2

I have an application that uses Silverlight and ASP.NET as a front-end. It retrieves data from the server by calling some RESTful WCF services that are hosted there. I'd like to prevent the curious user from opening up a new browser window and calling the web service themselves. Is there a way to restrict access to the web services to a specific application?

Thanks!

Kevin Babcock
  • Maybe with .NET 4 and the netTcpBinding for Silverlight, you'll have more options. – marc_s Dec 15 '09 at 21:48
  • @marc_s - netTcpBinding might help, but he could at least implement basic UserName token security via WS-Standards (it's not native in Silverlight...but there is a possible implementation). – Justin Niessner Dec 15 '09 at 21:56

4 Answers

2

You can use HTTPS to secure the endpoint and require authentication. You can put an obnoxiously long secret key embedded in the code. Unfortunately, System.Security.Cryptography is not in the SL install, so no encrypt on server/decrypt on client capabilities. And there's no reason the user couldn't just use something like reflector to read the code anyway.

SL can be made "mostly securish", but definitely not secure.

Jarrett Meyer
  • HTTPS won't do anything - the user could still browse. Usernames and passwords in Silverlight are generally done via Forms auth, with the authentication cookie which would still exist when they open another tab. And as you say a key is useless, because reflector will reveal it. – blowdart Dec 15 '09 at 21:24
  • Yeah, at best it's only security through obfuscation. The HTTPS only serves to keep people who absolutely do not belong away from the endpoint. – Jarrett Meyer Dec 15 '09 at 23:59
  • I appreciate the ideas folks! – Kevin Babcock Dec 16 '09 at 15:26
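The answer and comments above reduce to one rule: the server can only trust who the caller is (the forms-auth principal), never which program sent the request, so a secret compiled into the .xap buys nothing. The following is an added illustration, not code from the question or from any answer; the service contract, the operation name and the in-memory lookup table are constructed for the example:

```csharp
using System.Collections.Generic;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Web;
using System.Web;

[ServiceContract]
public interface ICustomerService
{
    [OperationContract]
    [WebGet(UriTemplate = "customers/{id}/name", ResponseFormat = WebMessageFormat.Json)]
    string GetCustomerName(string id);
}

// Required so each call runs inside the ASP.NET pipeline and sees the same HttpContext
// (forms-auth ticket, User principal) as the page that served the .xap. Also needs
// <serviceHostingEnvironment aspNetCompatibilityEnabled="true" /> in web.config.
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class CustomerService : ICustomerService
{
    // Constructed sample data standing in for a real data store.
    private static readonly Dictionary<string, string> Names =
        new Dictionary<string, string> { { "42", "Example Customer" } };

    public string GetCustomerName(string id)
    {
        // Do NOT gate on a secret constant compiled into the Silverlight client:
        // Reflector recovers it from the .xap, so it proves nothing about the caller.
        // Gate on the authenticated user instead. A request carrying no valid forms-auth
        // ticket (curl, or a browser with no session cookie) is refused; a logged-in user
        // is served only what that account may see, whichever client sends the request.
        var user = HttpContext.Current.User;
        var response = WebOperationContext.Current.OutgoingResponse;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            response.StatusCode = HttpStatusCode.Unauthorized;
            return null;
        }
        string name;
        if (!Names.TryGetValue(id, out name))
        {
            response.StatusCode = HttpStatusCode.NotFound;
            return null;
        }
        // Per-record authorization (is this customer visible to user.Identity.Name?) goes here.
        return name;
    }
}
```

Because the forms-auth cookie is shared by every tab, a logged-in user can still call the service from a new browser window, exactly as blowdart notes; what the check guarantees is that they can retrieve nothing the same account could not already see through the application.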
0

If you're truly interested in securing your web services, you should think about migrating from RESTful services to SOAP Based Web Services and implementing the WS-Security standard for Message based Encryption.

You can then secure your services so only clients that have the proper security information (be it username/password or X.509 certs) can call your web services.

Update

As you can see...I've removed X.509 as an option. I blanked for a moment and forgot the WS-Security limitations in Silverlight. The good news is that you can implement username tokens based on the WS-Security standard in Silverlight:

Implementing Username Password & WS-Security with Silverlight

Justin Niessner
  • Silverlight doesn't support WS* – blowdart Dec 15 '09 at 21:22
  • Saw ASP.NET...missed Silverlight. There are ways to implement basic username/password token security based on WS-* standards in Silverlight though: http://geekswithblogs.net/SunnyCoder/archive/2009/03/15/username-password-amp-ws-security-with-silverlight.aspx – Justin Niessner Dec 15 '09 at 21:24
0

Here's the guide of the Patterns & Practices team for WCF Security. There's a lot to be found there.

http://www.codeplex.com/WCFSecurityGuide

Slavo
-1

No there's not.

blowdart
  • It would have been shorter, but there's a 15 character minimum *grin* – blowdart Dec 16 '09 at 16:08
  • I disagree. There's a mechanism for this called authentication. How do you limit access to a web app to only some part of the earth's population? Require login. Same for services. The WCF RESTful services are a bit tricky, but there's a way. – Slavo Mar 09 '10 at 10:03
  • I know this is an old question, but it gets flagged periodically for obvious reasons. Short pithy one liners are not particularly helpful, would be good if you can expand your answer. If it is flagged again it might just get deleted. Thanks. – Kev May 23 '12 at 08:37