Part 47 WCF security

106.6K views
Apr 9, 2014
16:02

Link for all dot net and sql server video tutorial playlists
http://www.youtube.com/user/kudvenkat/playlists

Link for code samples used in the demo
http://csharp-video-tutorials.blogspot.com/2014/04/part-47-wcf-security.html

In this video we will discuss the basics of WCF security.

First let's understand some of the fundamental security terms.

Authentication - The process of identifying the sender and recipient of the message.

Authorization - The process of determining what rights the authenticated user has.

Confidentiality - The process of ensuring that only the intended recipient of the message can view the message as it is being transmitted from the sender to the receiver. We achieve confidentiality by encrypting the message.

Integrity - The process of ensuring that the message is not tampered with by a malicious user as it is being transmitted from the sender to the receiver. We achieve integrity by signing the messages.

Bindings in WCF determine the security scheme. The following MSDN link contains all the system-provided bindings and their respective security defaults.
http://msdn.microsoft.com/en-us/library/ms731092(v=vs.110).aspx

Notice that the default security scheme for NetTcpBinding is Transport and for WSHttpBinding it is Message.

Next, let's understand the difference between message security and transport security. From a security perspective, when sending a message between a client and a WCF service, there are 2 things to consider:
1. The WCF message itself
2. The medium or protocol (HTTP, TCP, MSMQ) over which the message is sent

Securing the transport channel is called transport security. Each of the protocols (HTTP, TCP, MSMQ etc.) has its own way of providing transport security. For example, TCP provides transport security by implementing Transport Layer Security (TLS). The TLS implementation is provided by the operating system. HTTP provides transport security by running over Secure Sockets Layer (SSL), that is, HTTPS.

Transport security provides only point-to-point channel security. This means that if there is an intermediary (load balancer, proxy etc.) between the client and the service, that intermediary has direct access to the content of the message.

Securing the message itself by encapsulating the security credentials with every SOAP message is called message security. As the message itself is protected, it provides end-to-end security.

The following MSDN article explains all the differences between message and transport security and when to use one over the other.
http://msdn.microsoft.com/en-us/library/ms733137.aspx

By default, for secure bindings, WCF messages are signed and encrypted. Let's understand this with an example.
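The following self-hosted service is an added example, not the code from the video or the linked blog post. It prints the default security mode of NetTcpBinding and WSHttpBinding, then exposes one contract over a transport-secured TCP endpoint and a message-secured HTTP endpoint. The names IHelloService and HelloService, the ports and the choice of Windows credentials are assumptions; it targets .NET Framework with a reference to System.ServiceModel.

```csharp
// Added example: IHelloService, HelloService and ports 8090/8080 are assumed names and values.
using System;
using System.Net.Security;
using System.ServiceModel;

// Require every message of this contract to be signed and encrypted.
[ServiceContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
public interface IHelloService
{
    [OperationContract]
    string GetMessage(string name);
}

public class HelloService : IHelloService
{
    public string GetMessage(string name) { return "Hello " + name; }
}

public static class Program
{
    public static void Main()
    {
        // Defaults of the system-provided bindings: Transport and Message.
        Console.WriteLine("NetTcpBinding default: " + new NetTcpBinding().Security.Mode);
        Console.WriteLine("WSHttpBinding default: " + new WSHttpBinding().Security.Mode);

        // Transport security: the TCP channel is protected, point to point.
        var tcp = new NetTcpBinding(SecurityMode.Transport);
        tcp.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        tcp.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;

        // Message security: each SOAP message is signed and encrypted, end to end.
        var http = new WSHttpBinding(SecurityMode.Message);
        http.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        using (var host = new ServiceHost(typeof(HelloService)))
        {
            host.AddServiceEndpoint(typeof(IHelloService), tcp, "net.tcp://localhost:8090/HelloService");
            host.AddServiceEndpoint(typeof(IHelloService), http, "http://localhost:8080/HelloService");
            host.Open();
            Console.WriteLine("Host running. Press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

Opening the HTTP endpoint requires an elevated process or a URL reservation for the listening address. Setting either binding's security mode to None would conflict with the contract's ProtectionLevel and the host would refuse to open, which makes the contract attribute a useful guard against an accidentally unsecured endpoint.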