Security at both Message and Transport Level

  • Article

When using webservices we usually want the messages encrypted and also use SSL. This configuration as of now is not supported out of the box. We could use either tranport or message or a type called TransportWithMessageCredentials.
The 3rd type does not encrypt the soap message at the Message level but only supplies the claims(credentials) at this level. The security is pretty much provided at the Transport Level as the name should suggest.
The only binding that provides this out of the box is the following

<netMsmqBinding>
   <binding name="test">
       <security mode="Both"></security>
    </binding>
</netMsmqBinding>

WsHttpBinding provides a mixed mode but not both.
You can get a full listing here Predefined Bindings.

Incase you do want to use this you have to create a custom binding specifying each element. The behavior element can be used to specify the credentials that the message level security would use and the tranport can use say the server certificate from IIS. The snippet below shows a bare skeleton of this kind of binding.

<customBinding>
     <binding name="Binding1">
           <security authenticationMode="SecureConversation"
                           requireSecurityContextCancellation="true">
           </security>
           <textMessageEncoding messageVersion="Soap12WSAddressing10" writeEncoding="utf-8"/>
           <httpsTransport/>
      </binding>
</customBinding>