Transfer Security
Both authentication and authorization deal with two local aspects of security—if (and to what extent) to grant access to the caller once the service has received the message. In this respect, WCF services are not much different from traditional client/server classes. However, both authentication and authorization are predicated on secure delivery of the message itself. The transfer of the message from the client to the service has to be secure, or both authentication and authorization are moot. There are three essential aspects to transfer security, and all three aspects must be enforced to provide for secure services. Message integrity deals with how to ensure that the message itself is not tampered with en route from the client to the service. A malicious party or intermediary could, in practice, intercept the message and modify its content; for example, altering the account numbers in the case of a transfer operation in a banking service. Message privacy deals with ensuring the confidentiality of the message, so that no third party can even read the contents of the message. Privacy complements integrity. Without it, even if the malicious party does not tamper with the message, that party can still cause harm by gleaning sensitive information (again, such as account numbers) from the message content. Finally, transfer security must provide for mutual authentication, which deals with assuring the client that only the proper service is able to read the content ...
Get Programming WCF Services, 3rd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.