<message> of <netHttpBinding>

Defines the settings for message-level security of the <netHttpBinding>.

<configuration>
  <system.serviceModel>
    <bindings>
      <netHttpBinding>
        <binding>
          <security>
            <message>

Syntax

<message algorithmSuite="Basic128/Basic192/Basic256/Basic128Rsa15/Basic256Rsa15/TripleDes/TripleDesRsa15/Basic128Sha256/Basic192Sha256/TripleDesSha256/Basic128Sha256Rsa15/Basic192Sha256Rsa15/Basic256Sha256Rsa15/TripleDesSha256Rsa15"
         clientCredentialType="UserName/Certificate" />

Attributes and Elements

The following sections describe attributes, child elements, and parent elements.

Attributes

Attribute | Description
algorithmSuite | Sets the message encryption and key-wrap algorithms. This attribute is of type SecurityAlgorithmSuite, which specifies the algorithms and the key sizes. These algorithms map to those specified in the Security Policy Language (WS-SecurityPolicy) specification. The default value is Basic256.
clientCredentialType | Specifies the type of credential to be used when performing client authentication using message-based security. The default is UserName.

clientCredentialType Attribute

Value | Description
UserName | Requires that the client be authenticated to the server with a UserName credential. This credential needs to be specified using the <clientCredentials> element. WCF does not support sending a password digest or deriving keys from passwords and using such keys for message security; therefore WCF enforces that the transport be secured when using UserName credentials. For the basicHttpBinding, this requires setting up an SSL channel.
Certificate | Requires that the client be authenticated to the server using a certificate. The client credential in this case needs to be specified using <clientCredentials> and the <clientCertificate> element. In addition, when using message security mode, the client needs to be provisioned with the service certificate. The service credential in this case needs to be specified using the ClientCredentials class or the ClientCredentials behavior element, specifying the service certificate using the <serviceCertificate> element of serviceCredentials.

Child Elements

None

Parent Elements

Element | Description
<security> element of <netHttpBinding> | Defines the security capabilities for the <netHttpBinding> element.

Example

This sample demonstrates how to implement an application that uses the basicHttpBinding and message security. In the following configuration example for a service, the endpoint definition specifies the basicHttpBinding and references a binding configuration named Binding1. The certificate that the service uses to authenticate itself to the client is set in the behaviors section of the configuration file under the serviceCredentials element. The validation mode that applies to the certificate that the client uses to authenticate itself to the service is also set in the behaviors section under the clientCertificate element.

The same binding and security details are specified in the client configuration file.

<system.serviceModel>
  <services>
    <service name="Microsoft.ServiceModel.Samples.CalculatorService"
             behaviorConfiguration="CalculatorServiceBehavior">
      <host>
        <baseAddresses>
          <add baseAddress="http://localhost:8000/ServiceModelSamples/service" />
        </baseAddresses>
      </host>
      <!-- this endpoint is exposed at the base address provided by host: http://localhost:8000/ServiceModelSamples/service  -->
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="Binding1"
                contract="Microsoft.ServiceModel.Samples.ICalculator" />
      <!-- the mex endpoint is exposed at http://localhost:8000/ServiceModelSamples/service/mex -->
      <endpoint address="mex"
                binding="mexHttpBinding"
                contract="IMetadataExchange" />
    </service>
  </services>
  <bindings>
    <basicHttpBinding>
      <!-- This configuration defines the SecurityMode as Message and
           the clientCredentialType as Certificate. -->
      <binding name="Binding1" >
        <security mode="Message">
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <!--For debugging purposes set the includeExceptionDetailInFaults attribute to true-->
  <behaviors>
    <serviceBehaviors>
      <behavior name="CalculatorServiceBehavior">
        <serviceMetadata httpGetEnabled="True" />
        <serviceDebug includeExceptionDetailInFaults="False" />
        <!-- The serviceCredentials behavior allows one to define a service certificate.
             A service certificate is used by a client to authenticate the service and provide message protection.
             This configuration references the "localhost" certificate installed during the setup instructions. -->
        <serviceCredentials>
          <serviceCertificate findValue="localhost"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectName" />
          <clientCertificate>
            <!-- Setting the certificateValidationMode to PeerOrChainTrust means that if the certificate
                 is in the user's Trusted People store, then it will be trusted without performing a
                 validation of the certificate's issuer chain. This setting is used here for convenience so that the
                 sample can be run without having to have certificates issued by a certification authority (CA).
                 This setting is less secure than the default, ChainTrust. The security implications of this
                 setting should be carefully considered before using PeerOrChainTrust in production code. -->
            <authentication certificateValidationMode="PeerOrChainTrust" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
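The same service configured on netHttpBinding, the element this page documents, added here as an example that is not part of the original page: it sets algorithmSuite explicitly and keeps the default ChainTrust validation instead of the sample's PeerOrChainTrust. Service, contract and certificate subject names are assumed placeholders.

```xml
<!-- Added example, not from the original page. Service, contract and
     certificate subject names are placeholders. -->
<system.serviceModel>
  <services>
    <service name="Example.CalculatorService"
             behaviorConfiguration="CalculatorServiceBehavior">
      <host>
        <baseAddresses>
          <add baseAddress="http://localhost:8000/Example/service" />
        </baseAddresses>
      </host>
      <endpoint address=""
                binding="netHttpBinding"
                bindingConfiguration="MessageCertificateBinding"
                contract="Example.ICalculator" />
    </service>
  </services>
  <bindings>
    <netHttpBinding>
      <binding name="MessageCertificateBinding">
        <security mode="Message">
          <!-- Basic256Sha256: AES-256 and RSA-OAEP key wrap as in the default
               Basic256, but SHA-256 digests instead of SHA-1. With Certificate
               the http base address is acceptable; UserName would need https. -->
          <message algorithmSuite="Basic256Sha256"
                   clientCredentialType="Certificate" />
        </security>
      </binding>
    </netHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="CalculatorServiceBehavior">
        <serviceCredentials>
          <serviceCertificate findValue="SERVICE-CERT-SUBJECT-PLACEHOLDER"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectName" />
          <clientCertificate>
            <!-- ChainTrust (the default) validates the issuer chain, unlike the
                 PeerOrChainTrust convenience setting in the sample above. -->
            <authentication certificateValidationMode="ChainTrust"
                            revocationMode="Online" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

The client configuration must use a matching <netHttpBinding> binding with the same security mode, algorithmSuite and clientCredentialType, and must be provisioned with the service certificate.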
