Chapter 8. WCF Security in Action


  • Understanding authentication in WCF

  • Getting started with claim-based security

  • Authorizing service consumers in WCF

In the previous chapter we discussed fundamental aspects needed to choose the right security schema for your WCF services.

In this chapter, the focus is on applying those concepts in real scenarios, using examples that will guide you step by step. We also discuss alternatives that WCF provides for authenticating and authorizing clients when the client credentials reach the service, giving emphasis to the claims-based security model.


The right choice for your services' authentication schema is typically based on several factors, such as whether clients are located on the intranet or the Internet, how easily credentials can be deployed to the clients, and the number of potential clients that will consume the services.

As previously discussed, authentication in the context of WCF typically refers to mutual authentication.

Mutual authentication is a bidirectional process in which the clients and the services authenticate each other. This kind of authentication is extremely important for services exposed on the Internet: without it, an attacker might be able to spoof one of the services and intercept the client calls to get access to sensitive data.

The service credentials depend on the client authentication schema and the security mode you choose. Usually, if you use client authentication schemas such as username or certificate authentication ...
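The mutual authentication described above, expressed as a WCF configuration; this is an added example, not code from the book. It is a service-side App.config fragment in which the service proves its identity with an X.509 certificate and requires and validates a client certificate; the service name, contract, DNS identity and certificate store settings are assumptions.

```xml
<!-- Service-side App.config (constructed example): message security with
     certificate client credentials, so both sides present an X.509 certificate -->
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="MutualCertBinding">
          <!-- Message mode signs and encrypts at the SOAP level; every client
               must present a certificate and receives the service certificate -->
          <security mode="Message">
            <message clientCredentialType="Certificate"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="Example.OrderService" behaviorConfiguration="MutualCertBehavior">
        <endpoint address="" binding="wsHttpBinding"
                  bindingConfiguration="MutualCertBinding"
                  contract="Example.IOrderService">
          <!-- Identity the client checks against the service certificate's subject -->
          <identity>
            <dns value="orders.example.com"/>
          </identity>
        </endpoint>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="MutualCertBehavior">
          <serviceCredentials>
            <!-- Service credential: the certificate the service authenticates with
                 (subject name and store are assumed values) -->
            <serviceCertificate findValue="orders.example.com"
                                storeLocation="LocalMachine" storeName="My"
                                x509FindType="FindBySubjectName"/>
            <!-- How the service validates the client certificate: it must chain to a
                 trusted root and the revocation status is checked online -->
            <clientCertificate>
              <authentication certificateValidationMode="ChainTrust"
                              revocationMode="Online"/>
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

The client mirrors this with an endpoint behavior whose `<clientCredentials>` element selects the client certificate and, under `<serviceCertificate><authentication>`, sets the validation mode used for the service certificate; leaving that at `None` would silently disable the service side of the mutual check.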
