
Tuesday, December 3, 2013

Business Connectivity Services security overview in SharePoint Server 2010

When a user accesses external data from a Web browser, three systems are involved: the logged-on user's client computer, the Web server farm, and the external system. The components that take part in the request are the following:

  1. From Web browsers, users typically interact with external data in external lists or by using Web Parts.
  2. The BDC Server Runtime on the front-end Web servers uses the external content type definitions stored by the Business Data Connectivity service to connect to and execute operations on external systems.
  3. The Secure Store Service securely stores credential sets for external systems and maps those credential sets to individual or group identities.
  4. The Security Token Service is a Web service that responds to authentication requests by issuing security tokens made up of identity claims that are based on user account information.


The following table describes the authentication modes of the Microsoft Business Connectivity Services (the mode is set per external system instance in the BDC model, in the AuthenticationMode property):

PassThrough
    Passes the credentials of the logged-on user to the external system. This requires that the user's credentials are known to the external system.
    If the Web application is not configured to authenticate with Windows credentials, the NT AUTHORITY\ANONYMOUS LOGON account is passed to the external system rather than the user's credentials. The same thing happens when the external system runs on a different server than the front-end Web server and the user's Windows identity cannot be delegated (the "double hop"): PassThrough from a browser to a remote external system requires Kerberos delegation to be configured.

RevertToSelf
    When the user is accessing external data from a Web browser, this mode ignores the user's credentials and sends the application pool identity account under which the BCS runtime is running on the Web server to the external system. When the user is accessing external data from an Office client application, this mode is equivalent to PassThrough mode, because Microsoft Business Connectivity Services running on the client will be running under the user's credentials.
    This mode is called BDC Identity in the Microsoft Business Connectivity Services administration pages and in SharePoint Designer 2010. It is disabled by default in SharePoint Server 2010 (the RevertToSelfAllowed property of the Business Data Connectivity service application must be set to true with Windows PowerShell). Because every user reaches the external system as the same account, the external system cannot distinguish users; authorization must be enforced through the permissions on the external content type instead.

WindowsCredentials
    For external Web services or databases, this mode uses the Secure Store Service to map the user's credentials to a set of Windows credentials on the external system.

Credentials
    For an external Web service, this mode uses the Secure Store Service to map the user's credentials to a set of credentials that are supplied by a source other than Windows and that are used to access external data. The Web service should use Basic or Digest authentication when this mode is used.
    Important: To help preserve security in this mode, the connection between the Microsoft Business Connectivity Services and the external system should be secured by using Secure Sockets Layer (SSL, in practice TLS) or Internet Protocol Security (IPsec); with Basic authentication the stored password otherwise crosses the network in the clear.

RDBCredentials
    For an external database, this mode uses the Secure Store Service to map the user's credentials to a set of credentials that are supplied by a source other than Windows (for example, a SQL Server login). To help preserve security in this mode, the connection between the Microsoft Business Connectivity Services and the external system should be secured by using SSL/TLS or IPsec.

DigestCredentials
    For a WCF Web service, this mode uses the Secure Store Service to map the user's credentials to a set of credentials that are presented using Digest authentication.
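The authentication mode is recorded per LobSystemInstance in the BDC model, so an exported model file (.bdcm) can be audited offline. The script below is an added example, not code from the original article or from Microsoft: it reads a model, reports the AuthenticationMode of every external system instance, flags the PassThrough and RevertToSelf cases described in the table, and checks that the Secure Store modes actually name a Secure Store target application. The model embedded in the script is constructed for the example; the element and property names follow the BDC model schema, but the system names, server names and the SsoApplicationId value are made up.

```powershell
# Added example (not from the original article): audit AuthenticationMode in a BDC model.
# The model below is constructed for this example; names and servers are made up.
$bdcm = [xml]@'
<Model xmlns="http://schemas.microsoft.com/windows/2007/BusinessDataCatalog" Name="ContosoModel">
  <LobSystems>
    <LobSystem Name="ContosoCrm" Type="Database">
      <LobSystemInstances>
        <LobSystemInstance Name="CrmPassThrough">
          <Properties>
            <Property Name="AuthenticationMode" Type="System.String">PassThrough</Property>
            <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
            <Property Name="RdbConnection Data Source" Type="System.String">sql01.contoso.local</Property>
            <Property Name="RdbConnection Initial Catalog" Type="System.String">Crm</Property>
            <Property Name="RdbConnection Integrated Security" Type="System.String">SSPI</Property>
          </Properties>
        </LobSystemInstance>
        <LobSystemInstance Name="CrmBdcIdentity">
          <Properties>
            <Property Name="AuthenticationMode" Type="System.String">RevertToSelf</Property>
            <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
            <Property Name="RdbConnection Data Source" Type="System.String">sql01.contoso.local</Property>
            <Property Name="RdbConnection Initial Catalog" Type="System.String">Crm</Property>
            <Property Name="RdbConnection Integrated Security" Type="System.String">SSPI</Property>
          </Properties>
        </LobSystemInstance>
        <LobSystemInstance Name="CrmSecureStore">
          <Properties>
            <Property Name="AuthenticationMode" Type="System.String">RdbCredentials</Property>
            <Property Name="DatabaseAccessProvider" Type="System.String">SqlServer</Property>
            <Property Name="RdbConnection Data Source" Type="System.String">sql01.contoso.local</Property>
            <Property Name="RdbConnection Initial Catalog" Type="System.String">Crm</Property>
            <Property Name="SsoApplicationId" Type="System.String">ContosoCrmSql</Property>
            <Property Name="SsoProviderImplementation" Type="System.String">Microsoft.Office.SecureStoreService.Server.SecureStoreProvider, Microsoft.Office.SecureStoreService, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c</Property>
          </Properties>
        </LobSystemInstance>
      </LobSystemInstances>
    </LobSystem>
  </LobSystems>
</Model>
'@

function Get-BdcAuthModeReport {
    param([xml]$Model)

    # The BDC model schema has a default namespace, so XPath needs a prefix for it.
    $ns = New-Object System.Xml.XmlNamespaceManager($Model.NameTable)
    $ns.AddNamespace('bdc', 'http://schemas.microsoft.com/windows/2007/BusinessDataCatalog')

    # Modes that resolve credentials through the Secure Store Service.
    $secureStoreModes = 'WindowsCredentials', 'Credentials', 'RdbCredentials', 'DigestCredentials'
    # Modes that present a stored user name and password rather than a Windows
    # identity, where the article's SSL/IPsec recommendation applies.
    $passwordModes = 'Credentials', 'RdbCredentials'

    foreach ($inst in $Model.SelectNodes('//bdc:LobSystemInstance', $ns)) {
        # Collect the instance properties into a hashtable keyed by Property Name.
        $props = @{}
        foreach ($p in $inst.SelectNodes('bdc:Properties/bdc:Property', $ns)) {
            $props[$p.GetAttribute('Name')] = $p.InnerText
        }
        $mode = $props['AuthenticationMode']
        $findings = @()

        switch ($mode) {
            'PassThrough' {
                $findings += 'user identity is forwarded to the back end; a browser request to a back end on another server needs Kerberos delegation, and a Web application without Windows authentication sends NT AUTHORITY\ANONYMOUS LOGON'
            }
            'RevertToSelf' {
                $findings += 'every user connects as the application pool identity; disabled by default (RevertToSelfAllowed) and authorization must be enforced on the external content type'
            }
            default {
                if ($secureStoreModes -contains $mode) {
                    if (-not $props.ContainsKey('SsoApplicationId')) {
                        $findings += 'Secure Store mode without SsoApplicationId: no target application is mapped'
                    }
                    if ($passwordModes -contains $mode) {
                        $findings += 'stored user name and password are sent to the back end; require SSL/TLS or IPsec on the connection'
                    }
                } else {
                    $findings += "unknown or missing AuthenticationMode '$mode'"
                }
            }
        }

        New-Object PSObject -Property @{
            LobSystemInstance  = $inst.GetAttribute('Name')
            AuthenticationMode = $mode
            SsoApplicationId   = $props['SsoApplicationId']
            Findings           = ($findings -join '; ')
        }
    }
}

Get-BdcAuthModeReport -Model $bdcm |
    Select-Object LobSystemInstance, AuthenticationMode, SsoApplicationId, Findings |
    Format-Table -AutoSize -Wrap
```

To audit a real farm, export the model from the Business Data Connectivity service application page in Central Administration (or with Export-SPBusinessDataCatalogModel) and replace the here-string with `[xml](Get-Content .\Model.bdcm)`; the report itself does not touch the farm.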
