0

I have a Silverlight web application and I am loading data to the client side using a WCF service. Should I secure the WCF service? Can anyone who's on the network call methods of the service?

Uğur Gümüşhan

2 Answers

1

Yeah, they can see and access the service if they know the URL.

And if they can see it, they only need to do an "Add Service Reference" and they can see all methods available.

And since Silverlight uses the basicHttpBinding, it can work through firewalls (they typically allow HTTP traffic).

You should secure it if it contains sensitive info.

scartag
1

By default you'll have security through obscurity, so if you're not broadcasting your WCF service's presence, it's not likely to be found or called. Additionally, it would be very hard to use it without having an appropriate client proxy configured. If you do not have the MEX endpoint set up, you are again pretty safe.

All that said though, you haven't really authorized the calls. It's theoretically possible to locate your WCF service and create a proxy to call it. So if you want to be safe, which I recommend, look into WCF authorization. It's fairly easy to set up, and you can use various options such as username-password, Windows accounts, or X.509 certificates. Each has its pros and cons.

This article goes into great detail, and there are others. http://msdn.microsoft.com/en-us/magazine/cc948343.aspx

Todd Sprang
    I don't see the obscurity at all ... we aren't talking about normal users here ... any average Joe can fire up Fiddler and see what their browser is sending/receiving ... it won't be hard to discover the service. – scartag Mar 08 '13 at 14:50
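
The username-password option mentioned in the answers, sketched as a service-side `web.config` fragment. This is an added example, not part of the original posts: it contrasts an anonymous `basicHttpBinding` endpoint with one that requires HTTPS and a credential on every call. The service and contract names (`Contoso.DataService`, `Contoso.IDataService`), the binding and behavior names, and the ASP.NET membership/role provider names are assumptions.

```xml
<!-- BEFORE (constructed): anonymous endpoint with metadata published.
     Anyone who learns the URL can generate a proxy and call every method. -->
<system.serviceModel>
  <services>
    <service name="Contoso.DataService" behaviorConfiguration="open">
      <endpoint address="" binding="basicHttpBinding" contract="Contoso.IDataService" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="open">
        <serviceMetadata httpGetEnabled="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>

<!-- AFTER (constructed): same contract, but callers must authenticate. -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="secureBasic">
        <!-- HTTPS protects the channel; the username/password travels in the message -->
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <services>
    <service name="Contoso.DataService" behaviorConfiguration="secured">
      <endpoint address="" binding="basicHttpBinding" bindingConfiguration="secureBasic" contract="Contoso.IDataService" />
      <!-- mex endpoint removed: no metadata published in production -->
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="secured">
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
        <serviceCredentials>
          <!-- provider names are assumptions; use the ones registered in your app -->
          <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="AspNetSqlMembershipProvider" />
        </serviceCredentials>
        <serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="AspNetSqlRoleProvider" />
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

Removing the MEX endpoint only hides the contract; the `security` element is what makes unauthenticated calls fail. With `UseAspNetRoles` in place, individual operations can additionally demand a role via `[PrincipalPermission]` in the service code.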