WCF Security

There are two types of security in WCF. One is the security of Data and second is the security of medium through which message travel.

When we talk about the security of data then it is achieved by message security and if we talk about the security of medium through which message travel which is protocol security can be achieved by transport level security.

In this article I defined how to achieve message level security. There of different type of client credential and using this client credential we achieve message security. I am using wsHttpBinding to achieve message level security

Type of client Credential in message security

In this example I am using client credential username.

Following are code to implement the message security using client credential username

Create a class and inherit usernamepasswordvalidator class in it. This class will be found on System.IdentityModel.Selectors and override the method validate and verify the username and password.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.IdentityModel.Selectors;
using System.ServiceModel;

public class Credentioal:UserNamePasswordValidator
    public override void Validate(string userName, string password)
//you can also check from database
        if (userName == "isha" && password == "isha123")
        { }
            throw new FaultException("Wrong userid and pwd");


Go to your web.config file customize the binding and add message security and client credential username.

        <binding name="sec">
          <security mode="Message">
            <message clientCredentialType="UserName"></message>


Now create service tag and add this binding using bindingconfiguration tag which is as follows:-

      <service name="Service">
        <endpoint  address="" binding="wsHttpBinding" contract="IService" bindingConfiguration="sec" >


To implement message level security we need security certificate. So go to your start button and type inetmgr and choose server certificate

		message security in wcf
		Figure 1

Now create the server certificate from the left panel and choose create self-signed certificate and give it proper name as I give certificate name isha

server certificate

Now you can see your certificate here in the list

self signed server certificate

Now go to your web config file again and add this certificate and credential class in it

           <serviceCertificate findValue="isha"
            <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Credentioal, App_Code"/>

          <!-- To avoid disclosing metadata information, set the value below to false before deployment -->
          <serviceMetadata httpGetEnabled="true"/>
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false"/>


Now execute your service

message security with user name client credential

Now create your client application and add this reference and use the following credential:-

		using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class _Default : System.Web.UI.Page
    protected void Page_Load(object sender, EventArgs e)
        ServiceReference1.ServiceClient sv = new ServiceReference1.ServiceClient();
       sv.ClientCredentials.UserName.UserName = "isha";
       sv.ClientCredentials.UserName.Password = "isha123";


If you do not pass the credential or pass wrong credential it will simply give you error.