Transport Security
When using transport security, the user credentials and claims are passed by
the transport layer. In other words, the credential types are
transport-dependent, which allows fewer authentication options than message
security. Each transport protocol (TCP, IPC, MSMQ, or HTTP) has its own
mechanism for passing credentials and protecting messages. The most common
approach is to use SSL/TLS, which encrypts and integrity-protects everything
sent over Secure HTTP (HTTPS). Transport security provides point-to-point
security between the two endpoints (service and client): protection ends where
the transport connection ends, so any intermediary that terminates the
connection (for example, a reverse proxy that offloads TLS) sees the message in
the clear and must itself be trusted.
Use transport security in the following scenarios:
- You are sending a message directly from
your application to a WCF service and the message will not be routed through
intermediate systems.
- Both the service and the client are
located in an intranet.
Using transport security offers the following
advantages:
- It provides interoperability, meaning
that communicating parties do not need to understand WS-Security
specifications; any client that can speak HTTPS (or the chosen transport) can
participate.
- It generally performs better, because the
security handshake happens once per connection and the per-message work is
symmetric encryption of the byte stream rather than XML signing and encryption
of each SOAP envelope.
- Hardware accelerators (for example, TLS
offload cards or a terminating load balancer) can be used to further improve
performance.
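The following is an added example, not code from the original page or from WCF's own documentation, showing what transport security looks like in WCF: a WSHttpBinding in SecurityMode.Transport over HTTPS with Windows authentication, and how the service reads the caller's identity that the transport established. The contract name, the https://localhost:8443/orders address and the assumption that a server certificate is already bound to that port (with netsh http add sslcert) are all illustrative choices, not part of the original text.

```csharp
using System;
using System.ServiceModel;

// Contract and implementation names are assumptions for this example.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string GetOrderStatus(int orderId);
}

public class OrderService : IOrderService
{
    public string GetOrderStatus(int orderId)
    {
        // With transport security the caller is authenticated by the transport
        // (Windows authentication on the HTTPS request) before the SOAP message
        // reaches the service; nothing about the caller is inside the envelope.
        // WCF surfaces the transport-established identity on the security context.
        var caller = ServiceSecurityContext.Current.PrimaryIdentity;
        return string.Format("order {0} queried by {1}", orderId, caller.Name);
    }
}

public static class TransportSecurityHost
{
    // Assumed address. A certificate must already be bound to this port
    // (netsh http add sslcert ...); WCF will not configure HTTPS for you.
    public static readonly Uri Address = new Uri("https://localhost:8443/orders");

    // Transport mode: TLS protects the bytes on the wire and the credential is
    // carried by HTTP, so the choice is limited to what HTTPS can carry
    // (None, Basic, Digest, Ntlm, Windows or Certificate).
    public static WSHttpBinding CreateBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        return binding;
    }

    // Client side: the process's Windows credentials are used for the HTTPS
    // request; the SOAP envelope itself carries no security header.
    public static IOrderService CreateClient()
    {
        var factory = new ChannelFactory<IOrderService>(CreateBinding(), new EndpointAddress(Address));
        return factory.CreateChannel();
    }

    public static void Main()
    {
        using (var host = new ServiceHost(typeof(OrderService), Address))
        {
            host.AddServiceEndpoint(typeof(IOrderService), CreateBinding(), string.Empty);
            host.Open();
            Console.WriteLine("Transport-secured endpoint listening at {0}", Address);
            Console.ReadLine();
        }
    }
}
```

Because the protection is a property of the HTTPS connection, a TLS-terminating proxy placed in front of this host would see every request in plaintext and would have to re-establish its own connection to the service; that is the point-to-point limitation described above.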
Message Security
When using message security, the user credentials and claims are encapsulated in
every message using the WS-Security specification to secure messages. This
option gives the most flexibility from an authentication perspective. You can
use any type of security credentials you want, largely independent of transport,
as long as both the client and service agree.
Use message security in the following scenarios:
- You are sending a message to a WCF
service, and the message is likely to be forwarded to other WCF services or
may be routed through intermediate systems.
- Your WCF clients are accessing the WCF
service over the Internet and messages may be routed through intermediate
systems.
Using message security offers the following
advantages:
- It provides end-to-end security. Because
message security directly encrypts and signs the message, having
intermediaries does not break the security; an intermediary that reads,
routes or forwards the message cannot read the encrypted parts or alter the
signed parts without detection. Note that only the parts you choose to
protect are covered; the envelope and any unprotected headers remain visible.
- It allows partial or selective message
encryption and signing (for example, signing a status query but encrypting and
signing a payment), thus improving overall application performance.
- Message security is transport-independent
and therefore can be used with any transport protocol, including plain HTTP.
- It supports a wide set of credentials and
claims, including the issued token that enables federated security.
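As an added example (not code from the original page or from WCF's own documentation), the following configures the same kind of service with message security: a WSHttpBinding in SecurityMode.Message over plain HTTP, client and service both authenticating with X.509 certificates carried in the WS-Security header, and per-operation ProtectionLevel attributes that sign a cheap query but encrypt and sign a payment. The contract name, the http://localhost:8080/orders address, the certificate subject names "orders.example.com" and "client1", and the certificate store locations are all assumptions.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Contract and operation names are assumptions for this example.
[ServiceContract]
public interface IOrderService
{
    // A status query is not confidential: sign only, which keeps integrity and
    // origin authentication but skips the cost of XML encryption.
    [OperationContract(ProtectionLevel = ProtectionLevel.Sign)]
    string GetOrderStatus(int orderId);

    // Payment data must stay confidential across every intermediary.
    [OperationContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
    string SubmitPayment(string cardNumber, decimal amount);
}

public class OrderService : IOrderService
{
    public string GetOrderStatus(int orderId)
    {
        // The identity comes from the X.509 token in the WS-Security header,
        // not from the HTTP connection, so it survives a hop through a router.
        var caller = ServiceSecurityContext.Current.PrimaryIdentity;
        return string.Format("order {0} queried by {1}", orderId, caller.Name);
    }

    public string SubmitPayment(string cardNumber, decimal amount)
    {
        // The card number arrived inside an encrypted body element.
        return string.Format("charged {0} to a card with {1} digits", amount, cardNumber.Length);
    }
}

public static class MessageSecurityConfig
{
    // Plain http:// is deliberate: protection is applied to the SOAP message,
    // so the transport need not be TLS. Assumed address.
    public static readonly Uri Address = new Uri("http://localhost:8080/orders");

    public static WSHttpBinding CreateBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        // The client authenticates with a certificate inside the message.
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        // The client is given the service certificate out of band (CreateClient),
        // so the service certificate is not negotiated over the wire at run time.
        binding.Security.Message.NegotiateServiceCredential = false;
        return binding;
    }

    public static ServiceHost CreateHost()
    {
        var host = new ServiceHost(typeof(OrderService), Address);
        host.AddServiceEndpoint(typeof(IOrderService), CreateBinding(), string.Empty);
        // Assumed subject name; this private key decrypts requests and signs responses.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "orders.example.com");
        // Client certificates must chain to a trusted root. PeerTrust or a custom
        // X509CertificateValidator are the alternatives for closed environments.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        return host;
    }

    public static IOrderService CreateClient()
    {
        // The DNS identity must match the service certificate's subject name.
        var endpoint = new EndpointAddress(Address, EndpointIdentity.CreateDnsIdentity("orders.example.com"));
        var factory = new ChannelFactory<IOrderService>(CreateBinding(), endpoint);
        // Assumed client certificate; its private key signs outgoing messages.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "client1");
        // Service certificate pinned from the local store because negotiation is off.
        factory.Credentials.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.CurrentUser, StoreName.TrustedPeople, X509FindType.FindBySubjectName, "orders.example.com");
        return factory.CreateChannel();
    }
}
```

Compared with the transport example, nothing here depends on the connection: a routing intermediary can forward the envelope over any transport and the signature and encrypted body still verify at the final service. The trade-off is that each message is canonicalized, signed and (for SubmitPayment) encrypted individually, which is the performance cost the text alludes to, and the certificate validation mode is now part of the service's attack surface and must be set explicitly.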