0

I am creating a WCF web service using wsHttpBinding and a corresponding application that calls this web service. The idea behind the application that calls the WS is that it will be installed and run from multiple client sites as a background process. The background processes will periodically send information from it's respective client back to the host by calling the WCF service. What kind of WCF security model should I implement to make sure that only service calls from the processes installed at the individual sites can call methods on the web service?

Note: The web service will be behind a firewall; however, this extra information may be irrelevent to the question at hand.

SideFX
  • 839
  • 1
  • 12
  • 34
  • IMHO, extra information is never irrelevant. It can be irritating and make me irascible, but I'll try not to be irrational with it. – David Hoerster Aug 20 '10 at 20:50
  • Are the other sites behind the same firewall (e.g. customer sites)? – David Hoerster Aug 20 '10 at 20:52
  • This will be integrated as part of a product that multiple clients are using and will be launched in the background with the client starts up the main application. The host service that the clients will be calling will be behind a firewall. – SideFX Aug 20 '10 at 21:15
  • I thinking that if there was anything similar to an app role, where only a specific application is authorized to use the webservice. – SideFX Aug 20 '10 at 21:17

1 Answers1

1

Without firewall mentioned I would suggest two approaches:

  • Message security with UserName client credentials. This security mode uses X509 service certificate to secure message and UserName token to pass client's user name and password to the service.
  • Message security with Certificate client credentials. This security mode uses X509 service and client certificate. Client certificate is also used to authenticate client.

Advanced approaches can use supporting token like mutal certificates for securing messages and supporting user name token for authentication.

All these approaches can require installing certificates on client machines.

But in your case the firewall can change the solution. Is it possible to connect to your service from client using HTTP port 80? If not check that your IT opens incomming communication to your service. If not you will have to use Azure .NET Services (cloud) to relay communication between your service and clients. This can change security scenario.

Ladislav Mrnka
  • 360,892
  • 59
  • 660
  • 670
  • If I will be able to connect using port 80 or some other specified port, will I be able to use the 2 suggestions above? Basically I was thinking that every client machine will look the same to the host. Will using a certificate alleviate the need for a sql role provider? – SideFX Aug 21 '10 at 06:34
  • 1
    If the service is accessible than suggested approaches should work. Role provider is only needed if you have to differ client roles. If every client has the same roles you don't have to create authorization at all. – Ladislav Mrnka Aug 21 '10 at 07:48
  • So if I did what you suggest, I shouldn't be able to call the web service from any other application that doesn't have the correct certificate? What about securing database access? This web service will be writing to a database. Also, would it be possible for a person on the same machine as the client application to find the certificate on the workstation and use that to make random web service calls? Sorry, I know that there are couple of different questions there. – SideFX Aug 23 '10 at 05:23
  • 1
    Certificate is secured by store you choose. If you place certificate to user store only that user should be able to use it. Client certificate contains private key so it should always be stored in CurrentUser\My store. But yes anybody who has the certificate can use the service. There is some futher security level related to certificates because some certificates requires PIN to be used but I have never tryed it in WCF. – Ladislav Mrnka Aug 23 '10 at 08:39