Message Security with an Anonymous Client
The following scenario shows a client and service secured by Windows Communication Foundation (WCF) message security. A design goal is to use message security rather than transport security, so that in the future it can support a richer claims-based model. For more information about using rich claims for authorization, see Managing Claims and Authorization with the Identity Model.
For a sample application, see Message Security Anonymous.
Characteristic | Description |
---|---|
Security Mode |
Message |
Interoperability |
WCF only |
Authentication (Server) |
Initial negotiation requires server authentication, but not client authentication |
Authentication (Client) |
None |
Integrity |
Yes, using shared security context |
Confidentiality |
Yes, using shared security context |
Transport |
HTTP |
Service
The following code and configuration are meant to run independently. Do one of the following:
Create a stand-alone service using the code with no configuration.
Create a service using the supplied configuration, but do not define any endpoints.
Code
The following code shows how to create a service endpoint that uses message security.
' Create the binding.
Dim binding As New WSHttpBinding()
binding.Security.Mode = SecurityMode.Message
binding.Security.Message.ClientCredentialType = _
MessageCredentialType.None
' Create the URI for the endpoint.
Dim httpUri As New Uri("https://localhost/Calculator")
' Create the service host and add an endpoint.
Dim myServiceHost As New ServiceHost(GetType(ServiceModel.Calculator), httpUri)
myServiceHost.AddServiceEndpoint(GetType(ServiceModel.ICalculator), binding, "")
' Specify a certificate to authenticate the service.
myServiceHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, _
StoreName.My, X509FindType.FindByThumbprint, "00000000000000000000000000000000")
' Open the service.
myServiceHost.Open()
Console.WriteLine("Listening...")
Console.ReadLine()
' Close the service.
myServiceHost.Close()
// Create the binding.
WSHttpBinding binding = new WSHttpBinding();
binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType =
MessageCredentialType.None;
// Create the URI for the endpoint.
Uri httpUri = new Uri("https://localhost/Calculator");
// Create the service host and add an endpoint.
ServiceHost myServiceHost =
new ServiceHost(typeof(ServiceModel.Calculator), httpUri);
myServiceHost.AddServiceEndpoint(
typeof(ServiceModel.ICalculator), binding, "");
// Specify a certificate to authenticate the service.
myServiceHost.Credentials.ServiceCertificate.SetCertificate(
StoreLocation.LocalMachine,
StoreName.My,
X509FindType.FindByThumbprint,
"00000000000000000000000000000000");
// Open the service.
myServiceHost.Open();
Console.WriteLine("Listening...");
Console.ReadLine();
// Close the service.
myServiceHost.Close();
Configuration
The following configuration can be used instead of the code. The service behavior element is used to specify a certificate that is used to authenticate the service to the client. The service element must specify the behavior using the behaviorConfiguration attribute. The binding element specifies that the client credential type is None, allowing anonymous clients to use the service.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceCredentialsBehavior">
<serviceCredentials>
<serviceCertificate findValue="contoso.com"
storeLocation="LocalMachine"
storeName="My" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="ServiceCredentialsBehavior"
name="ServiceModel.Calculator">
<endpoint address="https://localhost/Calculator"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_ICalculator"
name="CalculatorService"
contract="ServiceModel.ICalculator" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_ICalculator" >
<security mode="Message">
<message clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client />
</system.serviceModel>
</configuration>
Client
The following code and configuration are meant to run independently. Do one of the following:
Create a stand-alone client using the code (and client code).
Create a client that does not define any endpoint addresses. Instead, use the client constructor that takes the configuration name as an argument. For example:
Dim cc As New CalculatorClient("EndpointConfigurationName")
CalculatorClient cc = new CalculatorClient("EndpointConfigurationName");
Code
The following code creates an instance of the client. The binding uses message mode security, and the client credential type is set to none.
' Create the binding.
Dim myBinding As New WSHttpBinding()
myBinding.Security.Mode = SecurityMode.Message
myBinding.Security.Message.ClientCredentialType = MessageCredentialType.None
' Create the endpoint address.
Dim ea As New EndpointAddress("https://localhost/Calculator")
' Create the client.
Dim cc As New CalculatorClient(myBinding, ea)
' Begin using the client.
Try
cc.Open()
Console.WriteLine(cc.Add(100, 11))
Console.ReadLine()
' Close the client.
cc.Close()
Catch tex As TimeoutException
Console.WriteLine(tex.Message)
cc.Abort()
Catch cex As CommunicationException
Console.WriteLine(cex.Message)
cc.Abort()
Finally
Console.WriteLine("Closed the client")
Console.ReadLine()
End Try
// Create the binding.
WSHttpBinding myBinding = new WSHttpBinding();
myBinding.Security.Mode = SecurityMode.Message;
myBinding.Security.Message.ClientCredentialType =
MessageCredentialType.None;
// Create the endpoint address.
EndpointAddress ea = new
EndpointAddress("https://localhost/Calculator");
// Create the client.
CalculatorClient cc =
new CalculatorClient(myBinding, ea);
// Begin using the client.
try
{
cc.Open();
Console.WriteLine(cc.Add(200, 1111));
Console.ReadLine();
// Close the client.
cc.Close();
}
Configuration
The following code configures the client.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_ICalculator" >
<security mode="Message">
<message clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://machineName/Calculator"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_ICalculator"
contract="ICalculator"
name="WSHttpBinding_ICalculator">
<identity>
<dns value="contoso.com" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
See Also
Concepts
Security Overview
Distributed Application Security
Service Identity and Authentication