WCF Message Level Security by Example

This article describes how to implement WCF message level security. It walks through the required steps: creating a WCF service library, hosting it in IIS, securing it with Message Level Security, writing a client application, and finally viewing the encrypted messages in SvcTraceViewer.


WCF Security

WCF provides three security modes: Transport, Message and TransportWithMessageCredential. Transport security is achieved with SSL over HTTP (HTTPS). This article covers Message Level security. TransportWithMessageCredential is a combination of the other two.


What is WCF Message Security

Message level security encrypts request and response messages according to the WS-Security specifications. Security credentials and claims are enclosed with every message, and each message is either signed or encrypted. Message Security provides end-to-end channel security and is independent of the transport protocol. In short, mutual authentication and message protection are delivered at the message level.


Advantages of Message Level security in WCF

  • Message Security offers multiple levels of protection: different parts of a message (header, body, etc.) can be secured with different encryption methods.
  • Message Security does not depend on the WCF transport; it secures the message regardless of the binding used.
  • Message Security provides end-to-end security. With Transport Security the message is no longer encrypted once it is received at the server, whereas with Message Level Security it remains encrypted.
  • Message Security is the only option when intermediate routers forward the request and response.

Implementation of Message Level Security in WCF


Creation of WCF Service Library

Go through Create a WCF Service and Test using WCFTestClient. It creates a basic WCF service whose OperationContracts return product details from Products.xml.


Host ProductService in IIS

For this article we use the HTTP protocol and host the service in IIS. Unlike Transport Security, Message Level Security requires no changes in IIS.


Configure WCF Message Level Security

Open the NorthwindServices service library which you created in the first step and open its App.config file.

Here we configure the bindingConfiguration element of the endpoint. Add a <bindings> section under <system.serviceModel>.

Set the security mode to Message and clientCredentialType to Windows.

Your <system.serviceModel> configuration should look like this:

  <system.serviceModel>
    <services>
      <service name="NorthwindServices.ProductService"
               behaviorConfiguration="ServiceBehavior">
        <host>
          <baseAddresses>
            <add baseAddress="http://localhost:7741/NorthwindServices/ProductService/" />
          </baseAddresses>
        </host>
        <endpoint address="" binding="wsHttpBinding"
                  contract="NorthwindServices.IProducts"
                  bindingConfiguration="wsMessage">
          <identity>
            <dns value="localhost"/>
          </identity>
        </endpoint>
        <endpoint address="mex" binding="mexHttpBinding"
                  contract="IMetadataExchange"/>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceBehavior">
          <serviceMetadata httpGetEnabled="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <bindings>
      <wsHttpBinding>
        <binding name="wsMessage">
          <security mode="Message">
            <message clientCredentialType="Windows"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
  </system.serviceModel>


clientCredentialType

For Message Level Security, clientCredentialType can take any of the following values:

  1. None: Messages are encrypted, but no client authentication is performed.
  2. Windows: Messages are encrypted and clients are authenticated with built-in Windows Authentication, through Active Directory or NTLM.
  3. UserName: Messages are signed and encrypted, and clients are authenticated by the supplied user name and password.
  4. Certificate: Messages are encrypted, and both the service and the clients are authenticated with certificates.
  5. IssuedToken: Messages are encrypted, and authentication is performed with tokens issued by an authority such as CardSpace.
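As an added example (not code from the original article), the following C# builds the same wsMessage binding programmatically and adds two defender-side checks: a host startup assertion that every application endpoint keeps Message mode, and an operation-level guard that rejects callers who arrive anonymous, which is what clientCredentialType None permits. MessageSecurityGuard is a hypothetical helper name, not part of the article's ProductService.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

namespace NorthwindServices
{
    // Hypothetical helper; the article's service does not contain it.
    public static class MessageSecurityGuard
    {
        // Programmatic equivalent of the article's "wsMessage" binding:
        // security mode Message with Windows client credentials.
        public static WSHttpBinding CreateMessageBinding()
        {
            var binding = new WSHttpBinding(SecurityMode.Message);
            binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
            return binding;
        }

        // Startup check: every application endpoint (mex excluded) must use
        // message security, so a config edit that drops the mode to None or
        // Transport is caught before the host opens.
        public static void AssertMessageSecurity(ServiceHost host)
        {
            foreach (ServiceEndpoint ep in host.Description.Endpoints)
            {
                if (ep.Contract.ContractType == typeof(IMetadataExchange))
                    continue;
                var ws = ep.Binding as WSHttpBinding;
                if (ws == null || ws.Security.Mode != SecurityMode.Message)
                    throw new InvalidOperationException(
                        "Endpoint " + ep.Address + " is not using message security.");
            }
        }

        // Called from inside an operation: rejects anonymous callers and
        // returns the authenticated account name carried in the message's
        // WS-Security header.
        public static string RequireAuthenticatedCaller()
        {
            ServiceSecurityContext ctx = ServiceSecurityContext.Current;
            if (ctx == null || ctx.IsAnonymous)
                throw new FaultException("Caller was not authenticated at the message level.");
            return ctx.PrimaryIdentity.Name;
        }
    }
}
```

Call AssertMessageSecurity(host) before host.Open() and RequireAuthenticatedCaller() at the top of each operation that must not serve anonymous callers.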

Client Application

Create a new console application as the client for this WCF service, and add a service reference to ProductService in the client application.


Add the client code below to the console application.

using System;
using NorthwindApp.ProductServiceRef;

namespace NorthwindApp
{
    class Program
    {
        static void Main(string[] args)
        {
            // The proxy picks up the wsHttpBinding with message security
            // from the client's generated configuration.
            ProductsClient client = new ProductsClient();
            string cateName = client.GetCategoryName(1);
            Console.WriteLine(cateName);
            Console.Read();
        }
    }
}


Enable WCF Tracing and Message Logging for the client application to see how the communication is encrypted. Run the application and open SvcTraceViewer, which is located at C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin. If you do not have SvcTraceViewer installed, download it.

Trace and message logs will have been generated after the client application runs. Open them and notice how the messages are encrypted.

Northwind Trace for WCF Message Level Security

Download source code.


by satya at 10/25/2013 1:00:00 PM
Very good article, enlightening on WCF message security.

by raja at 4/8/2015 1:59:00 AM
working on it.

by sachin darakhe at 5/17/2016 2:59:00 AM
The message could not be processed. This is most likely because the action 'http://tempuri.org/ICloudMitoService/GetCarrierList' is incorrect or because the message contains an invalid or expired security context token or because there is a mismatch between bindings. The security context token would be invalid if the service aborted the channel due to inactivity. To prevent the service from aborting idle sessions prematurely increase the Receive timeout on the service endpoint's binding.

by Laxmikant at 5/18/2016 9:18:00 AM
@sachin, increase readerquota values for binding <basicHttpBinding> <binding name="LargeBuffer" ... <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" /> .... </binding>

by sachin darakhe at 5/18/2016 9:14:00 PM
I am calling RESTful services from an iOS device. I want to implement secure communication over the network between the server (where the services are hosted) and the device. I want to prevent unauthorized interference (via proxy server / Burp / privilege escalation) with the request or response data. I tried wsHttpBinding, but it is not encrypting data when calling from the iOS device.