.NET Technical bits: WCF Message Security

Thursday, May 6, 2010

WCF Message Security

With message security, the user credentials and claims are encapsulated in every message, and the messages themselves are secured using the WS-Security specification. This option gives the most flexibility from an authentication perspective: you can use any type of security credentials you want, largely independent of the transport, as long as both the client and the service agree.



Use message security for the following scenarios:

• You are sending a message to a WCF service, and the message is likely to be forwarded to other WCF services or may be routed through intermediate systems.
• Your WCF clients are accessing the WCF service over the Internet, other intermediate systems may sit in between, and security is your top consideration.

Using message security has the following advantages:

• It provides end-to-end security. Because message security directly encrypts and signs the message, having intermediaries does not break the security.
• It allows partial or selective message encryption and signing, thus improving overall application performance.
• Message security is transport-independent and can be used with any transport protocol.
• It supports a wide set of credentials and claims, including issued tokens, which enable federated security.
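
The selective signing and encryption listed above can be set per message part with `ProtectionLevel`. The following C# program is an added example, not code from the original post; the contract, type names and address are hypothetical, and it assumes .NET Framework with Windows credentials so that no service certificate is needed.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;
// Hypothetical contract: type names, namespace and address are assumptions.
[MessageContract]
public class OrderRequest
{
    // Routing hint: signed for integrity, left readable for intermediaries.
    [MessageHeader(ProtectionLevel = ProtectionLevel.Sign)]
    public string Region;
    // Sensitive payload: encrypted and signed end to end.
    [MessageBodyMember(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
    public string CardNumber;
}
[MessageContract]
public class OrderResponse
{
    [MessageBodyMember(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
    public string Confirmation;
}
[ServiceContract(Namespace = "urn:example:orders")]
public interface IOrderService
{
    [OperationContract]
    OrderResponse Submit(OrderRequest request);
}
public class OrderService : IOrderService
{
    public OrderResponse Submit(OrderRequest request)
    {
        // The caller's identity comes from the WS-Security credentials in the message.
        string caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        return new OrderResponse { Confirmation = "Accepted for " + caller };
    }
}
public static class Program
{
    public static void Main()
    {
        // Message security over plain HTTP: protection lives in the SOAP
        // envelope (WS-Security), not in the transport.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        var host = new ServiceHost(typeof(OrderService), new Uri("http://localhost:8000/orders"));
        host.AddServiceEndpoint(typeof(IOrderService), binding, "");
        host.Open();
        Console.ReadLine(); // keep the host alive until Enter is pressed
        host.Close();
    }
}
```

Switching `ClientCredentialType` to `UserName`, `Certificate` or `IssuedToken` changes the credential carried in each message without touching the transport, but those options require a service certificate to be configured on the host.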

Using message security has the following disadvantages:

• This option may reduce performance compared to transport security because each individual message is encrypted and signed.
• It does not support interoperability with older ASP.NET Web Services (ASMX) clients because it requires both the client and service to support WS-Security specifications.
