WCF Security – Default Security in WSHttpBinding and WCF Test Client

Tags: security, soap, wcf

I recently moved a service from BasicHttpBinding to WSHttpBinding (i.e. SOAP 1.1 -> SOAP 1.2). In WCF, using WSHttpBinding() makes it start using some default security settings. I presume the same default security settings are also used by the WCF Test Client, since the client and server can continue talking after switching to the 'secured' WSHttpBinding. In Fiddler, I've confirmed this security setup since I can witness more complex security handshakes compared to the previously dead-simple request-response, i.e.:

Before (BasicHttpBinding):

  1. [HttpRequest ] (SOAP Request In Clear)
     [HttpResponse] (SOAP Response In Clear)

After (WSHttpBinding):

  1. [HttpRequest ] RequestSecurityToken
     [HttpResponse] RequestSecurityTokenResponse

  2. [HttpRequest ] RequestSecurityToken
     [HttpResponse] RequestSecurityTokenResponse

  3. [HttpRequest ] RequestSecurityTokenResponse
     [HttpResponse] RequestSecurityTokenResponseCollection

  4. [HttpRequest ] EncryptedData
     [HttpResponse] EncryptedData

  5. [HttpRequest ] EncryptedData (actual application level request)
     [HttpResponse] EncryptedData (actual application level response)

So I can safely assume security is being applied. Now to the questions:

Question 1: What are the security settings?
I never told WCF of any membership provider. In fact I don't have any table (SQL or XML) of any usernames <-> passwords. So what kind of authentication is happening? Although WCF Test Client can authenticate as above, SoapUI doesn't pick up these Microsoft .NET defaults and has issues. SoapUI attempts clear text communications and then the server responds with an incorrect security token error.

Question 2: What is the most commonly practiced security model for SOAP 1.2?
Is it via certificates or username passwords or digest or _____? How are those credentials stored (SQL/XML?) and configured on the WCF server side?

Best Answer

Well, the famous WSHTTPBinding. It causes a lot of pain for non-.NET platforms.

First of all, even if SOAP 1.2 is a standard, WSHTTPBinding is a Microsoft implementation over SOAP 1.2 and, by experience, it's not as easy as "Our product supports SOAP 1.2, so it'll work with WCF & WSHTTPBinding services, no problem!".

Answer 1

There are two main security settings:

  • Message Security: the message is partially encrypted (default)
  • Transport Security: uses SSL to secure the channel

About authentication, WSHTTPBinding uses Windows credentials (NTLM or Kerberos) by default.

Answer 2

It depends, but a short answer is:

  • You need to re-route the messages or inspect them: use Message Security
  • You need point-to-point channels and can secure them with certificates: use Transport Security
  • Your clients and servers share the same authentication platform: use Windows authentication
  • You need an open authentication for external clients, or cross-platform: use Username authentication

About Username authentication, there are different configurations. You can store the credentials in an SQL database, yes (we do this in our company for some services).

Some simple cases: Improving Web Services Security: Scenarios and Implementation Guidance for WCF
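As an added illustration of Answer 1 and Answer 2 (example code written for this page, not from the question, the answer, or Microsoft's documentation): the first factory method spells out the WSHttpBinding defaults the asker saw in Fiddler (Message security with Windows credentials; the RequestSecurityToken round trips are the WS-Trust negotiation of the service credential followed by the WS-SecureConversation session token), and the second builds the cross-platform option from Answer 2, TLS on the channel plus a UserName token in the message, validated by a custom UserNamePasswordValidator. The service contract, the `https://localhost:8443/echo` address, the `DemoUserNameValidator` class and its single hard-coded credential are all constructed assumptions; a real deployment would look the name up in a credential store (such as the SQL store the answer mentions) holding salted password hashes, and the HTTPS address needs a server certificate bound to the port at the http.sys level beforehand.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract used only for this example.
[ServiceContract]
public interface IEcho
{
    [OperationContract]
    string Echo(string text);
}

public class EchoService : IEcho
{
    public string Echo(string text) => text;
}

// Constructed validator for the UserName credential type. The single hard-coded
// pair exists only so the sample runs stand-alone; replace Validate() with a
// lookup against your credential store that compares salted password hashes.
public class DemoUserNameValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName != "alice" || password != "correct horse battery staple")
            throw new SecurityTokenException("Unknown user name or incorrect password.");
    }
}

public static class BindingFactory
{
    // Answer 1: what `new WSHttpBinding()` gives you without any configuration.
    // Every setting below is already the default; they are assigned explicitly
    // so the reader can see what the WCF Test Client negotiated silently.
    public static WSHttpBinding DefaultWindowsBinding()
    {
        var binding = new WSHttpBinding();
        binding.Security.Mode = SecurityMode.Message;                         // sign/encrypt the SOAP body
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows; // NTLM or Kerberos
        binding.Security.Message.NegotiateServiceCredential = true;          // SPNEGO: the first RST/RSTR pairs
        binding.Security.Message.EstablishSecurityContext = true;            // WS-SecureConversation session token
        return binding;
    }

    // Answer 2, cross-platform case: SSL/TLS protects the channel, the client
    // proves identity with a WS-Security UsernameToken inside the message.
    // Turning off the secure-conversation handshake keeps the exchange to plain
    // request/response, which non-.NET SOAP stacks cope with far better.
    public static WSHttpBinding UserNameOverTlsBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;
        return binding;
    }
}

class Program
{
    static void Main()
    {
        // Assumed address; an HTTPS certificate must already be bound to port 8443.
        var host = new ServiceHost(typeof(EchoService), new Uri("https://localhost:8443/echo"));
        host.AddServiceEndpoint(typeof(IEcho), BindingFactory.UserNameOverTlsBinding(), "");

        // Route UserName tokens to our validator instead of Windows accounts.
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator =
            new DemoUserNameValidator();

        host.Open();
        Console.WriteLine("Listening on https://localhost:8443/echo; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

Swapping `UserNameOverTlsBinding()` for `DefaultWindowsBinding()` in `AddServiceEndpoint` (and dropping the two `UserNameAuthentication` lines) reproduces the handshake sequence listed in the question, which is a quick way to confirm in Fiddler which of the two modes a service is really running.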