New Release: patterns & practices WCF Security Guide

Today we released our patterns & practices Improving Web Service Security: Scenarios and Implementation Guidance for WCF on MSDN. Using end-to-end application scenarios, this guide shows you how to design and implement authentication and authorization in WCF. You'll learn how to improve the security of your WCF services through prescriptive guidance including guidelines, a Q&A, practices at a glance, and step-by-step how-to articles. The guide is the result of a collaborative effort between patterns & practices, WCF team members, and industry experts.

Key Scenarios
Here are the key scenarios:

  • A development team that wants to adopt WCF.
  • A software architect or developer looking to get the most out of WCF, with regard to designing their application security.
  • Interested parties investigating the use of WCF but don’t know how well it would work for their deployment scenarios and constraints.
  • Individuals tasked with learning WCF security.
  • Authentication, authorization, and communication design for your services
  • Solution patterns for common distributed application scenarios using WCF
  • Principles, patterns, and practices for improving key security aspects in services

Contents at a Glance

  • Part I: Security Fundamentals for Web Services
  • Part II: Fundamentals of WCF Security
  • Part III: Intranet Application Scenarios
  • Part IV: Internet Application Scenarios
  • Foreword by Nicholas Allen
  • Foreword by Rockford Lhotka
  • Chapter 1: Security Fundamentals for Web Services
  • Chapter 2: Threats and Countermeasures for Web Services
  • Chapter 3: Security Design Guidelines for Web Services
  • Chapter 4: WCF Security Fundamentals
  • Chapter 5: Authentication, Authorization, and Identities in WCF
  • Chapter 6: Impersonation and Delegation in WCF
  • Chapter 7: Message and Transport Security
  • Chapter 8: Bindings
  • Chapter 9: Intranet - Web to Remote WCF Using Transport Security (Original Caller, TCP)
  • Chapter 10: Intranet - Web to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
  • Chapter 11: Intranet - Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
  • Chapter 12: Intranet - Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)
  • Chapter 13: Internet - WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
  • Chapter 14: Internet - Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
  • Chapter 15: Internet – Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)

Our Team

  • J.D. Meier
  • Carlos Farre
  • Jason Taylor
  • Prashant Bansode
  • Steve Gregersen
  • Madhu Sundararajan
  • Rob Boucher

Contributors / Reviewers

  • External Contributors / Reviewers: Andy Eunson; Anil John; Anu Rajendra; Brandon Bohling; Chaitanya Bijwe; Daniel Root; David P. Romig, Sr.; Dennis Rea; Kevin Lam; Michele Leroux Bustamante; Parameswaran Vaideeswaran; Rockford Lhotka; Rudolph Araujo; Santosh Bejugam
  • Microsoft Contributors / Reviewers: Alik Levin; Brandon Blazer; Brent Schmaltz; Curt Smith; David Bradley; Dmitri Ossipov; Jan Alexander; Jason Hogg; Jason Pang; John Steer; Marc Goodner; Mark Fussell; Martin Gudgin; Martin Petersen-Frey; Mike de Libero; Mohammad Al-Sabt; Nobuyuki Akama; Ralph Squillace; Richard Lewis; Rick Saling; Rohit Sharma; Scott Mason; Sidd Shenoy; Sidney Higa; Stuart Kwan; Suwat Chitphakdibodin; T.R. Vishwanath; Todd Kutzke; Todd West; Vijay Gajjala; Vittorio Bertocci; Wenlong Dong; Yann Christensen; Yavor Georgiev
Comments (9)

  1. Thank you for submitting this cool story – Trackback from DotNetShoutout

  2. 张逸 says:


  3. geff zhang says:

    On February 11, J.D. Meier announced on his blog that Patterns

  4. Composite Application Guidance for WPF and Silverlight v2.0 (PRISM) is now available. What is PRISM The

  5. gsm says:

    Read your blogs. Have a question about end-to-end message security (custom username authentication using wshttpbinding).

    Consider this scenario:

    I have WCFService1 that receives the username and password from the Windows client.

    Now I need to call WCFService2 from WCFService1. Also, I have to pass the username and password received.

    The issue I have is I'm not able to access the password in WCFService1 (received in the custom UsernamePasswordValidator) so that I can pass it to WCFService2 from my business logic. (I call WCFService2 based on some business logic.)

  6. Paul Smith says:

    The UsernameToken profile does in fact allow this using the SendPlainText option – take a look at this excellent post for a complete discussion of UNTs.

    I think (but haven’t tried it) that you can set the authentication mode to UserNameOverTransport which will provide the desired effect… Let me know if this works for you.
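    As an added example (not code from the post or from either commenter), this is what Paul Smith's suggestion looks like in WCF: a CustomBinding built from UserNameOverTransport plus HTTPS, with a custom UserNamePasswordValidator installed on the host. The validator class, the in-memory credential store and the host helper are hypothetical names constructed for this example.

    ```csharp
    using System;
    using System.IdentityModel.Selectors;
    using System.IdentityModel.Tokens;
    using System.ServiceModel;
    using System.ServiceModel.Channels;
    using System.ServiceModel.Security;

    // Hypothetical validator. WCF calls Validate() once per request with the
    // cleartext credentials from the UsernameToken; this is the only point at
    // which the service sees the password, so check it here and keep only the
    // outcome (the caller's user name flows on as the request identity).
    public class StoreBackedValidator : UserNamePasswordValidator
    {
        // Stand-in for a real credential store (constructed for this example;
        // a real store compares against a salted hash, never a stored password).
        private static readonly Func<string, string, bool> Store =
            (user, pwd) => user == "alice" && pwd == "correct horse battery";

        public override void Validate(string userName, string password)
        {
            if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
                throw new SecurityTokenException("Credentials required.");

            // One message for unknown user and wrong password: do not reveal which.
            if (!Store(userName, password))
                throw new SecurityTokenException("Unknown user name or incorrect password.");
        }
    }

    public static class UsernameOverTransportHost
    {
        // UsernameToken in the SOAP header, confidentiality and integrity from
        // the HTTPS transport only (no message-level encryption of the token).
        public static Binding CreateBinding()
        {
            var security = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
            return new CustomBinding(security, new HttpsTransportBindingElement());
        }

        public static ServiceHost Open(Type serviceType, Type contractType, Uri httpsAddress)
        {
            var host = new ServiceHost(serviceType, httpsAddress);
            host.AddServiceEndpoint(contractType, CreateBinding(), string.Empty);

            var auth = host.Credentials.UserNameAuthentication;
            auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
            auth.CustomUserNamePasswordValidator = new StoreBackedValidator();

            host.Open();
            return host;
        }
    }
    ```

    Because this binding relies on the transport for protection, the endpoint must be HTTPS; the guide's Trusted Subsystem scenarios (Part III) avoid holding the caller's password beyond Validate() by calling the second-hop service under the service's own identity rather than relaying the user's credentials.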

  7. patterns & practices WCF Security Guide: The WCF security guide shows how to design

