Get Help:Ask a Question in our Forums|Report a Bug|More Help Resources
Last post Mar 05, 2013 07:16 AM by Haixia Xie - MSFT
Feb 26, 2013 02:51 PM|LINK
I have read several - too many probably - articles on ways to secure WCF services, from custom token creation, x509 certificates, using guids as tokens, WCF extensions, etc. And to be honest, I am a bit lost - seems there are just SO many different ways
to do it. Here is what my manager is asking : we have library of WCF services that will be accessed from both users with domain (Windows AD) accounts, as well as users from coming from the internet. They want me to implement some kind of security mechanism
that will ensure that only those users/machines/applications that we want to access the services can access them. Simple enough.
My boss has asked me to accomplish this using WCF extensions, presumably as in this example :
HIS boss mentioned something about just using GUIDs for tokens instead of x509 certs. So now I am wondering - if we want message level security, won't we need to use either x509 certs, or do some kind of encryption to keep whatever info is being used for
authentication (username, password) from being sent in clear text?
Sorry if this is all confusing, but if it is, then it clearly captures my thoughts at this time.
Mar 05, 2013 07:16 AM|LINK
So now I am wondering - if we want message level security, won't we need to use either x509 certs, or do some kind of encryption to keep whatever info is being used for authentication (username, password) from being sent in clear text?
If you use message level security for your service, there are various ways you can used to authenticate your clients( you can set it with clientCredentialType), it can be an anonymous client, a certificate client or a Windows client, etc. Somthing like:
<message clientCredentialType="Windows" />
You can check some common security scenarios.