I'm consuming WCF Services through jQuery AJAX calls using the GET method.

Since I'm unable to get the WCF call through jQuery AJAX using the POST method to work, I'm using the GET method. With the GET method, the URLs of WCF methods are exposed through JavaScript. Therefore, there should be a way to secure the communication between the front-end and back-end using encryption or any other methods.

Therefore, I build an authentication string. An authentication string can be defined as a set of unique data that is encrypted at the front-end (JavaScript) and authenticated at the back-end (WCF). The authentication string can include information such as Username, Password, WCF Service Name, WCF Method Name and Timestamp.

Example: Encrypt the combination of unique data: admin_admin_member_getmemberbyid_201305171604 which will be 816dd1f8cd17256fc343948df5ffdf3b (using MD5) and send in addition to the data sent to the back-end.

Using MD5 encryption, in the front-end a combination of some information about the operation can be encrypted; and at the back-end the same combination of information has to be encrypted and validated against it. Since MD5 cannot be decrypted, you cannot encrypt the data. Anyone who knows the combination used to build the string to encrypt will be able to generate the MD5 hash and use it.

Unlike MD5, Shared Key Encryption can be used to encrypt the data, so that at the back-end the original data can be retrieved by decrypting using the pre-shared key. However, the pre-shared key can be seen in the front-end source code. Therefore, the encryption becomes useless.

In public key encryption, the security is that two factors have to be guessed or hacked. One is the data or the parameter pattern and the other one is the authentication string. However, this can still be read from JavaScript if you debug in the browser.

NOTE: Using Timestamp in MD5 string or in pre-shared key might fail in practice due to any delays such as network delay.

Is there a way that I can secure WCF Services exposed through REST using GET?

Firnas
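The scheme described in the question, sketched as an added example that is not part of the original post: the back-end recomputes the MD5 string over a small window of minutes, which handles the timestamp delay from the NOTE, and the last check shows the hash being rebuilt from the visible pattern alone. The function names, the use of UTC and the 2-minute window are assumptions; the field order and separator follow the post's sample string.

```javascript
// Added example, not from the original post. Field order, "_" separator and
// yyyyMMddHHmm stamp follow the post's sample string; the function names, UTC
// and the 2-minute window are assumptions. All values are constructed.
const crypto = require("node:crypto");

const md5Hex = (s) => crypto.createHash("md5").update(s, "utf8").digest("hex");

// Minute-resolution UTC stamp, e.g. 201305171604.
function minuteStamp(date) {
  return date.toISOString().replace(/[-T:]/g, "").slice(0, 12);
}

// Front-end side: hash the joined fields. Every input is visible in page script.
function buildAuthString(user, password, service, method, date) {
  return md5Hex([user, password, service, method, minuteStamp(date)].join("_"));
}

// Back-end side: recompute for each minute in [now - skew, now + skew] so that
// network delay or a minute rollover does not reject a legitimate call.
function verifyAuthString(token, user, password, service, method, now, skewMinutes = 2) {
  const given = Buffer.from(String(token), "utf8");
  for (let d = -skewMinutes; d <= skewMinutes; d++) {
    const t = new Date(now.getTime() + d * 60000);
    const want = Buffer.from(buildAuthString(user, password, service, method, t), "utf8");
    if (given.length === want.length && crypto.timingSafeEqual(given, want)) return true;
  }
  return false;
}

function demo() {
  const f = ["admin", "admin", "member", "getmemberbyid"];
  const sent = new Date(Date.UTC(2013, 4, 17, 16, 4, 50));
  const received = new Date(Date.UTC(2013, 4, 17, 16, 5, 5)); // next minute
  const token = buildAuthString(...f, sent);
  // A second party who has read the script rebuilds the same value unaided.
  const rebuilt = md5Hex("admin_admin_member_getmemberbyid_" + minuteStamp(sent));
  return {
    exactMinuteOnly: verifyAuthString(token, ...f, received, 0), // false: rollover
    withWindow: verifyAuthString(token, ...f, received),         // true
    stale: verifyAuthString(token, ...f, new Date(received.getTime() + 10 * 60000)),
    rebuiltAccepted: verifyAuthString(rebuilt, ...f, received),  // true: no secret
  };
}

console.log(demo());
```

The window removes the timestamp failure, but the check still accepts any string built from fields the browser can see, and it accepts the same string repeatedly until the window passes, so it does not authenticate the caller.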