Security Context

Security contexts enable the establishment of a message security context according to WS-SecureConversation. That context can then be used to secure messages as an alternative to one-shot security where the credentials are transmitted for every request. The established security context is a more efficient method of securing messages when multiple messages are exchanged.

Security contexts require bootstrap security credentials, which secure the exchange that establishes the context; once established, messages sent within the context are secured by the context itself rather than by the bootstrap credentials. The WS_KERBEROS_APREQ_MESSAGE_SECURITY_BINDING, WS_XML_TOKEN_MESSAGE_SECURITY_BINDING, and WS_USERNAME_MESSAGE_SECURITY_BINDING structures may be used for this purpose.

Security contexts are a message security feature and are configured by way of message security bindings.

Client

On the client side, the security context is tied to a particular channel. It is configured using the WS_SECURITY_CONTEXT_MESSAGE_SECURITY_BINDING. Behavior and lifetime of the context are determined by the channel. When the first message is sent on the channel, the security context is established. After that, the context is proactively renewed at a configurable interval. If the server returns a fault indicating that the context requires renewal, the context is renewed when the next message is sent. If the channel is in the open state, the context is canceled by a cancel message when the channel is closed.

Server

On the server, a security context is configured the same way as on the client. However, it is not tied to any particular channel. Instead, all channels created for the listener that has the WS_SECURITY_CONTEXT_MESSAGE_SECURITY_BINDING set are capable of receiving messages with any of the security contexts that were established on channels of that listener.

When a message arrives on a channel that supports security contexts, the context used by that message can be obtained by calling the WsGetMessageProperty function with the WS_MESSAGE_PROPERTY_SECURITY_CONTEXT property ID. The retrieved WS_SECURITY_CONTEXT can then be passed to WsRevokeSecurityContext, which stops the listener from accepting further messages secured with that context, and to WsGetSecurityContextProperty.
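
The client lifecycle (establish on first send, proactive renewal, renewal after a fault, cancel on close) and the server's listener-wide view of contexts, modeled as an added example that is not part of the original page and does not call the Windows Web Services API. Every type and function name here (listener_store, client_channel, channel_send, store_revoke, and so on) is an assumption made for this model; the real handle is WS_SECURITY_CONTEXT and the real calls are WsGetMessageProperty, WsGetSecurityContextProperty and WsRevokeSecurityContext.

```c
/* Added example, not Windows Web Services API code: a portable model of the
 * security-context lifecycle described above. All types and functions here
 * are invented for illustration (the real handle is WS_SECURITY_CONTEXT). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CONTEXTS 8

typedef enum { EV_NONE, EV_ESTABLISH, EV_RENEW, EV_CANCEL } sc_event;

/* Server side: one store per listener, shared by all of its channels. */
typedef struct {
    uint32_t id[MAX_CONTEXTS];
    bool     revoked[MAX_CONTEXTS];
    int      count;
    uint32_t next_id;
} listener_store;

/* Client side: the context belongs to exactly one channel. */
typedef struct {
    bool            open, established;
    uint32_t        context_id;
    uint64_t        refreshed_at;   /* time of establish or last renew */
    uint64_t        renew_interval; /* proactive renewal interval */
    bool            renew_required; /* set by a renew fault from the server */
    listener_store *peer;           /* the listener's store, in this model */
} client_channel;

/* Establishment: the listener issues a new context identifier (0 = failure). */
static uint32_t store_issue(listener_store *s) {
    if (s->count >= MAX_CONTEXTS) return 0;
    uint32_t id = ++s->next_id;
    s->id[s->count] = id;
    s->revoked[s->count] = false;
    s->count++;
    return id;
}

/* Analogue of resolving WS_MESSAGE_PROPERTY_SECURITY_CONTEXT on arrival:
 * any channel of the listener accepts any live context of that listener. */
static bool store_accepts(const listener_store *s, uint32_t id) {
    for (int i = 0; i < s->count; i++)
        if (s->id[i] == id) return !s->revoked[i];
    return false;
}

/* Analogue of WsRevokeSecurityContext: later messages with this id are refused. */
static void store_revoke(listener_store *s, uint32_t id) {
    for (int i = 0; i < s->count; i++)
        if (s->id[i] == id) s->revoked[i] = true;
}

static void channel_open(client_channel *c, listener_store *peer, uint64_t interval) {
    c->open = true; c->established = false; c->context_id = 0;
    c->refreshed_at = 0; c->renew_interval = interval;
    c->renew_required = false; c->peer = peer;
}

/* Send an application message at time `now`; returns the context-management
 * exchange the channel had to perform first, if any. */
static sc_event channel_send(client_channel *c, uint64_t now) {
    if (!c->open) return EV_NONE;
    if (!c->established) {                      /* first message: establish */
        c->context_id = store_issue(c->peer);
        c->established = (c->context_id != 0);
        c->refreshed_at = now;
        return c->established ? EV_ESTABLISH : EV_NONE;
    }
    if (c->renew_required || now - c->refreshed_at >= c->renew_interval) {
        c->refreshed_at = now;                  /* renew: same id, fresh key */
        c->renew_required = false;
        return EV_RENEW;
    }
    return EV_NONE;
}

/* The server answered with a fault saying the context must be renewed;
 * the renewal is performed on the next send. */
static void channel_renew_fault(client_channel *c) { c->renew_required = true; }

/* Closing an open channel cancels its context with a cancel message. */
static sc_event channel_close(client_channel *c) {
    if (!c->open) return EV_NONE;
    c->open = false;
    if (!c->established) return EV_NONE;
    store_revoke(c->peer, c->context_id);
    c->established = false;
    return EV_CANCEL;
}

int main(void) {
    listener_store srv = {0};
    client_channel ch;
    channel_open(&ch, &srv, 100);
    printf("send@0   -> %d (1 = establish)\n", channel_send(&ch, 0));
    printf("send@100 -> %d (2 = renew)\n", channel_send(&ch, 100));
    sc_event e = channel_close(&ch);
    printf("close    -> %d (3 = cancel), accepted after close: %d\n",
           e, store_accepts(&srv, ch.context_id));
    return 0;
}
```

The point the model makes explicit: on the client the context state lives in the channel, so a second channel to the same listener establishes its own context, while on the server acceptance is decided against the listener's store, so a context revoked through one channel is refused on every channel of that listener from then on.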

Metadata

The WS_SECURITY_CONTEXT_MESSAGE_SECURITY_BINDING_CONSTRAINT structure is used to extract the security context policy from metadata. For more information, see Metadata Import.

The following API elements are used with security contexts.

Enumeration                      Description
WS_SECURITY_CONTEXT_PROPERTY_ID  Identifies a property of a security context object.

Function                         Description
WsGetSecurityContextProperty     Gets a property of the specified security context.
WsRevokeSecurityContext          Revokes a security context.

Handle                           Description
WS_SECURITY_CONTEXT              An opaque type used to reference a security context object.

Structure                        Description
WS_SECURITY_CONTEXT_PROPERTY     Defines a property of a WS_SECURITY_CONTEXT.