Programming and Learning from SD

Turning establishSecurityContext off (it is on by default) was recommended by Dominick Baier in the IAC course on Pluralsight, in the Security Best Practices module (State Management), for clients that make lots of short calls.

“Other protocols like the WS 2007 Federation HttpBinding, they support state and unfortunately it’s turned on by default…. [uses] WS-Secure Conversation which is kind of heavy handed. It is quite complex as well and it has some performance implications.” ~ Pluralsight video

http://www.code-magazine.com/article.aspx?quickid=0611051&page=2 also recommends turning it off if you are only making a single call.

“If you are using the WSHttpBinding and do not need to establish a secure session, set the EstablishSecurityContext property to false.” The MSDN documentation describes TransportWithMessageCredential as follows: it “uses the transport layer to secure the message transfer, while every message includes the rich credentials other services need. This combines the performance advantage of transport security with the rich credentials advantage of message security. This is available with the following bindings: BasicHttpBinding, WSFederationHttpBinding, NetPeerTcpBinding, and WSHttpBinding.” ~ http://msdn.microsoft.com/en-us/library/ms731925.aspx

http://stackoverflow.com/questions/1683724/what-are-the-impacts-of-setting-establishsecuritycontext-false-if-i-use-

From http://forums.asp.net/t/1760793.aspx/1?establishSecurityContext+false+ ~ Question: “What are the disadvantages of setting establishSecurityContext="false"?” Answer: “Actually, if you set establishSecurityContext to false, key exchange and validation must be done per call instead of being done once and cached for the session… The use of security tokens is good when the client is expected to make several/many calls in a row because you don't have to do key exchange and validation every call. Note that you have to keep the WCF connection (channel) open to benefit from enabling this setting.”

http://leastprivilege.com/2012/06/19/session-token-support-for-asp-net-web-api/ ~ establishSecurityContext is a WCF binding setting (WS-SecureConversation); it does not apply to ASP.NET Web API, which needs its own session-token approach, as that post describes.

<system.serviceModel>
  <bindings>
    <ws2007FederationHttpBinding>
      <binding>
        <!-- HTTPS protects the wire; each message carries its own credential -->
        <security mode="TransportWithMessageCredential">
          <!-- default is "true": a WS-SecureConversation session is negotiated -->
          <message establishSecurityContext="false" />
        </security>
      </binding>
    </ws2007FederationHttpBinding>
  </bindings>
</system.serviceModel>
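The same choice expressed in code rather than config, as an added example that is not from the original post or from any of the quoted sources. It builds the binding both ways (session on, the default, and session off, as in the config above), adds the federation binding from the config, and shows the client-side pattern that the forum answer hints at: the session only pays for itself when one channel stays open across the calls. The service contract, the endpoint address and the user name are assumptions made for the example.

```csharp
using System;
using System.ServiceModel;

// Hypothetical contract, assumed for the example only.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string GetStatus(int orderId);
}

public static class BindingFactory
{
    // establishSecurityContext="true" (the default): the first call runs a
    // WS-Trust handshake that creates a WS-SecureConversation session key;
    // later calls on the same open channel reuse the cached key.
    public static WSHttpBinding SessionBinding()
    {
        var b = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        b.Security.Message.EstablishSecurityContext = true;
        return b;
    }

    // establishSecurityContext="false": no session handshake; every message
    // carries the UserName token and the service validates it per call.
    // Cheaper for a single call, more work per call in a long chatty session.
    // TransportWithMessageCredential still requires HTTPS, so the per-call
    // credential is protected by TLS either way.
    public static WSHttpBinding PerCallBinding()
    {
        var b = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        b.Security.Message.EstablishSecurityContext = false;
        return b;
    }

    // The ws2007FederationHttpBinding from the config fragment, in code.
    public static WS2007FederationHttpBinding FederationPerCallBinding()
    {
        var b = new WS2007FederationHttpBinding(
            WSFederationHttpSecurityMode.TransportWithMessageCredential);
        b.Security.Message.EstablishSecurityContext = false;
        return b;
    }
}

public static class Client
{
    // Many short calls: keep ONE channel open so that, with the session
    // enabled, the key exchange happens once. Creating a new factory and
    // channel per call would redo the handshake every time and lose the
    // benefit the session is supposed to give.
    public static void RunChattyClient(WSHttpBinding binding, Uri address, int calls)
    {
        var factory = new ChannelFactory<IOrderService>(binding, new EndpointAddress(address));
        factory.Credentials.UserName.UserName = "alice";      // assumption
        factory.Credentials.UserName.Password = "<password>"; // assumption
        IOrderService proxy = factory.CreateChannel();
        var channel = (IClientChannel)proxy;
        try
        {
            for (int i = 1; i <= calls; i++)
                Console.WriteLine(proxy.GetStatus(i));
            channel.Close();
            factory.Close();
        }
        catch (CommunicationException)
        {
            // A faulted channel cannot be closed cleanly; Abort it instead.
            channel.Abort();
            factory.Abort();
            throw;
        }
        catch (TimeoutException)
        {
            channel.Abort();
            factory.Abort();
            throw;
        }
    }

    public static void Main()
    {
        var address = new Uri("https://orders.example.invalid/OrderService.svc"); // assumption
        // Chatty client on one open channel: the session binding amortises the handshake.
        RunChattyClient(BindingFactory.SessionBinding(), address, calls: 50);
        // One-off call: no session to amortise, so skip the handshake entirely.
        RunChattyClient(BindingFactory.PerCallBinding(), address, calls: 1);
    }
}
```

The two bindings are interchangeable on the wire as far as TLS is concerned; what changes is whether the service has to hold per-client session state and whether the client code discipline (one long-lived channel) actually exists. If the client opens a fresh proxy for every request, the session binding costs more than the per-call one and gives nothing back.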

So my take on whether you should turn this off is that it depends on your situation: keep the session when one client holds a channel open for many calls, and turn it off for single or short-lived calls. I would use WSHttpBinding with TransportWithMessageCredential, which already requires SSL on the communication, and turn it off. It does not affect Web API: the jQuery get and post calls my MVC application makes to Web API do not go through a WCF binding, so this setting has no effect on them. For the WCF bindings I am going to turn it off for now.

Posted on Wednesday, June 12, 2013 11:26 AM. Categories: MVC, WCF


Post: When to set ws2007FederationHttpBinding establishSecurityContext to false