WCF security is truly a vast topic. The number of details to master is daunting, and intricate relationships exist between the various aspects. The programming model is very complex, and at first you're likely to have an inescapable feeling of navigating a maze. To make things even worse, getting it wrong has severe implications both at the application and the business level. To simplify things, I came up with a declarative security framework for WCF. For the service, I have provided a security attribute (with matching support for the host), and for the client I have provided a few helper classes and secure proxy classes. My declarative framework grossly simplifies WCF security configuration, placing it on a par with other aspects of WCF configuration such as transactions and synchronization. My goal was to provide a declarative model that would be simple to use and would minimize the need to understand the many details of security. As a developer, all you need to do is select the correct scenario (out of the five common scenarios discussed in this chapter), and my framework will automate the configuration. Not only that, but my framework mandates the correct options and enforces my recommendations. At the same time, my model maintains granularity and allows developers to control the underlying configuration if the need arises.
Example 10-19 lists the definition of the SecurityBehaviorAttribute and the ServiceSecurity enum. ...