I am working on an app that has several clients - Desktop, Mobile Device, Web Portal. We're moving to an SOA kind of architecture and will be using WCF.

The WCF story is great when it comes to using netTcp+transport/message security+Windows authentication (or even UsernameToken and a custom UsernameValidator provider) on the Desktop and Web Portal side.

Where it totally breaks down is on the compact framework side...the subset of WCF it supports is so limiting. I was resigned to simply using basicHttp + Username/Password in the headers all over SSL, but it seems that you cannot add headers when on the compact framework stack (no OperationContextScope) - so that leaves me with including username/password as parameters for EVERY SINGLE operation method in the service.

Please tell me I am wrong and there is a better way.

+1  A: 

Your best bet is going to be to expose a WCF end-point that conforms to the WS-Security standards.

You should then be able to use those standards for message based security (most likely using X.509). Here's the MSDN link to get started:

Messaging in the .NET Compact Framework

Justin Niessner
+1  A: 

An alternative solution is to pass a ticket (read: guid).

The client logs in (sends username and password). A randomly generated ticket is generated (guid again), cached on the server, and sent back to the client. This ticket is then passed back and forth instead of the username and password.

Of course, all of that is assuming you don't just want to utilize session state.

But in other words: I've had the same problem you've had. It sucks. This is how I got around it a bit so it was usable.

Anyway, another good reference is the WCF Guidance for Mobile.

Chris Brandsma
I was thinking about falling back to something like that as well, maybe going with something that can be computed from the password (or the NT hash of the password) so that it can be stateless. All secure via SSL of course.
Bryan Batchelder
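A server-side sketch of the ticket approach from the second answer, added here as an example and not code from any of the posters. It assumes the service runs on the full .NET Framework 4 or later; `TicketStore`, `Issue`, `Validate` and `Revoke` are hypothetical names. It swaps the GUID for 32 bytes from the cryptographic RNG and gives each ticket a fixed lifetime, so a captured ticket cannot be guessed and does not stay valid indefinitely.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical server-side ticket cache (illustrative names, not from the post).
public sealed class TicketStore
{
    // Immutable entry: who the ticket belongs to and when it stops being valid.
    private sealed class Entry
    {
        public readonly string User;
        public readonly DateTime ExpiresUtc;
        public Entry(string user, DateTime expiresUtc) { User = user; ExpiresUtc = expiresUtc; }
    }

    private readonly ConcurrentDictionary<string, Entry> _tickets =
        new ConcurrentDictionary<string, Entry>();
    private readonly TimeSpan _lifetime;

    public TicketStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // Call only after the username/password check has succeeded.
    public string Issue(string user)
    {
        var bytes = new byte[32];                 // 256 bits from the CSPRNG
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        string ticket = Convert.ToBase64String(bytes);
        _tickets[ticket] = new Entry(user, DateTime.UtcNow + _lifetime);
        return ticket;
    }

    // Returns the user name for a live ticket, or null if unknown or expired.
    public string Validate(string ticket)
    {
        Entry e;
        if (string.IsNullOrEmpty(ticket) || !_tickets.TryGetValue(ticket, out e))
            return null;
        if (e.ExpiresUtc <= DateTime.UtcNow)
        {
            _tickets.TryRemove(ticket, out e);    // drop expired tickets on first use
            return null;
        }
        return e.User;
    }

    // Logout, or forced invalidation after a password change.
    public void Revoke(string ticket)
    {
        Entry e;
        if (!string.IsNullOrEmpty(ticket)) _tickets.TryRemove(ticket, out e);
    }
}
```

Each service operation then takes the ticket string as a parameter in place of the username and password and calls `Validate` first, rejecting the call when it returns null.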