Q:

Secure WCF service

I am very new to using WCF services. Right now I have a WCF service that I call using jQuery. I'm concerned about users making unauthorized calls to the service. What would be the best way to secure my service?

A: 

You can use a certificate to sign the WCF messages (it's all in the WCF settings) on both sides (client and server).

Here is some detailed explanation:

Message Security

Dani
A: 

If this is a browser app and you're worried about security, presumably you already have some sort of authentication mechanism (cookies, sessions, something). All these are accessible from WCF services (I'm assuming you're using webHttpBinding or basicHttpBinding?) via the WebOperationContext.Current.IncomingRequest property. You can check/validate a cookie (or whatever else) from your service code, or write a cross-cutting MessageInspector to apply the check to all methods on your service behavior. WCF services can also be integrated with traditional ASP.NET authentication (forms, etc.) if you host the service with the compatibility flag. The browser app logs in normally, and your service can consume the credential/token/whatever.

nitzmahone
I could send the ASP.NET_SESSID value with my jQuery requests, but once on the other side, how could you validate a session with the cookie value? Right now I'm using JSON for my responses and requests.
Matt
If you're hosting your WCF service with IIS in a .svc, the browser's already sending the ASP.NET session cookie anyway (assuming you have one). Just turn on ASP.NET compatibility mode, and look at HttpContent.Current.Request.User (or whatever else you want) in your service code.
nitzmahone
Sorry, that's HttpContext.
nitzmahone
I tried out what you suggested but I get a null reference for HttpContext.Current. Any enlightenment you could shed on the problem? I do have the AspNetCompatibilityRequirements attribute class set to Allowed for my ServiceContract.
Matt
You still have to turn compatibility mode on in your service config; the attribute just allows your service to access it if it's on. Add <serviceHostingEnvironment aspNetCompatibilityEnabled="true" /> to your config file under system.serviceModel.
nitzmahone
Awesome, now I have access to everything I need. Thank you!
Matt
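One way to wire this up, as an added example that is not code from the thread: a .svc-hosted WCF service whose operation rejects any jQuery call that does not carry an authenticated ASP.NET forms session, relying on the compatibility setting the last comment names. Service, contract and helper names are assumptions; it uses RequirementsMode.Required rather than Allowed so a missing config line fails at startup instead of as a null HttpContext.Current at request time.

```csharp
// Added example (not from the thread): a WCF REST service hosted in IIS (.svc)
// that refuses requests without an authenticated ASP.NET forms session.
// Requires, as the comments above describe, this in web.config under
// <system.serviceModel>:
//   <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
using System.Net;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Web;
using System.Web;

[DataContract]
public class OrderSummary
{
    [DataMember] public string Owner { get; set; }
    [DataMember] public int OpenOrders { get; set; }
}

[ServiceContract]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class OrderService
{
    // Called from jQuery with $.ajax({ type: "POST", url: "OrderService.svc/GetSummary", ... }).
    // For a same-origin call the browser attaches the ASP.NET auth cookie by itself.
    [OperationContract]
    [WebInvoke(Method = "POST", ResponseFormat = WebMessageFormat.Json)]
    public OrderSummary GetSummary()
    {
        // With compatibility mode on, HttpContext.Current is populated; without it this is null.
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
        {
            // Return 401 and no data; the JSON client sees the status in its error callback.
            WebOperationContext.Current.OutgoingResponse.StatusCode = HttpStatusCode.Unauthorized;
            return null;
        }

        // The identity comes from the forms-auth ticket that ASP.NET validated, not from
        // anything in the JSON body, so the caller cannot choose whose data it gets.
        string user = ctx.User.Identity.Name;
        return new OrderSummary { Owner = user, OpenOrders = CountOpenOrdersFor(user) };
    }

    // Hypothetical data-access helper; replace with the real lookup.
    private static int CountOpenOrdersFor(string user) => 3;
}
```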