When extending WCF (Windows Communication Foundation), one of the confusing tasks was often choosing the appropriate configuration settings for the required security mechanism. If you look at the huge number of configuration settings, you may get the feeling that WCF offers almost every possible security combination (transport, message, certificate, username, basic, NTLM, etc.).
Because not every combination is possible, or even reasonable, I decided to take a deeper look inside the service model. The pictures in this post show how WCF internally builds the transport channel and security mechanism for BasicHttpBinding.
During initialization of the service, the service model invokes the method CreateBindingElements, which is the most important method of any binding (in this case BasicHttpBinding).
BasicHttpBinding logically constructs three binding elements: SecurityBindingElement, MessageEncodingBindingElement and TransportBindingElement.
The next picture shows the sequence in which all three elements are created.
MessageEncodingBindingElement can be of type TextMessageEncodingBindingElement or MtomMessageEncodingBindingElement; it is out of scope of this post.
The SecurityBindingElement is created only if the security mode is set to either Message or MessageWithTransportCredentials. If neither of these modes is set, the SecurityBindingElement will not be created at all. This is shown in the next picture.
Message Security Mode
If the Message security mechanism is used over an unsecured transport, the WCF Service Model requires the use of the clientCertificateCredential. If the client's certificate is not specified, WCF throws an InvalidOperationException. This means that WCF does not allow messaging over unsecured transport.
However, if the client provides the certificate, the message can be encrypted and no secured transport is required. In this case either AsymmetricSecurityBindingElement (for WSSecurity 1.0) or SymmetricSecurityBindingElement (for WSSecurity 1.1) will be created with the following call:
Message Over Transport Security Mode
In this scenario WCF knows that the message interchange will take place over a secured channel, and it expects the client credential type to be set to either UserName or Certificate. Otherwise an exception will be thrown.
If the clientCredentialType is set to UserName, WCF uses the following call to create the security binding element:
This method creates an instance of the TransportSecurityBindingElement, which is configured for signing and encrypting the message.
If the clientCredentialType is set to Certificate, the following call is used, which also creates the TransportSecurityBindingElement:
Creating of the Transport Channel
After the Message Security has been prepared (if required) and the appropriate message encoding binding element has been created, the transport is created and configured. The transport security mode can take the following values: None, TransportCredentialsOnly, Transport and TransportWithMessage.
If the None or TransportCredentialsOnly mode is used, HTTP will be used as the native transport. In the case of Transport and TransportWithMessage, HTTPS will be used as the native transport.
Remember that if no security is set (TransportMode = None), the Message security mode must be set to None too. In this case HttpTransportBindingElement is configured as shown below.
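using System.Net;                     // AuthenticationSchemes
using System.ServiceModel.Channels;   // HttpTransportBindingElement

// No transport security: plain HTTP, no authentication of the client or towards a proxy.
HttpTransportBindingElement http = new HttpTransportBindingElement();
http.AuthenticationScheme = AuthenticationSchemes.Anonymous;
http.ProxyAuthenticationScheme = AuthenticationSchemes.Anonymous;
http.Realm = "";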
If the TransportCredentialsOnly mode is set, message security does not perform any operation. The message interchange will be performed over an unsecured HTTP channel. In this scenario the HttpTransportBindingElement will be used again. This time the authentication scheme will be configured for Basic, Digest, NTLM or Negotiate (Windows) authentication. Note that the use of certificates is not supported in this mode.
If the transport with message security mode is used, the security binding element has already been created while preparing the message security. In this case the HttpsTransportBindingElement is created with the same authentication scheme as in the previous mode (TransportCredentialsOnly). This authentication scheme does not support the use of certificates.
If the Transport mode is used, the HttpsTransportBindingElement is configured to use a certificate if required. The authentication scheme is similar to the previous case (transport with message).
The following picture shows how WCF internally creates the transport element.
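The element stacks described above can be checked against the framework itself by calling CreateBindingElements for each mode. The following is an added example, not code from the original post or from WCF; it uses the enum names as they appear in System.ServiceModel (TransportCredentialOnly, TransportWithMessageCredential), and the class BasicHttpBindingAudit and its Describe helper are hypothetical names.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;

static class BasicHttpBindingAudit   // hypothetical name, for illustration only
{
    // Builds the binding element stack for one security mode and summarizes it.
    static string Describe(BasicHttpSecurityMode mode, Action<BasicHttpBinding> configure = null)
    {
        var binding = new BasicHttpBinding(mode);
        configure?.Invoke(binding);
        try
        {
            BindingElementCollection elements = binding.CreateBindingElements();
            // HttpsTransportBindingElement derives from HttpTransportBindingElement.
            var transport = elements.Find<HttpTransportBindingElement>();
            var security = elements.Find<SecurityBindingElement>();
            string line = $"{mode,-31} {transport.Scheme,-6} auth={transport.AuthenticationScheme,-10} " +
                          $"security={(security == null ? "(none)" : security.GetType().Name)}";
            // Basic credentials are only base64-encoded, so over plain HTTP they are readable on the wire.
            if (transport.Scheme == "http" && transport.AuthenticationScheme == AuthenticationSchemes.Basic)
                line += "  <-- credentials sent in clear text";
            return line;
        }
        catch (InvalidOperationException ex)
        {
            // Combinations the service model refuses to build end up here.
            return $"{mode,-31} rejected: {ex.Message}";
        }
    }

    static void Main()
    {
        Console.WriteLine(Describe(BasicHttpSecurityMode.None));
        Console.WriteLine(Describe(BasicHttpSecurityMode.TransportCredentialOnly,
            b => b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic));
        Console.WriteLine(Describe(BasicHttpSecurityMode.Transport));
        Console.WriteLine(Describe(BasicHttpSecurityMode.TransportWithMessageCredential));
        // Message mode with the default (UserName) credential type, then with a certificate.
        Console.WriteLine(Describe(BasicHttpSecurityMode.Message));
        Console.WriteLine(Describe(BasicHttpSecurityMode.Message,
            b => b.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate));
    }
}
```

The same Describe call can be pointed at bindings loaded from an existing configuration to find endpoints that authenticate over plain HTTP.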
Jul 30 2006, 02:36 PM