WCF Security - A list of what I dont understand

Question

Hi Guys,

I'm going around in circles with regards to WCF and security so i'm just going to shove a load of questions here and hope someone can help me gain a clear picture.

1. Can someone please give me a plain English explanation of Transport vs Message level security.

2. I think I have a service running under SSL that will authenticate the user based upon their windows credentials. I also think I understand how to limit access to a service method via the PrincipalPermission. But how do I actually retrieve the current IPrinciple, so I can return different results dependent upon who's calling the service?

3. I have figured out how to turn tracing on and I can see my trace logs using "Microsoft Service Trace Log Viewer" but ill be damned if I can figure out what Im being displayed. Is there a decent resource explaining how to use this thing?

4. When using the "Certificate" clientCredentialType, is this somehting different to SSL?

5. When using the "Windows" clientCredentialType how can I see what windows user is being passed through?

6. My requirements mean I have to use basicHttpBindings - Am I correct in assuming:

   • I only have Transport level security available to me?
   • I can not implement custom username/password for this binding?

I know these questions may seem stupid, but any help with clarification would really help.

Thanks Chris.

EDIT:

1. How can I add custom SOAP headers to my service in a similar manor to .asmx services? Is this a valid approach?

EDIT:

Further to the above questions I would like to know if it is possible to authenticate a windows mobile device based upon its windows user by checking against Active Directory. For all that I have found so far it seems unlikely.

N.B. For those who do not know whats available for windows CE's version of WCF its: Transport level security only, and either none/certificate for the Client Credential Type. So it seems that CE's WCF wont allow this by default but could I securely send this information in the message (via the method signature) and would this be an acceptable way of sending this kind of information?

Answer 1

I don't know all answers but here are the ones I do know

1. transport security means the communication is encrypted while the message is transported so it can't be read and or tampered with. Message security means the contents of the message itself is encrypted the transport however isn't necessarily. Message security can for instance be used with HTTP while transport security would require the use of HTTPS (or other bindings).
2. IPrincipal principal = Thread.CurrentPrincipal;
3. no answer
4. Yes, although SSL itself uses certificates it's not the same. You can have the client send a certificate which is known to the service or which is signed by a trusted authority to that the service knows who the client is and whether to allow them to make the call or not. Using SSL will only ensure that third parties can't read the communication between the client and the services by intercepting the network packages.
5. IPrincipal principal = Thread.CurrentPrincipal; principal.Identity.Name;
6. No.
   • You have None, Transport, Message and Mixed security as your options however Transport security will require calling the endpoint using HTTPS since thats the secured version of the protocol
   • EDIT: Check out the discussion at this forum.

And the questions certainly aren't stupid.

P.S. I can recommend the book programming WCF services by Juval Lowy it's really in depth and comes with a really useful framework extending WCF/Simplifying certain things.

Answer 2

Check out WCF Security Guidance. If you need more information, you should be able to find it all there, its quite complete. Though it looks like @olle gave a pretty complete answer....