Chapter 8. WCF Security in Action
WHAT'S IN THIS CHAPTER?
Understanding authentication in WCF
Getting started with claim-based security
Authorizing service consumers in WCF
In the previous chapter we discussed fundamental aspects needed to choose the right security schema for your WCF services.
In this chapter, the focus is on applying those concepts in real scenarios, using examples that will guide you step by step. We also discuss the alternatives that WCF provides for authenticating and authorizing clients once the client credentials reach the service, with emphasis on the claims-based security model.
FIRST STEPS IN AUTHENTICATION
The right choice of authentication schema for your services is typically driven by several factors, such as whether the clients are on the intranet or the Internet, how easily credentials can be deployed to the clients, and the number of potential clients that will consume the services.
As previously discussed, authentication in the context of WCF typically refers to mutual authentication.
Mutual authentication is a bidirectional process in which the clients and the services authenticate each other. This kind of authentication is extremely important for services exposed on the Internet: without it, an attacker might be able to spoof one of the services and intercept the client calls to gain access to sensitive data.
The service credentials depend on the client authentication schema and the security mode you choose. Usually, if you use client authentication schemas such as username or certificate authentication ...
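A self-hosted configuration of the mutual authentication described above, added here as an example (not code from the book): message security in which the client presents a username token and the service presents an X.509 certificate, with the client checking that certificate's chain and DNS identity. The service address, the certificate subject name and the validator's credential check are assumptions.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract] public interface IOrderService { [OperationContract] string GetStatus(int orderId); }
public class OrderService : IOrderService { public string GetStatus(int orderId) => "Pending"; }

// Service-side check of the client's username token; the credential store is assumed.
public class DemoValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName != "alice" || password != "correct horse battery")
            throw new SecurityTokenException("Unknown username or incorrect password.");
    }
}

class Program
{
    static void Main()
    {
        // Message security: client sends a username token, service proves itself with an X.509 certificate.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        var address = new Uri("http://localhost:8000/orders");   // assumed address
        var host = new ServiceHost(typeof(OrderService), address);
        host.AddServiceEndpoint(typeof(IOrderService), binding, "");

        // Service credential: a certificate from LocalMachine\My (subject name assumed).
        host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
            StoreName.My, X509FindType.FindBySubjectName, "orders.example.com");
        // Client credential: route incoming username tokens to the custom validator above.
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new DemoValidator();
        host.Open();

        // Client side: send the username token and accept only a service certificate that
        // chains to a trusted root and matches the expected DNS identity.
        var factory = new ChannelFactory<IOrderService>(binding,
            new EndpointAddress(address, EndpointIdentity.CreateDnsIdentity("orders.example.com")));
        factory.Credentials.UserName.UserName = "alice";
        factory.Credentials.UserName.Password = "correct horse battery";
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        Console.WriteLine(factory.CreateChannel().GetStatus(42));
    }
}
```

If the service certificate does not chain to a root trusted by the client, or its subject does not match the DNS identity, the channel open fails before the username token is sent, which is the client-side half of the mutual check.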