WCF Transport & Message level Security

  • Question

  • I am new to WCF and looking for basic help. I heard that security can be given in WCF at two levels, that is, transport and message level.

    I would like to know what transport level security and message level security mean. What is the difference between transport level security and message level security, and when is each one preferred?

    How do I tell at which level security is given?

    I have two config entries:

    <bindings>
        <wsHttpBinding>
            <binding name="TransportSecurity">
                <security mode="Transport">
                    <transport clientCredentialType="None"/>
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
    
    <bindings>
        <wsHttpBinding>
            <binding name="wsHttpEndpointBinding">
                <security>
                    <message clientCredentialType="Certificate" />
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>

    Looking at the two config XML snippets above, why is there no word like message used, while the word transport is used?

    Sometimes mode is used in the security tag and sometimes nothing is used in the security tag. Can mode be message instead of transport?

    I just do not understand the two config XML snippets above: what are they trying to do, and which one is transport security and which one is message?

    Please help with discussion. Thanks.


    • Edited by Mou_kolkata Wednesday, April 9, 2014 2:14 PM
    Wednesday, April 9, 2014 2:03 PM

Answers

  • Hi,

    >>I would like to know what transport level security and message level security mean. What is the difference between transport level security and message level security, and when is each one preferred?

    For this please try to check my reply in your previous thread with the following:

    Transport Security

    When using transport security, the user credentials and claims are passed by using the transport layer. And each transport protocol (TCP, IPC, MSMQ, or HTTP) has its own mechanism for passing credentials and handling message protection.

    Message Security

    When using message security, the user credentials and claims are encapsulated in every message using the WS-Security specification to secure messages.

    When I first learned about transport and message security, my friend told me an easy example to help me remember:
    Just suppose that you want to send a secret paper from one place to another; then you have two choices.
    One is to choose a secret highway and a secret car to send the paper. That is like transport security.
    The other is to encrypt the message on the paper so that it cannot be read by others. That is message security.

    For information, please try to refer to:
    #Message and Transport Security:
    http://msdn.microsoft.com/en-us/library/ff648863.aspx .

    #Difference Between Transport and Message Level Security:
    http://www.c-sharpcorner.com/Blogs/13464/difference-between-transport-and-message-level-security.aspx .

    >>I just do not understand the two config XML snippets above: what are they trying to do, and which one is transport security and which one is message?

    In the first xml, you can see the following:

    <wsHttpBinding>
            <binding name="TransportSecurity">
                <security mode="Transport">
                    <transport clientCredentialType="None"/>
                </security>
            </binding>
    </wsHttpBinding>
    

    So it will use Transport security. But the clientCredentialType="None", so the caller does not need to provide a credential when calling this endpoint address. And this binding can be applied to an endpoint as follows:

    <endpoint address="" binding="wsHttpBinding" contract="WcfService.IService1"
              bindingConfiguration="TransportSecurity"></endpoint>

    Then in the second xml:

    <wsHttpBinding>
        <binding name="wsHttpEndpointBinding">
            <security>
                <message clientCredentialType="Certificate" />
            </security>
        </binding>
    </wsHttpBinding>

    Although it does not specify the security mode, by default the wsHttpBinding will use the message security mode. And by default the netTcpBinding will use the transport security mode. So the above will use the message security mode. And the clientCredentialType="Certificate", so the service will use certificate authentication.

    Then this binding can be applied to an endpoint as follows:

    <endpoint address="" binding="wsHttpBinding" contract="WcfService.IService1" 
               bindingConfiguration="wsHttpEndpointBinding"></endpoint>

    Best Regards,
    Amy Peng



    • Marked as answer by Mou_kolkata Thursday, April 10, 2014 7:37 AM
    Thursday, April 10, 2014 3:12 AM
    Moderator
  • Hi,

    >>When we give security at message level, can we specify a certificate?

    Yes, we can use the certificate at the message level.

    At the message level, the clientCredentialType can be the following:

    None, Windows, Username, Certificate, Issued Token.

    >>When we give security at transport level, can we specify a certificate?

    Yes, we can use the certificate at the transport level.

    At the transport level, the clientCredentialType can be the following:

    None, Basic, Digest, Ntlm, Windows, Certificate, Password.

    For more information, please try to refer to:
    #Selecting a Credential Type:
    http://msdn.microsoft.com/en-us/library/ms733836(v=vs.110).aspx .

    >>If possible, guide me on what kind of security WCF can provide for every binding. For example, what kind of security can we provide for basicHttpBinding and wsHttpBinding?

    By default the security mode for the basicHttpBinding is none. And by default the wsHttpBinding will use the message security mode. And by default the netTcpBinding will use the transport security mode. Those bindings can all use both the message and the transport mode if you want.

    Best Regards,
    Amy Peng




    • Marked as answer by Mou_kolkata Thursday, April 17, 2014 8:42 AM
    Thursday, April 10, 2014 8:35 AM
    Moderator
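
An added example, not part of the original thread and not Microsoft's code: a small Python check that reads a `<bindings>` section and reports which security mode each binding ends up with, applying the defaults given in the answers above when the `mode` attribute is omitted. The `LegacyBinding` entry, the sample config and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Default modes exactly as stated in the answers on this page.
DEFAULT_MODE = {"basicHttpBinding": "None", "wsHttpBinding": "Message",
                "netTcpBinding": "Transport"}

# Constructed sample: the two bindings from the question, plus a
# hypothetical basicHttpBinding ("LegacyBinding") with no <security> element.
SAMPLE_CONFIG = """
<bindings>
  <wsHttpBinding>
    <binding name="TransportSecurity">
      <security mode="Transport">
        <transport clientCredentialType="None"/>
      </security>
    </binding>
    <binding name="wsHttpEndpointBinding">
      <security>
        <message clientCredentialType="Certificate"/>
      </security>
    </binding>
  </wsHttpBinding>
  <basicHttpBinding>
    <binding name="LegacyBinding"/>
  </basicHttpBinding>
</bindings>
"""

def effective_security(config_xml):
    """Map binding name -> (binding type, effective mode, credential type)."""
    report = {}
    for bindings in ET.fromstring(config_xml).iter("bindings"):
        for binding_type in bindings:
            for binding in binding_type.findall("binding"):
                security = binding.find("security")
                mode = security.get("mode") if security is not None else None
                if mode is None:  # no mode attribute: the binding default applies
                    mode = DEFAULT_MODE.get(binding_type.tag, "unknown")
                # Only the child named after the active mode matters
                # (<transport> or <message>); other modes are not covered here.
                child = security.find(mode.lower()) if security is not None else None
                cred = child.get("clientCredentialType") if child is not None else None
                report[binding.get("name")] = (binding_type.tag, mode, cred)
    return report

def weak_bindings(report):
    """Names of bindings with no protection, or with anonymous callers."""
    return sorted(name for name, (_, mode, cred) in report.items()
                  if mode == "None" or cred == "None")
```

A credential type of `None` in the returned tuple (the Python value, not the string) means the config does not set one for the active mode.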

All replies

  • When we give security at message level, can we specify a certificate?

    And when we give security at transport level, can we specify a certificate?

    <bindings>
        <wsHttpBinding>
            <binding name="wsHttpEndpointBinding">
                <security>
                    <message clientCredentialType="Certificate" />
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>

    When we specify that the credential type is certificate, do we need to change the endpoint address from http to https?

    Is https mandatory when the credential type is certificate? If not, when will the endpoint address use https?

    Please guide. Thanks.

    Wednesday, April 9, 2014 2:42 PM
  • You missed two points, and those are:

    When we give security at message level, can we specify a certificate?

    And when we give security at transport level, can we specify a certificate?

    If possible, guide me on what kind of security WCF can provide for every binding. For example, what kind of security can we provide for basicHttpBinding and wsHttpBinding?

    Thursday, April 10, 2014 7:40 AM