Message security and then it is transferred to the service using secure transport. This mode will maximize the security but overload the performance.

    <netMsmqBinding >
      <binding name="WCFSecurityExample">
         <security mode="Both"/>
      </binding>
    </netMsmqBinding>
Name None Transport Message Mixed Both
BasicHttpBinding Yes(default) Yes Yes Yes No
NetTcpBinding Yes Yes(default) Yes Yes No
NetNamedPipeBinding Yes Yes(default) No No No
WsHttpBinding Yes Yes Yes(default) Yes No
WsDualHttpBinding Yes No Yes(default) No No
NetMsmqHttpBinding Yes Yes Yes(default) No Yes

Tips!

  • Always create the service with Interface->Implementation format, mention the contract in Interface.
  • Define the service in Class library and refer the class library in Host project. Don’t use service class in host project.
  • Change the instance mode to per call as default.
  • Always catch exception using try/catch block and throw exception using FaultException < T >.
  • Logging and Include exception should be enable while compiling the project in debug mode. While in production deployment disable the logging and Include exception details.