When using WCF, you often need to configure security. The following explains how to configure it.
WCF has the following features for configuring security:
. Transfer security: responsible for providing message confidentiality, data integrity, and authentication of communicating parties.
. Authorization: responsible for providing a framework for making authorization decisions, i.e. whether a caller may access some parts of the service or not.
. Auditing: responsible for logging security-related events to the audit log.
WCF provides access to these features through bindings and behavior configuration.
Bindings: bindings control the security mode, client credential type, and other security settings.
Behaviors: service behaviors control impersonation levels, how client credentials are authenticated and authorized, and service credentials.
The following table summarizes the most commonly used bindings in WCF:
Binding            Common scenarios                             Default security settings
basicHttpBinding   Legacy web service protocols                 No security
netTcpBinding      Binary TCP communication between machines    Transport security with Windows authentication
wsHttpBinding      Leveraging security standards                Message security with Windows authentication
By default, every WCF binding provides transfer security and user authentication except basicHttpBinding. If necessary, you can change the security settings to suit your scenario's requirements.
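As an added example (not code from the original page), the following C# reads the default security settings of the three bindings in the table straight from the binding objects, and shows one way to change basicHttpBinding from no security to transport security with Windows credentials. It assumes a .NET Framework project that references System.ServiceModel.

```csharp
using System;
using System.ServiceModel;

public static class WcfBindingSecurity
{
    // Reads back the out-of-the-box security settings of the three bindings
    // from the table, straight from the binding objects.
    public static string[] Defaults()
    {
        var basic = new BasicHttpBinding();
        var tcp = new NetTcpBinding();
        var ws = new WSHttpBinding();
        return new[]
        {
            "basicHttpBinding: mode=" + basic.Security.Mode,
            "netTcpBinding: mode=" + tcp.Security.Mode
                + ", credentials=" + tcp.Security.Transport.ClientCredentialType,
            "wsHttpBinding: mode=" + ws.Security.Mode
                + ", credentials=" + ws.Security.Message.ClientCredentialType
        };
    }

    // basicHttpBinding ships with no security; this is one way to change it:
    // TLS on the transport (https) plus Windows authentication of the client.
    public static BasicHttpBinding HardenedBasicHttp()
    {
        var b = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        return b;
    }

    // Start-up check: a binding still in mode None sends credentials and
    // payloads in the clear, so a host should refuse to expose it.
    public static bool IsSecured(BasicHttpBinding b)
    {
        return b.Security.Mode != BasicHttpSecurityMode.None;
    }

    public static void Main()
    {
        foreach (var line in Defaults())
            Console.WriteLine(line);

        Console.WriteLine("default basicHttpBinding secured: " + IsSecured(new BasicHttpBinding()));
        Console.WriteLine("hardened basicHttpBinding secured: " + IsSecured(HardenedBasicHttp()));
    }
}
```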
netTcpBinding (transport security) advantages:
Using transport security means that communicating parties do not need to understand the WS-Security specification.
It may result in better performance.
Hardware accelerators can be used to further improve performance.
netTcpBinding (transport security) disadvantages:
Because security is applied on a point-to-point basis, there is no provision for multiple hops or routing through intermediate application nodes.
It supports a limited set of credentials and claims compared to message security.
It is transport-dependent: it relies on the underlying platform, transport mechanism, and security service providers such as NTLM or Kerberos (I don't know these).
Use message security for the following scenarios:
. You are sending a message to a WCF service, and the message is likely to be forwarded to other WCF services or may be routed through intermediate systems.
. Your WCF clients are accessing the WCF service over the Internet, it is possible that other intermediate systems may be used in between, and security is your top consideration.
Using message security has the following advantages:
. It provides end-to-end security. Because message security directly encrypts and signs the message, having intermediaries does not break the security.
. It allows partial or selective message encryption and signing, thus improving overall application performance.
. Message security is transport-independent and can be used with any transport protocol.
. It supports a wide set of credentials and claims, including issued tokens, which enables federated security.
Using message security has the following disadvantages:
. This option may reduce performance compared to transport security because each individual message is encrypted and signed.
. It does not support interoperability with older ASP.NET Web Services (ASMX) clients because it requires both the client and service to support the WS-Security specifications.
----- Authorization: whether a given role can do something or not
Declarative Authorization
Declarative authorization can be added to application code at design time by specifying the required access for a particular method or class, declared as an attribute on the operation. Declarative role-based authorization is best for authorizing access to WCF at the operation level. Because attribute metadata is discoverable using reflection, it is easier to track the security principals that are allowed to access each method. Declarative authorization checks will work if you are using the ASP.NET role provider or Windows groups.
PrincipalPermission Example
The following code example shows how to use the PrincipalPermission attribute to perform declarative authorization:
using System.Security.Permissions;

// Only callers whose principal is in the "accounting" role may invoke Add;
// any other caller gets a SecurityException before the method body runs.
[PrincipalPermission(SecurityAction.Demand, Role = "accounting")]
public double Add(double a, double b)
{
    return a + b;
}
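As an added example (not code from the original page), the following C# shows what the demand in the snippet above does at run time: it calls Add under constructed principals with and without the "accounting" role and reports whether the check passed. It assumes .NET Framework, where declarative PrincipalPermission demands are enforced by the runtime, and a plain console process, so the principal is placed on Thread.CurrentPrincipal by hand instead of by WCF's principalPermissionMode.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public class Calculator
{
    // Same demand as the page's snippet: the caller must be in "accounting".
    [PrincipalPermission(SecurityAction.Demand, Role = "accounting")]
    public double Add(double a, double b)
    {
        return a + b;
    }
}

public static class Demo
{
    // Runs Add as a constructed principal with the given roles and reports
    // whether the demand allowed the call. PrincipalPermission inspects
    // Thread.CurrentPrincipal; in a hosted WCF service the service's
    // principalPermissionMode decides how that principal is populated.
    public static bool TryAddAs(string user, string[] roles)
    {
        IPrincipal saved = Thread.CurrentPrincipal;
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user), roles);
        try
        {
            new Calculator().Add(1, 2);
            return true;
        }
        catch (SecurityException)
        {
            // Demand failed: the principal is not in the required role.
            return false;
        }
        finally
        {
            Thread.CurrentPrincipal = saved;
        }
    }

    public static void Main()
    {
        Console.WriteLine("alice (accounting): " + TryAddAs("alice", new[] { "accounting" }));
        Console.WriteLine("bob (sales): " + TryAddAs("bob", new[] { "sales" }));
    }
}
```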