What’s the Difference Between Transport and Message Security in WCF?
Transport security is provided by the transport protocol. The most common example is SSL for the HTTP protocol. Message security is provided by encapsulating user credential and claims in every message. With message security, any protocol can be used.
[This article originally appeared in the Patterns and Practices topic " Chapter 7: Message and Transport Security " at
http://msdn.microsoft.com/en-us/library/ff648863.aspx]
Transport Security
With transport security, the user credentials and claims are passed by using the transport layer. In other words, user credentials are transport-dependent, which allows fewer authentication options compared to message security. Each transport protocol (TCP, IPC, MSMQ, or HTTP) has its own mechanism for passing credentials and handling message protection. The most common approach for this is to use Secure Sockets Layer (SSL) for encrypting and signing the contents of the packets sent over Secure HTTP (HTTPS).
Transport security is used to provide point-to-point security between the two endpoints (service and client). If there are intermediary systems between client and the service, each intermediate point must forward the message over a new SSL connection.
Figure 1
Transport Security
Message Security
When using message security, the user credentials and claims are encapsulated in every message using the WS-Security specification to secure messages. This option gives the most flexibility from an authentication perspective. You can use any type of security credentials you want, largely independent of transport, as long as both the client and service agree.
More information about [[WCF]] security can be found here and here
Other Languages
This article is also available in the following languages: