WCF Security Overview

Before looking at specific application scenarios, you should understand how to approach securing your WCF services. Both bindings and behaviors influence aspects of security related to authentication, authorization, and message protection (also called transfer security). Many of the security settings are exposed as part of a service security policy that can be consumed by clients. The sections to follow will introduce you to security policy and explain the fundamental security features of WCF that influence that policy.

Security Policy

Security requirements for a WCF service must be well-defined so that client applications can respect the policy and provide the required credentials and message protection expected by the service, and so that services can process incoming messages and handle credentials according to consistent requirements. These requirements collectively comprise the security policy for a service.

Security policy is defined primarily by the bindings used for each service endpoint. For example, bindings define the type of credentials expected for authentication and authorization and over what protocol those credentials should be provided. Bindings also identify advanced requirements for negotiating service credentials, secure sessions, and signing and encryption algorithms—things I’ll be discussing later. Behaviors describe authentication and authorization policies that are followed when processing client credentials.
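The split between binding and behavior described above, shown as a configuration fragment. This is an added example, not taken from the book; the binding, behavior, service, contract, provider, and certificate names are hypothetical placeholders.

```xml
<!-- Added example. SecureWsHttp, SecureServiceBehavior, Example.OrderService,
     Example.IOrderService, ExampleMembershipProvider, ExampleRoleProvider and
     the certificate subject "example-service" are hypothetical names. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="SecureWsHttp">
        <!-- Binding: the policy a client must satisfy.
             mode                       = where protection is applied (SOAP message here)
             clientCredentialType       = what the caller must present
             negotiateServiceCredential = client obtains the service certificate during negotiation
             establishSecurityContext   = use a secure session
             algorithmSuite             = signing and encryption algorithms -->
        <security mode="Message">
          <message clientCredentialType="UserName"
                   negotiateServiceCredential="true"
                   establishSecurityContext="true"
                   algorithmSuite="Basic256Sha256" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="SecureServiceBehavior">
        <!-- Behavior: how the service processes the credentials it receives. -->
        <serviceCredentials>
          <!-- Certificate the service uses to identify itself and protect messages -->
          <serviceCertificate findValue="example-service"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindBySubjectName" />
          <!-- Authentication: validate user names against a membership provider -->
          <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
                                  membershipProviderName="ExampleMembershipProvider" />
        </serviceCredentials>
        <!-- Authorization: resolve roles for the authenticated caller -->
        <serviceAuthorization principalPermissionMode="UseAspNetRoles"
                              roleProviderName="ExampleRoleProvider" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="Example.OrderService" behaviorConfiguration="SecureServiceBehavior">
      <endpoint address="" binding="wsHttpBinding"
                bindingConfiguration="SecureWsHttp" contract="Example.IOrderService" />
    </service>
  </services>
</system.serviceModel>
```

The `<security>` element's requirements reach clients through the service's published policy, while the behavior settings stay local to the service host.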

As you might suspect, not all ...
