11.07.2015 Views

y - Net Developer


CHAPTER 7 ■ IMPLEMENTING WCF SECURITY

Unfortunately, the transport security also terminates at the destination SSL gateway. The messages will be exposed to malicious intruders as soon as the messages exit the destination’s SSL gateway. This may not be the actual hosting web server. Many companies implement SSL accelerators on proxy servers in their DMZ. This leaves the message’s subject open to possible hijacking in the network between their accelerators and their servers. However, this is a common and proven security feature that the industry has utilized successfully (provided the destination organization takes steps to secure the messages as soon as the messages enter their organization).

The second option is to implement credentials at the message level, where the credentials are embedded in the message. No credentials are transported at the transport layer. The message will not be exposed to malicious hackers until the receiver can decrypt the message using a special key known to the receiver. However, this method is slower than the transport-level credentials because of the extra encryption applied to the messages. The message size will also be larger than the transport-level messages. The first message between the sender and receiver initiates the authentication and authorization between the two entities. The subsequent messages will have an optimized token to replace the complete credential set to counter the slow response times. This mechanism attempts to reduce the message size and increase the speed of the communication. The credentials of the service and client are specified in the binding information. You can have the following options as the credential types in WCF:

None: No security is provided via the transport level or messaging level. BasicHttpBinding uses this mode by default. The other bindings do not use it. (In other words, their security mode needs to be specified explicitly.)

Transport: This uses transport-level security (that is, SSL).

Message: This uses SOAP messages to provide authentication, authorization, integrity, and confidentiality. These SOAP messages are WS-Security compliant.

Mixed mode: This uses both transport-level and message-level security. Confidentiality and integrity are delivered by the transport layer. Authentication and authorization are provided by the message level.

Both: This is available only in the NetMsmqBinding binding. This provides authentication at both the message level and the transport level.

Binding Support for Credentials

Table 7-1 lists the most common bindings and whether they support transport, message, or mixed modes.

Table 7-1. Binding Support for Credential Types

Binding            Transport Mode?  Message Mode?  Mixed Mode?
BasicHttpBinding   Yes              Yes            Yes
WSHttpBinding      Yes              Yes            Yes
WSDualHttpBinding  No               Yes            No
NetTcpBinding      Yes              Yes            Yes
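
The credential types above, set in code on bindings from Table 7-1 and then checked by asking each binding what protection it reports. This is an added example, not code from the book; it assumes a .NET Framework project referencing System.ServiceModel, and it uses the WCF enum value TransportWithMessageCredential for what the text calls mixed mode and EstablishSecurityContext as the setting behind the "optimized token".

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

static class BindingSecurityModes
{
    // Ask the binding stack what it actually protects instead of
    // trusting the mode name alone. Useful as a pre-deployment check.
    static void Report(string label, Binding binding)
    {
        var caps = binding.GetProperty<ISecurityCapabilities>(new BindingParameterCollection());
        Console.WriteLine(caps == null
            ? label + ": no security capabilities reported"
            : string.Format("{0}: request={1}, response={2}, serverAuth={3}, clientAuth={4}",
                label,
                caps.SupportedRequestProtectionLevel,
                caps.SupportedResponseProtectionLevel,
                caps.SupportsServerAuthentication,
                caps.SupportsClientAuthentication));
    }

    static void Main()
    {
        // None: what BasicHttpBinding gives you when no mode is specified.
        var none = new BasicHttpBinding();
        Report("BasicHttpBinding, default mode " + none.Security.Mode, none);

        // Transport: SSL protects the hop and ends where SSL is terminated.
        Report("BasicHttpBinding, Transport",
               new BasicHttpBinding(BasicHttpSecurityMode.Transport));

        // Message: WS-Security inside the SOAP message, sender to receiver.
        var message = new WSHttpBinding(SecurityMode.Message);
        message.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        // Negotiate once, then send a session token instead of full credentials.
        message.Security.Message.EstablishSecurityContext = true;
        Report("WSHttpBinding, Message", message);

        // Mixed: SSL for confidentiality and integrity, credentials in the message.
        var mixed = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        mixed.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        Report("WSHttpBinding, mixed", mixed);

        // WSDualHttpBinding supports message mode only (see Table 7-1).
        Report("WSDualHttpBinding, Message",
               new WSDualHttpBinding(WSDualHttpSecurityMode.Message));
    }
}
```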
