
There have been so many topics I've read on this, but I have to just be 100% sure I'm going in the right direction with my scenario.

The main thing I'm wanting to do is lock down a WCF service (.NET 4.5) to a single web application (potentially more in the future though).

So,

Web Application (logged in via .NET Membership) -> WCF Service -> Data layer -> Database

The WCF Service should not allow access via anywhere but the Web Application.

What's the best way of achieving this? I've read about Username/Password validation to the WCF Service, but obviously you don't store the Password in a Session object once the user has logged into the Web Application, so this doesn't make much sense to me. Is the only way using a Certificate and the WCF Service checking that the Web App has that Certificate when being called?

Any help in layman's terms is greatly appreciated, I feel like I'm stuck in a WCF Security nightmare.

Chris Dixon

2 Answers


You have to provide some sort of credential. A certificate is one possibility; another is to use Windows authentication in the back end WCF service, and only allow access to the service account of the Application Pool that hosts your Web Application.

Joe
  • But to send that Windows username/password through from the .NET Web Application, does a Certificate still have to be used in order for the Windows authentication credentials to be kept secure? – Chris Dixon Sep 18 '12 at 09:58
  • If you configure Windows authentication between the Web Application and the Web Service, no password is sent and no certificate is needed. – Joe Sep 18 '12 at 10:15
  • Any ideas how to do it for an Api that is accessed by a mobile app. And limit the access of the api only to the app. – Vikneshwar Dec 29 '15 at 05:21
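One way to implement the restriction Joe describes (Windows authentication on the back-end service, callers limited to the application pool's service account), as an added example that is not from the question or any answer here. The service contract name, the account names and the host address are assumptions:

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical service contract; stands in for the real WCF service.
[ServiceContract]
public interface IOrderService { [OperationContract] string Ping(); }

// Rejects every caller whose Windows identity is not one of the allowed accounts,
// i.e. anything other than the web application's app pool identity.
public class AppPoolOnlyAuthorizationManager : ServiceAuthorizationManager
{
    // Placeholder account names; replace with the real app pool identity.
    private static readonly HashSet<string> AllowedCallers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            @"CONTOSO\svc-webapp-pool",   // domain account configured as the app pool identity
            @"IIS APPPOOL\WebAppPool"     // built-in ApplicationPoolIdentity (same machine only)
        };

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext ctx = operationContext.ServiceSecurityContext;
        // With Windows transport credentials the caller is authenticated by
        // Kerberos/NTLM; no password ever travels to the service.
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null) return false;
        WindowsIdentity caller = ctx.WindowsIdentity;
        if (!caller.IsAuthenticated) return false;

        bool allowed = AllowedCallers.Contains(caller.Name);
        // Surface denied calls so unexpected callers show up in the service logs.
        if (!allowed) Console.Error.WriteLine("WCF access denied for " + caller.Name);
        return allowed;
    }
}

public static class ServiceHostSetup
{
    // Hosts the service on a binding that requires Windows credentials over HTTPS
    // and plugs in the authorization manager above (assumed address and certificate).
    public static ServiceHost Configure(Type implementationType)
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        var host = new ServiceHost(implementationType, new Uri("https://localhost:8443/orders"));
        host.AddServiceEndpoint(typeof(IOrderService), binding, "");
        host.Authorization.ServiceAuthorizationManager = new AppPoolOnlyAuthorizationManager();
        return host;
    }
}
```

The same binding and `serviceAuthorization` settings can be placed in `web.config` instead of code; the check itself does not change.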

You need to authenticate the web application by requesting credentials, so that your WCF service is secure.

Scott
Reddy