
Transport Level Security

.NET Framework 4

Applies to: Windows Communication Foundation

Published: June 2011

Author: Robert Dizon


E-Commerce is successful because users are confident that it is safe to send credit card information over the Internet. This confidence is due to the success of 128-bit Secure Sockets Layer (SSL), which encrypts and decrypts the traffic between the user's browser and the web server that hosts the secure site. SSL is an example of transport-level security. The following diagram illustrates how SSL secures the channel between the consumer and the provider.

Referenced Image

The following figure illustrates the steps that occur to establish transport-level security.

Referenced Image

Here are the steps.

  1. The service consumer establishes a secure channel with either the service broker or the service provider; the channel encrypts the messages.

  2. The service broker or the service provider manages authentication or authorization. If routing services are enabled, multiple brokers or service providers may participate.

  3. Messages sent to legacy providers use secure legacy channels.

For additional information on transport-layer security, see "Transport Security" on MSDN at http://msdn.microsoft.com/en-us/library/ms733043.aspx.

For an example of how to use transport-layer security, see "Web to Remote WCF Using Transport Security" on MSDN at http://msdn.microsoft.com/en-us/library/ff650091.aspx.

In terms of web services, SSL is still an effective way to secure the communication channel between the user and the Internet site. However, it is an expensive approach, because SSL uses multiple connections for encryption and decryption. Instead, many enterprises have adopted the newer WS-Security standard.
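The following C# program is an added example, not code from this article or from its sample downloads. It shows what transport-level security looks like in WCF: a self-hosted service exposed only over HTTPS with BasicHttpBinding in Transport mode, and a client that talks to it over the same binding. The host name and port (https://localhost:7443) are placeholders, and the program assumes that a server certificate has already been bound to that port on the machine (for example with netsh http add sslcert) and that the client trusts it. The RequireHttps guard is this example's own check; it rejects an http:// address early instead of letting the channel fault at run time.

```csharp
// Added example: transport-level security (SSL/TLS) for a WCF service.
// Not part of the article. Assumes a certificate is bound to port 7443.
using System;
using System.ServiceModel;

[ServiceContract]
public interface IService1
{
    [OperationContract]
    string GetData(int value);
}

public class Service1 : IService1
{
    public string GetData(int value)
    {
        return string.Format("WS #1: {0}", value);
    }
}

public static class TransportSecurityDemo
{
    // Transport mode: the whole channel is encrypted and the server is
    // authenticated by its certificate. The SOAP envelope itself is plain
    // XML inside the TLS tunnel, which is what distinguishes this from
    // message-level security (WS-Security).
    public static BasicHttpBinding CreateTransportBinding()
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        return binding;
    }

    // A Transport-mode binding is only meaningful on an https:// address.
    // Checking the scheme up front turns a silent downgrade into a clear error.
    public static void RequireHttps(Uri address)
    {
        if (!string.Equals(address.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
        {
            throw new ArgumentException("Transport security requires an https:// endpoint, got: " + address);
        }
    }

    public static ServiceHost OpenHost(Uri baseAddress)
    {
        RequireHttps(baseAddress);
        var host = new ServiceHost(typeof(Service1), baseAddress);
        host.AddServiceEndpoint(typeof(IService1), CreateTransportBinding(), "");
        host.Open();
        return host;
    }

    public static string CallService(Uri address, int value)
    {
        RequireHttps(address);
        var factory = new ChannelFactory<IService1>(CreateTransportBinding(), new EndpointAddress(address));
        IService1 proxy = factory.CreateChannel();
        var channel = (IClientChannel)proxy;
        try
        {
            string reply = proxy.GetData(value);
            channel.Close();     // graceful close on success
            factory.Close();
            return reply;
        }
        catch
        {
            channel.Abort();     // never Close() a faulted channel
            factory.Abort();
            throw;
        }
    }

    public static void Main()
    {
        var address = new Uri("https://localhost:7443/Service1.svc");   // placeholder address
        ServiceHost host = OpenHost(address);
        try
        {
            Console.WriteLine(CallService(address, 1));   // prints "WS #1: 1"
        }
        finally
        {
            host.Close();
        }
    }
}
```

Both the host and the client build the binding from the same CreateTransportBinding method, so there is one place to audit for the security mode. If the address is changed to http://, RequireHttps throws before any socket is opened; without that guard, WCF would refuse to open the endpoint anyway, but only with a less obvious channel error.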

One of the most widely used capabilities in SOA messaging is content-based routing. This approach complements transport-level security because it hides the web service's location. In addition, it isolates specific services according to their content payload. As an example, assume that you have a project that requires message handling. Messages are routed to either Europe or Asia, depending on their compliance with each continent's legal requirements. Messages include encrypted compliance numbers, which control how the messages are routed. The following figure illustrates how the WCF routing service receives a message and then sends it to either WCF Site 1 or WCF Site 2.

Referenced Image

In order to see how content-based routing works, download the following sample code. This code creates three WCF service application sites.

http://company-550eb0a:7070/Service1.svc - Download: WCFServiceApplicationA.zip

http://company-550eb0a:8080/Service2.svc - Download: WCFServiceApplicationB.zip

http://company-550eb0a:9090/Service3.svc - Download: WCFServiceApplicationC.zip

You can use the wcftestclient.exe tool to test the sites. To test the first site, invoke the GetData operation with a value of 1; it simply returns the string WS #1: 1 (Web Service #1: Value 1). The other WCF-hosted sites contain the same code and return WS #2: 1 and WS #3: 1.

The following figure illustrates the WCF test client results when the WCF web service is hosted on port 7070.

Referenced Image

The following figure illustrates the WCF test client results when the WCF web service hosted on port 7070 is passed a value of 2 and returns the result string from the re-routed web service hosted on port 8080.

Referenced Image

To implement content-based routing, first create two web service clients inside the web service that is hosted on port 7070. If this web service receives the value 2, it passes that value to the GetData operation of the web service hosted on port 8080. If it receives the value 3, it passes that value to the web service hosted on port 9090.

The following code controls the message routing.

public string GetData(int value)
{
    // If the caller passes 2, forward the value to the web service at http://company-550eb0a:8080/Service2.svc and return its reply
    if (value == 2)
    {
        var wsPort8080 = new WCFServiceApplicationB.Service1Client();
        string result = wsPort8080.GetData(value);   // "WS #2: 2"
        wsPort8080.Close();
        return result;
    }

    // If the caller passes 3, forward the value to the web service at http://company-550eb0a:9090/Service3.svc and return its reply
    if (value == 3)
    {
        var wsPort9090 = new WCFServiceApplicationC.Service3Client();
        string result = wsPort9090.GetData(value);   // "WS #3: 3"
        wsPort9090.Close();
        return result;
    }
    // Any other value is handled locally by the site on port 7070
    return string.Format("WS #1: {0}", value);
}

Although it is beyond the scope of this article, the current version of the WCF 4.0 Routing Service offers many advantages for content-based routing. This service is a SOAP service broker that uses a variety of filters to steer traffic to specific endpoints. For more information, see Richard Seroter's multi-part article, "WCF Routing Service Deep Dive" at http://seroter.wordpress.com/2011/01/09/wcf-routing-service-deep-dive-part-icomparing-to-biztalk-server/
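As an added example (not the article's sample code), the program below does the same content-based routing as the hand-written GetData method above, but with the WCF 4.0 Routing Service: an XPath filter inspects the value element of each GetData request and forwards value 2 to port 8080, value 3 to port 9090, and everything else to port 7070. The three destination URLs are the ones the article lists; the router's own address (http://localhost:7000/router), the contract namespace http://tempuri.org/ (the WCF default, assumed here because the article does not state one), and the element names GetData and value (inferred from the article's GetData(int value) operation) are assumptions.

```csharp
// Added example: content-based routing with the WCF 4.0 RoutingService.
// Not part of the article. Router address and contract namespace are assumptions.
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Routing;

public static class ContentRouterDemo
{
    // Filter that matches a SOAP 1.1 GetData request whose <value> equals the
    // given number. Because it reads the body, the router must be configured
    // with routeOnHeadersOnly = false (see BuildConfiguration).
    static XPathMessageFilter ValueEquals(int value)
    {
        var ctx = new XPathMessageContext();              // predefines s11/s12 envelope prefixes
        ctx.AddNamespace("t", "http://tempuri.org/");     // assumed contract namespace
        string xpath = string.Format(
            "boolean(/s11:Envelope/s11:Body/t:GetData/t:value = {0})", value);
        return new XPathMessageFilter(xpath, ctx);
    }

    // The router is contract-agnostic: it forwards whatever request it
    // receives, so each destination is described with the generic router contract.
    static List<ServiceEndpoint> Destination(string url)
    {
        var endpoint = new ServiceEndpoint(
            ContractDescription.GetContract(typeof(IRequestReplyRouter)),
            new BasicHttpBinding(),
            new EndpointAddress(url));
        return new List<ServiceEndpoint> { endpoint };
    }

    public static RoutingConfiguration BuildConfiguration()
    {
        var table = new MessageFilterTable<IEnumerable<ServiceEndpoint>>();
        // Higher priority entries are evaluated first.
        table.Add(ValueEquals(2), Destination("http://company-550eb0a:8080/Service2.svc"), 0);
        table.Add(ValueEquals(3), Destination("http://company-550eb0a:9090/Service3.svc"), 0);
        // Lowest priority: everything else stays with the site on port 7070.
        table.Add(new MatchAllMessageFilter(), Destination("http://company-550eb0a:7070/Service1.svc"), -1);
        return new RoutingConfiguration(table, false);    // false: inspect message bodies, not just headers
    }

    public static void Main()
    {
        var host = new ServiceHost(typeof(RoutingService), new Uri("http://localhost:7000/router")); // placeholder
        host.AddServiceEndpoint(typeof(IRequestReplyRouter), new BasicHttpBinding(), "");
        host.Description.Behaviors.Add(new RoutingBehavior(BuildConfiguration()));
        host.Open();
        Console.WriteLine("Router listening on {0}; press Enter to stop.", host.BaseAddresses[0]);
        Console.ReadLine();
        host.Close();
    }
}
```

A client that points wcftestclient.exe at the router address and calls GetData with 2 receives "WS #2: 2" from the site on port 8080, while the site's real URL is never exposed to the caller, which is the location-hiding property the article describes. In a deployment where the back-end sites must not be reachable directly, the destination bindings would use Transport security and the router endpoint would be the only address published.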

Previous article: The Architectural Framework of a Secure Web Service

Continue on to the next article: Message Level Security

© 2014 Microsoft