
.NET 3.0 Roadshow: Instance management, security in WCF

Dr. Dobbs' .NET 3.0 Roadshow devoted much attention to Windows Communication Foundation. Here we look at how to manage and secure the messages that WCF sends.

Dr. Dobbs' .NET 3.0 Roadshow featured six sessions devoted to Windows Communication Foundation, as opposed to just four sessions for the remaining three tools in .NET 3.0.

"WCF is by far the most important piece of .NET 3.0," Juval Lowy, principal of IDesign, said when the two-day seminar came to Boston last week. "It's the one [piece] that Microsoft spent the most time on…and it's the one you're most likely to use right away."

After covering the basics of WCF, Lowy led separate sessions on instance management, operations and calls, and transactional services. Michele Leroux Bustamante, chief architect at IDesign, led a talk on WCF Security. Below are summaries of the sessions devoted to instance management and security. (Editor's note: was not present for the sessions about operations and calls and transactional services.)

At the most basic level, WCF sits on top of the CLR, or Common Language Runtime, and sends SOAP messages from a client to a service via a proxy, and vice versa. A proxy is a CLR interface and a class representing a service.

Instance management refers to the way a service handles a request from a client. This process is not universal for all instances because applications are too different and service-oriented architecture is too complex, Lowy said.

There are three ways to address instance management. In the first case, per-call service, a new object is created and destroyed for each individual message. Since proxies are used for milliseconds at a time, this method provides an incredible level of scalability and is thus used most often, Lowy said.

In the second method, known as sessionful, WCF recognizes all similar messages between a client and a service and sends those messages to the same instance. When the proxy closes, the session ends.

The third method, the singleton method, gives all clients the same service instance. This method works well only when explicit sharing is required, Lowy said: "The singleton is the sworn enemy of scalability. Why is that? It is the need to synchronize."

Other instance management techniques include demarcating operations, a technique for starting and terminating a message, and throttling, which limits the responsiveness of clients in certain scenarios to make sure a service does not max out. The former is designated in a service contract, while the latter is defined in a service's config file, Lowy said.

Because Windows Communication Foundation is intended for large-scale Web services applications, security reaches down to the message level -- both the body of a message and its security tokens are encrypted, and all messages go through an intermediary proxy or firewall on the way from the service to the client.

Other security settings within WCF include the following:

  • Client and service certificates, which are required for non-Windows credentials;
  • The use of a security context token in message headers, which eliminates the need to send and reauthenticate a token with each call;
  • The use of ASP.NET role providers for token authorization; and
  • Algorithms for message encryption and signing. "This is pretty deep. If the default is working, don't touch it," Leroux Bustamante said. "[But] if you're having communication issues, make sure you remember that the algorithms might be the problem."
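
As an added illustration (not code from the roadshow or from the speakers), the service configuration below shows where the settings listed above, and the throttling mentioned earlier, live in a WCF config file. The service, contract, certificate subject and role provider names are hypothetical, and the throttle values are constructed for the example.

```xml
<!-- Added example; Example.* names, the certificate subject and
     exampleRoleProvider are hypothetical placeholders. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="partnerBinding">
          <!-- Message-level security: the SOAP message itself is signed and encrypted. -->
          <security mode="Message">
            <!-- Certificate = non-Windows client credential.
                 establishSecurityContext issues a security context token so the
                 client is not reauthenticated on every call.
                 algorithmSuite is shown at its default; change it only when the
                 other party cannot interoperate with it. -->
            <message clientCredentialType="Certificate"
                     establishSecurityContext="true"
                     algorithmSuite="Basic256" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="partnerBehavior">
          <serviceCredentials>
            <!-- Certificate the service presents to clients. -->
            <serviceCertificate findValue="CN=example-service"
                                storeLocation="LocalMachine" storeName="My"
                                x509FindType="FindBySubjectDistinguishedName" />
            <!-- How client certificates are validated. -->
            <clientCertificate>
              <authentication certificateValidationMode="ChainTrust"
                              revocationMode="Online" />
            </clientCertificate>
          </serviceCredentials>
          <!-- Authorization through an ASP.NET role provider, which must be
               defined under system.web/roleManager (not shown). -->
          <serviceAuthorization principalPermissionMode="UseAspNetRoles"
                                roleProviderName="exampleRoleProvider" />
          <!-- Throttling caps load so the service does not max out. -->
          <serviceThrottling maxConcurrentCalls="16" maxConcurrentSessions="10"
                             maxConcurrentInstances="26" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="Example.OrderService" behaviorConfiguration="partnerBehavior">
        <endpoint address="" binding="wsHttpBinding"
                  bindingConfiguration="partnerBinding"
                  contract="Example.IOrderService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```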

Ultimately, the level of security placed upon WCF messages depends on whether one is building an intranet application, a business partner application or an Internet app, Leroux Bustamante said.

Developers should use each of those three scenarios as a "boilerplate" and work from there, she noted, adding that code samples for each scenario are available in Leroux Bustamante's blog.
