Transfer Security

Both authentication and authorization deal with two local aspects of security—how (and to what extent) to grant access to the caller once the message was received by the service. In this respect WCF services are not much different from traditional client-server classes. But both authentication and authorization are predicated on secure delivery of the message itself. The transfer of the message from the client to the service has to be secure, and without it, both authentication and authorization are moot. Transfer security has three essential aspects to it, and all three aspects must be enforced to provide for secure services. Message integrity deals with how to ensure the message itself was not tampered with en route from the client to the service. A malicious party or intermediary could in practice intercept the message and modify its content; for example, providing wrong account numbers in case of a transfer operation in a banking service. Message privacy deals with ensuring the confidentiality of message, so that no third party can even read the content of the message. Privacy complements integrity. Without it, even if the malicious party does not tamper with the message, it can still cause harm by gleaning sensitive information such as account numbers from the message. Finally, transfer security must provide for mutual authentication; that is, ensuring the client that only the proper service is able to read the context of the message—in other words, ...

Get Programming WCF Services now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.