Message Security with an Anonymous Client
The following scenario shows a client and service secured by Windows Communication Foundation (WCF) message security. A design goal is to use message security rather than transport security, so that in the future it can support a richer claims-based model. For more information about using rich claims for authorization, see Managing Claims and Authorization with the Identity Model.
For a sample application, see Message Security Anonymous.
| Characteristic | Description |
|---|---|
|
Security Mode |
Message |
|
Interoperability |
WCF only |
|
Authentication (Server)
|
Initial negotiation requires server authentication, but not client authentication |
|
Authentication (Client) |
None |
|
Integrity |
Yes, using shared security context |
|
Confidentiality |
Yes, using shared security context |
|
Transport |
HTTP |
Service
The following code and configuration are meant to run independently. Do one of the following:
-
Create a stand-alone service using the code with no configuration.
-
Create a service using the supplied configuration, but do not define any endpoints.
Code
The following code shows how to create a service endpoint that uses message security.
// Create the binding. WSHttpBinding binding = new WSHttpBinding(); binding.Security.Mode = SecurityMode.Message; binding.Security.Message.ClientCredentialType = MessageCredentialType.None; // Create the URI for the endpoint. Uri httpUri = new Uri("http://localhost/Calculator"); // Create the service host and add an endpoint. ServiceHost myServiceHost = new ServiceHost(typeof(ServiceModel.Calculator), httpUri); myServiceHost.AddServiceEndpoint( typeof(ServiceModel.ICalculator), binding, ""); // Specify a certificate to authenticate the service. myServiceHost.Credentials.ServiceCertificate.SetCertificate( StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "00000000000000000000000000000000"); // Open the service. myServiceHost.Open(); Console.WriteLine("Listening..."); Console.ReadLine(); // Close the service. myServiceHost.Close();
Configuration
The following configuration can be used instead of the code. The service behavior element is used to specify a certificate that is used to authenticate the service to the client. The service element must specify the behavior using the behaviorConfiguration attribute. The binding element specifies that the client credential type is None, allowing anonymous clients to use the service.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceCredentialsBehavior">
<serviceCredentials>
<serviceCertificate findValue="contoso.com"
storeLocation="LocalMachine"
storeName="My" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="ServiceCredentialsBehavior"
name="ServiceModel.Calculator">
<endpoint address="http://localhost/Calculator"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_ICalculator"
name="CalculatorService"
contract="ServiceModel.ICalculator" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_ICalculator" >
<security mode="Message">
<message clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client />
</system.serviceModel>
</configuration>
Client
The following code and configuration are meant to run independently. Do one of the following:
-
Create a stand-alone client using the code (and client code).
-
Create a client that does not define any endpoint addresses. Instead, use the client constructor that takes the configuration name as an argument. For example:
Code
The following code creates an instance of the client. The binding uses message mode security, and the client credential type is set to none.
// Create the binding. WSHttpBinding myBinding = new WSHttpBinding(); myBinding.Security.Mode = SecurityMode.Message; myBinding.Security.Message.ClientCredentialType = MessageCredentialType.None; // Create the endpoint address. EndpointAddress ea = new EndpointAddress("http://localhost/Calculator"); // Create the client. CalculatorClient cc = new CalculatorClient(myBinding, ea); // Begin using the client. try { cc.Open(); Console.WriteLine(cc.Add(200, 1111)); Console.ReadLine(); // Close the client. cc.Close(); }
Configuration
The following code configures the client.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_ICalculator" >
<security mode="Message">
<message clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://machineName/Calculator"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_ICalculator"
contract="ICalculator"
name="WSHttpBinding_ICalculator">
<identity>
<dns value="contoso.com" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>
See Also
Build Date:
