WCF security at transport level or message level RRS feed

  • Question

  • User88744855 posted

    i am new in wcf. i read msdn link for wcf securty for message level or transport level but unfortunately there was very small info regarding those security.

    basically i am not being able to visualize how service will be secured when anyone select transport level security or message level security. i want to visualize how security works for the both.

    so please discuss in detail what happen when user select transport level security and as well as message level security?

    i got a small snippet for how to setup message level security as follows

        <binding name="ServicesBindings" receiveTimeout="00:00:30">
          <security mode="Message">
            <message clientCredentialType="Certificate"/>
          <reliableSession enabled="true"/>
    1) how many type of mode is possible want to know ?
    2) how many option is available for clientCredentialType ?

    looking for guidance. thanks

    Monday, May 12, 2014 1:30 PM


  • User-417640953 posted

    Hi mou_inn,

    Thanks for the post.

    As known that, transfer level is based on potocol and message level is based on data message. like below statement.

    Transport level security happens at the channel level. Transport level security is the easiest to implement as it happens at the communication level.

    WCF uses transport protocols like TCP, HTTP, MSMQ etc and every of these protocols have their own security mechanisms.
    Message level security is implemented with message data itself. Due to this it is independent of the protocol. Some of the common ways of implementing

    message level security is by encrypting data using some standard encryption algorithm.

    As for the wsHttpBinding you mentioned above, it supports "None", "Transport", "Message", "Mixed" and not supports "Both", "TransportCredential".

    wsHttpBinding with Transport model supports client validate "None", "Basic", "Digest", "Windows", "Ntlm", "Certificate".

    wsHttpBinding with Message model supports client validate "None", "User Name", "Issue-Token", "Windows", "Certificate".

    Hope that helps, thanks.


    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, May 14, 2014 6:55 AM