views: 252
answers: 4

I have an application that uses Silverlight and ASP.NET as a front-end. It retrieves data from the server by calling some RESTful WCF services that are hosted there. I'd like to prevent the curious user from opening up a new browser window and calling the web service themselves. Is there a way to restrict access to the web services to a specific application?

Thanks!

+1  A: 

No there's not.

blowdart
Short and sweet. Thanks!
Kevin Babcock
It would have been shorter, but there's a 15 character minimum *grin*
blowdart
I disagree. There's a mechanism for this called authentication. How do you limit access to a web app to only some part of the earth's population? Require login. Same for services. The WCF RESTful services are a bit tricky, but there's a way.
Slavo
A: 

If you're truly interested in securing your web services, you should think about migrating from RESTful services to SOAP Based Web Services and implementing the WS-Security standard for Message based Encryption.

You can then secure your services so only clients that have the proper security information (be it username/password or X.509 certs) can call your web services.

Update

As you can see...I've removed X.509 as an option. I blanked for a moment and forgot the WS-Security limitations in Silverlight. The good news is that you can implement username tokens based on the WS-Security standard in Silverlight:

Implementing Username Password & WS-Security with Silverlight

Justin Niessner
Silverlight doesn't support WS*
blowdart
Saw ASP.NET...missed Silverlight. There are ways to implement basic username/password token security based on WS-* standards in Silverlight though: http://geekswithblogs.net/SunnyCoder/archive/2009/03/15/username-password-amp-ws-security-with-silverlight.aspx
Justin Niessner
+1  A: 

You can use HTTPS to secure the endpoint and require authentication. You can put an obnoxiously long secret key embedded in the code. Unfortunately, System.Security.Cryptography is not in the SL install, so no encrypt on server/decrypt on client capabilities. And there's no reason the user couldn't just use something like reflector to read the code anyway.

SL can be made "mostly securish", but definitely not secure.

Jarrett Meyer
HTTPS won't do anything - the user could still browse. Usernames and passwords in Silverlight are generally done via Forms auth, with the authentication cookie which would still exist when they open another tab. And as you say a key is useless, because Reflector will reveal it.
blowdart
Yeah, at best it's only security through obfuscation. The HTTPS only serves to keep people who absolutely do not belong away from the endpoint.
Jarrett Meyer
I appreciate the ideas folks!
Kevin Babcock
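The point the answer and its comments make, as an added example that is not part of the thread and not WCF code: a server can only check what the request carries, and everything the Silverlight app sends (the Forms auth cookie, an embedded key, any header) the user's browser can send too. The handler below is a hypothetical stand-in for the REST endpoint; the user table, the key value, the function names and the use of the ASP.NET Forms cookie name `.ASPXAUTH` are assumptions for illustration only. It contrasts the embedded-key gate with per-user authorization, which is the only thing the server can actually enforce.

```python
import hashlib
import hmac
import os
import secrets

# Constructed credential store: username -> (salt, PBKDF2 hash). In the real
# application this is the membership store behind ASP.NET Forms authentication.
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}

# What each authenticated user may call. Authorization is keyed on the user and
# the operation, never on "which program sent the request", because the server
# has no way to learn the latter.
PERMISSIONS = {"alice": {("GET", "/orders")}}

SESSIONS = {}  # cookie value -> username (hypothetical in-memory session store)

# The "obnoxiously long secret key" from the answer, constructed here. Think of
# it as compiled into the XAP, where Reflector or a proxy log reveals it.
EMBEDDED_APP_KEY = "f2a9c8e1d7b34e6a9c0f1b2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f"


def login(username, password):
    """Check the password (constant-time) and issue a random session token."""
    rec = USERS.get(username)
    if rec is None:
        return None
    salt, stored = rec
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token


def _session_user(headers):
    cookie = headers.get("Cookie", "")
    if not cookie.startswith(".ASPXAUTH="):
        return None
    return SESSIONS.get(cookie[len(".ASPXAUTH="):])


def handle(method, path, headers):
    """Hypothetical request handler standing in for the WCF REST endpoint.
    Returns an HTTP status code. Client-chosen headers such as User-Agent or
    Referer are deliberately ignored: the caller controls them."""
    user = _session_user(headers)
    if user is None:
        return 401  # no valid session: only callers who cannot log in are kept out
    if (method, path) not in PERMISSIONS.get(user, set()):
        return 403  # authenticated, but this user may not perform this operation
    return 200


def handle_with_app_key(method, path, headers):
    """Embedded-key variant: rejects callers without the key. Once the key has
    been read out of the XAP this adds nothing over handle()."""
    if not hmac.compare_digest(headers.get("X-App-Key", ""), EMBEDDED_APP_KEY):
        return 403
    return handle(method, path, headers)


def demo():
    """Walk through the thread's scenario; returns four status codes."""
    token = login("alice", "correct horse")
    app_headers = {"Cookie": ".ASPXAUTH=" + token, "X-App-Key": EMBEDDED_APP_KEY}
    # 1. The Silverlight app calls the service.
    from_app = handle_with_app_key("GET", "/orders", app_headers)
    # 2. The curious user opens a new tab. The browser attaches the same auth
    #    cookie, the key came from Reflector, and the User-Agent differs, but
    #    the server sees nothing it can act on.
    tab_headers = dict(app_headers, **{"User-Agent": "Mozilla/5.0 (constructed)"})
    from_tab = handle_with_app_key("GET", "/orders", tab_headers)
    # 3. Someone with the key but no login: the only caller authentication stops.
    anonymous = handle_with_app_key("GET", "/orders", {"X-App-Key": EMBEDDED_APP_KEY})
    # 4. What the server can enforce: an operation alice is not entitled to is
    #    refused no matter which client sends it.
    forbidden = handle_with_app_key("DELETE", "/orders", app_headers)
    return from_app, from_tab, anonymous, forbidden


if __name__ == "__main__":
    print(demo())
```

The practical consequence is the one the comments reach: design the service so that every operation is safe to expose to the authenticated user directly (authorize per user and per action, validate inputs server-side), and treat the Silverlight client as just one of the clients that user might use.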
A: 

Here's the guide of the Patterns & Practices team for WCF Security. There's a lot to be found there.

http://www.codeplex.com/WCFSecurityGuide

Slavo