4 May 2013

WCF Message-Level Security


WCF actually provides three modes for security. They are Transport, Message, and TransportWithMessageCredential. The third mode is actually a combination of the first two.

The main difference between transport and message security is that message security includes any necessary credentials and claims along with the message. Contrast this with transport security, which uses handshaking or external resources (such as AD DS) to verify the credentials associated with a message.

A number of benefits are associated with using message security. The biggest is that the message is self-contained, which allows a number of scenarios that are not possible using transport security. For example, transport security secures messages from endpoint to endpoint only: after the message has been received, it is no longer encrypted. Message security provides end-to-end encryption: even after a message has been received, it is still encrypted.

A second reason for considering message security over transport security is the ability to provide multiple levels of security: different parts of the message can be secured by using different encryption mechanisms. You can even apply different sets of credentials to encrypt different parts of the message. This enables a single message to have different audiences based on the credentials. Or, for example, you can send unencrypted the information that a router uses to deliver a message to the correct destination, without compromising the security of other parts of the body.
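A minimal sketch of per-part protection under Message mode, added here as an illustration and not taken from the book. The contract, type and member names and the endpoint address are hypothetical, and it assumes the .NET Framework `System.ServiceModel` assembly with the binding's default Windows client credentials.

```csharp
using System;
using System.Net.Security;   // ProtectionLevel
using System.ServiceModel;   // contracts, bindings, hosting

// Hypothetical request: one header an intermediary must read, one confidential body member.
[MessageContract]
public class OrderRequest
{
    // Signed only: a router can read the value, but tampering breaks the signature.
    [MessageHeader(ProtectionLevel = ProtectionLevel.Sign)]
    public string RoutingRegion;

    // Encrypted and signed: readable only by the final recipient.
    // WCF applies the highest level set on any body member to the whole body.
    [MessageBodyMember(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
    public string CardNumber;
}

[MessageContract]
public class OrderReply
{
    [MessageBodyMember(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
    public string ConfirmationId;
}

[ServiceContract]
public interface IOrderService
{
    // Operations that use message contracts take exactly one message-contract parameter.
    [OperationContract]
    OrderReply Submit(OrderRequest request);
}

public class OrderService : IOrderService
{
    public OrderReply Submit(OrderRequest request)
    {
        return new OrderReply { ConfirmationId = Guid.NewGuid().ToString("N") };
    }
}

public static class Program
{
    public static void Main()
    {
        // Message mode: WS-Security protects the SOAP message itself, so the transport is plain HTTP.
        var binding = new WSHttpBinding(SecurityMode.Message);
        using (var host = new ServiceHost(typeof(OrderService)))
        {
            host.AddServiceEndpoint(typeof(IOrderService), binding, "http://localhost:8080/orders");
            host.Open();
            Console.ReadLine();   // keep the host alive until Enter is pressed
        }
    }
}
```

Per-header `ProtectionLevel` values only take effect when the binding uses message security; under Transport mode the channel protects every part of the message uniformly.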

The underlying protocol that message security uses in WCF is WS-Security. This means that all the protocols WCF uses support message security out of the box and, unlike transport security, there is no dependence on any of the protocols for providing message security. Every WCF message is secured regardless of the protocol.
 
Notes taken from the book: MCTS Self-Paced Training Kit (Exam 70-503)
