Implementing WCF Message Level Security over HTTP

By: Kasim Wirama, MCDBA, MVP SQL Server

 

You can protect message confidentiality with encryption at either the transport level or the message level. For transport-level security, you can set up SSL over HTTP. For message-level security, you have more options for applying encryption, over any available protocol such as HTTP or TCP.

 

In this article I would like to share my exploration of configuring message-level security over HTTP. You can set up a new HTTP binding configuration with the Service Configuration Editor program. Try creating two binding configurations, ws2007HttpBinding and basicHttpBinding, and notice the MessageClientCredentialType property on the Security tab. On basicHttpBinding there are only two options available, UserName and Certificate. The certificate in this case is used to prove the client's identity to the WCF service, so the WCF service can be sure that the genuine client is the one connecting. In a Windows domain environment, implementing Windows security using basicHttpBinding is not possible. If you want to use Windows integrated security, I suggest you use ws2007HttpBinding or wsHttpBinding. Besides Windows authentication, ws2007HttpBinding and wsHttpBinding provide more options: UserName, Certificate, and IssuedToken. As far as I know, encryption with wsHttpBinding is based on the WS-Security specification, which is one of the pillars of the WS-* specification standards.

 

In this article, I give you a basic idea of how to implement message-level security using ws2007HttpBinding. A similar configuration applies to wsHttpBinding as well.

 WCF service 

Edit the application configuration file with Service Configuration Editor and add a new endpoint in the Services folder with binding type ws2007HttpBinding. Specify the address in the Address property (for example, http://localhost:8888/Service/Service.svc; the same address must be used by the WCF client, and you need to replace localhost with the real computer name when you deploy the WCF client and WCF service in a distributed environment), and specify the contract in the Contract property.

 WCF client 

A similar configuration is applied to the WCF client, except that I create the new endpoint in the Clients/Endpoints folder instead of the Services/Endpoints folder. Give the endpoint a name; this name is the value of the input parameter when calling the proxy constructor.

 

The last step is to pass the ws2007HttpBinding endpoint name as the input parameter of the proxy when the proxy is instantiated.

 

Run your WCF client. This time it communicates with the WCF service over ws2007HttpBinding, which implements message-level security over HTTP.
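
The configuration that the Service Configuration Editor steps above write out, shown as a config file. This is an added example, not the author's own file: only the address comes from the article, and the service, contract, binding-configuration, endpoint and proxy names are assumptions.

```xml
<!-- Added example (constructed). Service and client sections are shown
     together; each normally lives in its own application's config file.
     Hypothetical names: MyService.Service, MyService.IService,
     ws2007MessageSecurity, ws2007Endpoint, ServiceClient. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <ws2007HttpBinding>
        <!-- The same binding configuration must exist on both sides. -->
        <binding name="ws2007MessageSecurity">
          <!-- mode="Message": the SOAP message itself is signed and
               encrypted per WS-Security, so the transport is plain http. -->
          <security mode="Message">
            <!-- MessageClientCredentialType on the editor's Security tab.
                 Other values: UserName, Certificate, IssuedToken. -->
            <message clientCredentialType="Windows" />
          </security>
        </binding>
      </ws2007HttpBinding>
    </bindings>

    <!-- Service side (Services/Endpoints in the editor) -->
    <services>
      <service name="MyService.Service">
        <endpoint address="http://localhost:8888/Service/Service.svc"
                  binding="ws2007HttpBinding"
                  bindingConfiguration="ws2007MessageSecurity"
                  contract="MyService.IService" />
      </service>
    </services>

    <!-- Client side (Clients/Endpoints in the editor) -->
    <client>
      <!-- name is the string passed to the proxy constructor, e.g.
           new ServiceClient("ws2007Endpoint") for a generated proxy. -->
      <endpoint name="ws2007Endpoint"
                address="http://localhost:8888/Service/Service.svc"
                binding="ws2007HttpBinding"
                bindingConfiguration="ws2007MessageSecurity"
                contract="MyService.IService" />
    </client>
  </system.serviceModel>
</configuration>
```

Message security with Windows credentials is also the default for this binding; stating it explicitly keeps a later edit from silently changing the security mode on one side only.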
