Last post Sep 03, 2014 10:40 PM by Fuxiang Zhang - MSFT
Aug 25, 2014 09:48 PM|akhilrajau
I am reading about the security concepts of WCF in the book 'Programming WCF Services'. In it I found points such as: transport security is generally good for intranet scenarios because it is point-to-point, etc.
For internet scenarios, we can use message security as the better choice. I have already worked at a basic level with REST-based WCF, so I use webHttpBinding. As far as I know, Message security is based on WS standards and webHttpBinding is REST-based, so it is not possible to apply Message security in webHttpBinding.
But take a scenario where I am creating a public API (for the internet) in REST WCF, as the methods are also used on handheld devices. Here, how is transport security better than message security? Is my understanding right, or is transport security different in REST?
Aug 28, 2014 06:37 AM|Fuxiang Zhang - MSFT
Thank you for posting the issue to the asp.net forum.
WCF wsHttpBinding provides SOAP-based message exchange, and it supports the message security mode.
As you said, message security is used to configure SOAP message security headers, so it is not valid in the webHttpBinding, which is not based on SOAP messages. The appropriate security for REST services is most likely transport level - that is HTTPS.
You can take a look at the article below, which introduces the WebHttpBinding.
Sep 01, 2014 12:25 AM|akhilrajau
Thanks Fuxiang. But my confusion is that Message Security is better for internet scenarios because the message is encrypted. In transport security only the transport is secured, and it is better when point-to-point is used. So how is it secured in internet scenarios? So for internet applications webHttp is not a good choice?
Sep 03, 2014 10:40 PM|Fuxiang Zhang - MSFT
You are correct, Message Security is implemented via the WS-Security specification. And the WebHttpBinding enables REST-style APIs.
REST delegates all security concerns to the Transport layer, typically via SSL, so Message Security does not apply.
If you prefer to use Message Security, you can choose the WSHttpBinding or BasicHttpBinding.
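
The binding choice discussed in this thread, as an added configuration example that is not part of any post above: one service exposed through a REST endpoint secured at the transport level (HTTPS) and through a SOAP endpoint using message security. The service, contract, binding and behavior names (`Example.ApiService`, `Example.IApiService`, `restOverHttps`, `soapMessageSecurity`, `restBehavior`) are hypothetical, and the host is assumed to already have an HTTPS binding with a server certificate for the REST endpoint.

```xml
<system.serviceModel>
  <bindings>
    <!-- REST: webHttpBinding has no Message mode. Its security modes are
         None, Transport and TransportCredentialOnly. Transport means HTTPS,
         so the payload is encrypted between the client and this host. -->
    <webHttpBinding>
      <binding name="restOverHttps">
        <security mode="Transport">
          <transport clientCredentialType="None" />
        </security>
      </binding>
    </webHttpBinding>

    <!-- SOAP: wsHttpBinding supports Message mode (WS-Security headers),
         which protects the message itself across intermediaries.
         Windows is the default message credential type. -->
    <wsHttpBinding>
      <binding name="soapMessageSecurity">
        <security mode="Message">
          <message clientCredentialType="Windows" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <behaviors>
    <endpointBehaviors>
      <!-- Required for REST-style dispatch on the webHttpBinding endpoint. -->
      <behavior name="restBehavior">
        <webHttp />
      </behavior>
    </endpointBehaviors>
  </behaviors>

  <services>
    <service name="Example.ApiService">
      <!-- Public REST endpoint for handheld and browser clients, HTTPS only. -->
      <endpoint address="" binding="webHttpBinding"
                bindingConfiguration="restOverHttps"
                behaviorConfiguration="restBehavior"
                contract="Example.IApiService" />
      <!-- Optional SOAP endpoint for clients that need message security. -->
      <endpoint address="soap" binding="wsHttpBinding"
                bindingConfiguration="soapMessageSecurity"
                contract="Example.IApiService" />
    </service>
  </services>
</system.serviceModel>
```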