Here is a list of items to consider while designing a WCF web service. They are based on many reference articles, including MSDN, and on my current exposure to and experience with WCF.
It is important to understand the WCF framework and the options it offers. Implementation is the easiest part. These recommendations may change according to your requirements.
WCF Decision Points
• None. Turns security off.
• Transport. Uses transport security for mutual authentication and message protection.
• Message. Uses message security for mutual authentication and message protection.
• Both. Allows you to supply settings for transport and message-level security (only MSMQ supports this).
• TransportWithMessageCredential. Credentials are passed with the message and message protection and server authentication are provided by the transport layer.
• TransportCredentialOnly. Client credentials are passed with the transport layer and no message protection is applied.
• Message security mode uses WS-Security (and other specifications) to implement transfer security. Because the message security is applied directly to the SOAP messages and is contained inside the SOAP envelopes, together with the application data, it has the advantage of being transport protocol-independent, more extensible, and ensuring end-to-end security (versus point-to-point); it has the disadvantage of being several times slower than transport security mode because it has to deal with the XML nature of the SOAP messages.
• Transport security mode uses a transport-level protocol, such as HTTPS, to achieve transfer security. Transport mode has the advantage of being widely adopted, available on many platforms, and less computationally complex. However, it has the disadvantage of securing messages only from point-to-point.
Client Credential Type
The following options are based on the type of bindings used.
Recommended Protection Level: EncryptAndSign
Recommended Bindings: WsHttpBinding
There are many options available which can be configured at a later stage. Some of the recommended Bindings in addition to WsHttpBinding are given below. These can be configured as different endpoints when it is required.
- Self Hosted
- Windows Service
- IIS 5.1, 6.0, 7.0 (Depends on versions of OS)
- WAS (works only on Vista or Windows 2008)
o 6.0 on Windows Server 2003
Process health monitoring.
o 7.0 or WAS on Windows Server 2008
Same benefits as 5.1 and 6.0
HTTP, TCP, Named Pipes and MSMQ
- Windows Service
o Service process lifetime controlled by the operating system, not message-activated.
o Supported by all versions of Windows.
o Secure environment.
o Supports HTTP, TCP, Named Pipes and MSMQ
o Deployment: Services must be installed with the .NET Framework Installutil.exe utility or through a custom action in an installer package.
Following are some benefits of using Message Contracts instead of directly using Data Contracts.
- More control over the SOAP messages
- Easier to update the operation signatures (for example, with additional parameters) before any version of the WCF service is released.
- More control over how WSDL is generated.
Consider using Message Contracts based on business need.
Per-Call services are most preferred for scalability.
Request-Reply operations are preferred over callback or one-way operations.
Fault contract details to be decided during design time.
The recommended transaction setting, if the environment is not distributed, is [TransactionFlow(TransactionFlowOption.NotAllowed)].
Use default ConcurrencyMode.Single and leave thread synchronization to WCF. This is recommended along with Per-Call instantiation.
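The recommendations above (WsHttpBinding with message security, EncryptAndSign, Per-Call, Request-Reply, a fault contract, no transaction flow, single concurrency) combined in one self-hosted service. This is an added example, not code from the original article; IOrderService, OrderService, OrderFault and the localhost address are hypothetical names, and it assumes a .NET Framework project referencing System.ServiceModel and System.Runtime.Serialization.

```csharp
using System;
using System.Net.Security;
using System.Runtime.Serialization;
using System.ServiceModel;

[DataContract]
public class OrderFault                        // hypothetical fault detail type
{
    [DataMember] public string Reason { get; set; }
}

// With EncryptAndSign on the contract, opening the host fails if the
// binding cannot both encrypt and sign the messages (e.g. SecurityMode.None).
[ServiceContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
public interface IOrderService                 // hypothetical contract
{
    [OperationContract]                        // request-reply (IsOneWay defaults to false)
    [FaultContract(typeof(OrderFault))]        // fault shape fixed at design time
    [TransactionFlow(TransactionFlowOption.NotAllowed)]
    string GetStatus(int orderId);
}

[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall,
                 ConcurrencyMode = ConcurrencyMode.Single)]
public class OrderService : IOrderService
{
    public string GetStatus(int orderId)
    {
        if (orderId <= 0)                      // return a typed fault, not a raw exception
            throw new FaultException<OrderFault>(
                new OrderFault { Reason = "Unknown order id" }, "Invalid request");
        return "Shipped";                      // constructed sample value
    }
}

public static class Program
{
    public static void Main()
    {
        // Message mode: WS-Security inside the SOAP envelope, end to end.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        var address = new Uri("http://localhost:8080/orders");   // hypothetical address
        using (var host = new ServiceHost(typeof(OrderService), address))
        {
            host.AddServiceEndpoint(typeof(IOrderService), binding, "");
            host.Open();
            Console.ReadLine();                // keep the host open until Enter is pressed
        }
    }
}
```

Listening on an HTTP address under a non-administrator account requires a URL reservation for that address.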
Versioning needs to be done. Details to be decided during design phase.
Use existing Logging mechanisms used in your apps or use Log4Net.
Out of the box WCF Client Proxies
The following proxies can be provided to customers for easy development:
- .NET proxy
- Java proxy