
My WCF service uses wsHttpBinding configured with:

<security mode="TransportWithMessageCredential">
    <message establishSecurityContext="True" clientCredentialType="UserName"/>
    <transport clientCredentialType="None" proxyCredentialType="None"/>
</security>

One of our partners is trying to invoke our services using the Java Metro library. They have this problem. I have to set establishSecurityContext="False" for this to work. We did a quick test and it does indeed work when I set it to false.

What would be the impacts of not using secure sessions (by setting establishSecurityContext="False")? I'm already running on HTTPS, so will I be OK in terms of security? And are there other impacts to consider (performance, maybe)?

Thanks

Sylvain

1 Answer


The difference is that on a non-SCT (security context token) enabled endpoint, key exchange and validation must be done per call, as opposed to being done once and cached for the session, with only an SCT passed around in the messages instead. SCTs are based on a symmetric key, which makes them much more efficient for signing/encrypting the message. The use of an SCT is very good when the client is expected to make many calls in succession, because it alleviates the need to do the exchange and validation of a one-off key every time.

What I would recommend is that you just expose another endpoint for clients that don't support SCTs and tell them to use that. Clients that can use SCTs you keep pointed at the default endpoint and keep all the benefits that come with it.

For more on the subject, check out section three of the WS-SecureConversation documentation.

Marcos Dimitrio
Drew Marsh
  • excellent recommendation on using a separate endpoint - allows each client type to use the "best" endpoint for them! – marc_s Nov 06 '09 at 06:48
  • 1
    Drew, my clients open and close their channel on each service call. Even if I have secure sessions enabled; they don't get the benefits of that. Is that correct? – Sylvain Nov 09 '09 at 13:43
  • 3
    That's right. If you close, you terminate the session and would lose any benefit. Like I said, it's best if you're pooling the clients yourself or are making multiple calls in succession. Also, I didn't point it out, but keep in mind that using SCTs means that you are using sessions on the server side so keep that in mind. For example, the default value for maxConcurrentSessions is 10. – Drew Marsh Nov 09 '09 at 16:40
  • An old question, but still relevant. SCT does not seem to pass through HTTPS level load balancer, that acts as an SSL terminator, even if SSL off-loading is not used. I.e. Client hits the Load Balancer with SSL, the later terminates and starts a new SSL connection to some machine behind the Load Balancer. This does not work with mutual SSL authentication and neither does it seems to work with SCT. – mark Sep 19 '15 at 00:11
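As an added example (not part of the original answer or Microsoft's documentation), this is what the two-endpoint layout recommended above looks like in the service's web.config, together with the serviceThrottling element where the maxConcurrentSessions limit mentioned in the comments is raised. The service and contract names (Example.PartnerService, Example.IPartnerService), the relative address nosession, the base address and the throttle value 100 are assumptions chosen for illustration. Both bindings keep TransportWithMessageCredential, so the UserName credential still travels inside an HTTPS channel on each endpoint; the only difference is that the no-session endpoint has no cached SCT, so the UserName token is sent and validated on every call.

```xml
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Default endpoint: WS-SecureConversation on. The first call
           negotiates a symmetric session key; later calls carry only
           the SCT and the server keeps per-client session state. -->
      <binding name="wsHttpSession">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName"
                   establishSecurityContext="true"/>
          <transport clientCredentialType="None"
                     proxyCredentialType="None"/>
        </security>
      </binding>
      <!-- Endpoint for clients that cannot do secure conversation
           (the Metro case above). No SCT: the UserName token is sent
           and validated on every call; HTTPS still protects it. -->
      <binding name="wsHttpNoSession">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName"
                   establishSecurityContext="false"/>
          <transport clientCredentialType="None"
                     proxyCredentialType="None"/>
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <services>
    <!-- Example.PartnerService / Example.IPartnerService are assumed names. -->
    <service name="Example.PartnerService" behaviorConfiguration="throttled">
      <!-- Same contract exposed twice, one address per binding. -->
      <endpoint address=""
                binding="wsHttpBinding"
                bindingConfiguration="wsHttpSession"
                contract="Example.IPartnerService"/>
      <endpoint address="nosession"
                binding="wsHttpBinding"
                bindingConfiguration="wsHttpNoSession"
                contract="Example.IPartnerService"/>
      <endpoint address="mex"
                binding="mexHttpsBinding"
                contract="IMetadataExchange"/>
      <host>
        <baseAddresses>
          <!-- Assumed base address; must be https for TransportWithMessageCredential. -->
          <add baseAddress="https://localhost/PartnerService/"/>
        </baseAddresses>
      </host>
    </service>
  </services>

  <behaviors>
    <serviceBehaviors>
      <behavior name="throttled">
        <serviceMetadata httpsGetEnabled="true"/>
        <!-- Only the SCT endpoint creates server-side sessions, so this
             cap applies to it. 100 is an assumed value, not a recommendation. -->
        <serviceThrottling maxConcurrentSessions="100"/>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

A client that opens and closes its channel on every call gets nothing from the session endpoint and only pays the extra RST/RSTR round trip, so point such clients (and anything behind a TLS-terminating load balancer that does not pin a client to one backend) at the nosession address, and keep the session endpoint for clients that hold a channel open across many calls.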