Chapter 10. Security
There are several aspects pertaining to secure interaction between a client and a service. As in traditional client/server and component-oriented applications, the service needs to authenticate its callers and often also authorize the callers before executing sensitive operations. In addition, regardless of the technology, when securing a service (and its clients) as in any distributed system, you need to secure the messages while they are en route from the client to the service. Once the messages arrive securely and are authenticated and authorized, the service has a number of options regarding the identity it uses to execute the operation.

This chapter will explore these classic security aspects—authentication, authorization, transfer security, and identity management—as well as something more abstract, which I call overall security policy: that is, your own personal and your company’s (or customer’s) approach to and mindset regarding security.

This chapter starts by defining the various aspects of security in the context of WCF and the options available to developers when it comes to utilizing WCF and .NET security. Then, it explains how to secure the canonical and prevailing types of applications. Finally, I will present my declarative security framework, which vastly reduces the complexity of the WCF security programming model by eliminating the need to understand and tweak the many details of WCF security.