My WCF service uses wsHttpBinding configured with:

<security mode="TransportWithMessageCredential">
    <message establishSecurityContext="True" clientCredentialType="UserName"/>
    <transport clientCredentialType="None" proxyCredentialType="None"/>
</security>

One of our partners is trying to invoke our services using the Java Metro library. They have this problem. I have to set establishSecurityContext="False" for this to work. We did a quick test, and it does indeed work when I set it to false.

What would be the impacts of not using secure sessions (by setting establishSecurityContext="False")? I'm already running on https. So will I be OK in terms of security? And are there other impacts to consider (performance maybe)?

Thanks

+1  A: 

The difference is that on a non-SCT (security context token) enabled endpoint, key exchange and validation must be done per call, as opposed to being done once and cached for the session, with only an SCT passed around in the messages instead. SCTs are based on a symmetric key, which makes them much more efficient for signing/encrypting the message. The use of SCTs is very good when the client is expected to make many calls in succession because it alleviates the need to do the exchange and validation of a one-off key every time.

What I would recommend is that you just expose another endpoint for clients that don't support SCTs and tell them to use that. Clients that can use SCTs you keep pointed at the default endpoint, where they keep all the benefits that come with it.

For more on the subject, check out section three of the WS-SecureConversation documentation.

Drew Marsh
excellent recommendation on using a separate endpoint - allows each client type to use the "best" endpoint for them!
marc_s
Hi Drew, thank you for your answer.
Sly
Drew, my clients open and close their channel on each service call. Even if I have secure sessions enabled; they don't get the benefits of that. Is that correct?
Sly
That's right. If you close, you terminate the session and would lose any benefit. Like I said, it's best if you're pooling the clients yourself or are making multiple calls in succession. Also, I didn't point it out, but keep in mind that using SCTs means that you are using sessions on the server side so keep that in mind. For example, the default value for maxConcurrentSessions is 10.
Drew Marsh
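As an added illustration of the separate-endpoint approach recommended above (this is example configuration, not taken from the question or the answer), the service can expose the same contract twice under two wsHttpBinding configurations: the default endpoint keeps secure sessions, and a second endpoint disables them for clients such as the Metro-based partner. The service and contract names, the relative address "nosession", and the throttling value are placeholders.

```xml
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Default binding: secure session established once, SCT reused per call -->
      <binding name="SecureSessionBinding">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" establishSecurityContext="true"/>
          <transport clientCredentialType="None" proxyCredentialType="None"/>
        </security>
      </binding>
      <!-- Binding for clients that cannot negotiate an SCT: credentials validated per call -->
      <binding name="NoSecureSessionBinding">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" establishSecurityContext="false"/>
          <transport clientCredentialType="None" proxyCredentialType="None"/>
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <!-- Placeholder names: replace with the real service and contract types -->
    <service name="Example.MyService" behaviorConfiguration="SessionThrottle">
      <!-- Default endpoint at the base address: SCT-capable clients stay here -->
      <endpoint address="" binding="wsHttpBinding"
                bindingConfiguration="SecureSessionBinding"
                contract="Example.IMyService"/>
      <!-- Second endpoint for clients without SCT support (e.g. Metro) -->
      <endpoint address="nosession" binding="wsHttpBinding"
                bindingConfiguration="NoSecureSessionBinding"
                contract="Example.IMyService"/>
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="SessionThrottle">
        <!-- Secure sessions consume server-side sessions, so the session
             throttle applies to the SecureSessionBinding endpoint only;
             the placeholder value below is an assumption, not a recommendation -->
        <serviceThrottling maxConcurrentSessions="50"/>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

Both endpoints still run over HTTPS, so the transport is protected either way; the difference is only whether the message-level credential is validated once per session or on every call.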