A WCF service can serve many concurrent client applications. However, an increase in the number of concurrent client applications can have a negative impact on the overall performance of the service. This can affect operation response times and the robustness of the service.
Impersonation enables the service to perform activities such as connecting to a database or opening files by using the identity of the client application. There are obvious security issues with impersonation, so you should use it with care; however, it does make auditing a lot easier.
As noted earlier, WCF introduces another option for service authorization in the claims-based model.
You can enforce authorization requirements by using role-based or claims-based authorization models. The following gives information about the role-based model.
The ServiceSecurityContext class represents the security context of the remote party that is being communicated with.
The credentials that are required for communication between a client application and a service are exchanged when the communication is first established. If a client application requires a service to provide its credentials before it accepts response messages, it is often impractical to provide credentials in code on the server side.
Both the client application and the service can request that an incoming message provide the credentials of the sender. The table below discusses issues that are related to credentials.
Both transport-based and message-based binding configurations can specify one of six client credential types. Each binding supports some or all of the credential types that are listed below.
Security is an issue that must be addressed in all Web services, not just in the ones that support the WS-* protocols. This table looks at interoperating with various security policies.
You can specify the protection level that is required by messages that are sent to operations by using the OperationContract and ServiceContract attributes.
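The following added example (not code from the original page) sets a contract-wide protection level, overrides it for one operation, and reads the caller's identity from ServiceSecurityContext for auditing. The names IOrderService and OrderService, the endpoint address and the port are hypothetical.

```csharp
// Added example: contract, service and address names are hypothetical.
using System;
using System.Net.Security;
using System.ServiceModel;

// Contract-wide minimum: every message must be signed and encrypted.
[ServiceContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
public interface IOrderService
{
    // Inherits EncryptAndSign from the contract.
    [OperationContract]
    void SubmitOrder(string orderXml);

    // Per-operation override: integrity is required, confidentiality is not.
    [OperationContract(ProtectionLevel = ProtectionLevel.Sign)]
    string GetCatalogVersion();
}

public class OrderService : IOrderService
{
    public void SubmitOrder(string orderXml)
    {
        // Current is null when the binding applies no security at all.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
            throw new FaultException("Authenticated caller required.");

        // Audit record uses the authenticated identity, not client-supplied data.
        Console.WriteLine("SubmitOrder called by {0}", ctx.PrimaryIdentity.Name);
    }

    public string GetCatalogVersion() { return "1.0"; }
}

public static class Program
{
    public static void Main()
    {
        var host = new ServiceHost(typeof(OrderService),
                                   new Uri("net.tcp://localhost:9000/orders"));
        // NetTcpBinding defaults to transport security with Windows credentials,
        // which meets the EncryptAndSign minimum declared on the contract.
        host.AddServiceEndpoint(typeof(IOrderService), new NetTcpBinding(), "");
        host.Open();
        Console.WriteLine("Listening. Press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

The protection level on the contract is a minimum requirement: if the endpoint's binding cannot provide it (for example, a binding with security turned off), the host throws when the endpoint is opened instead of silently sending unprotected messages.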