tags:

views:

658

answers:

3
+2  Q: 

WCF Data Services Security Options

What options are there for securing WCF Data Services? The open, RESTful nature of the services are extremely beneficial but I need to lock these services down so that only my Silverlight and WPF apps can perform requests against these services. The app will be distributed publicly, but our data and data model are not free for public consumption.

+2  A: 

Transfer security - SSL, credentials - CardSpace, certificates... http://wcfsecurity.codeplex.com/Wikipage

nubm  2010-04-07 13:26:51
Do these pertain to WCF Data Services? Or just WCF Services?
Blake Blackwell  2010-04-09 13:44:55
Not sure what you exactly mean. WCF is a framework or interface if you want that is used generally by WCF Services, in our case Data Services (Data Services, Sharepoint Services, Azure etc.). Those are only frameworks. Same as Clients Data Service (Silverlight, AJAX etc.). So if you want ie. AJAX, or your app to consume your data securely, you have to secure the transfer of the data over HTTP (SSL) and so you have to secure credentials (ie. login + password)... Generally it doesn't matter what services are you using. There is always a distributed app and you should protect transfered data.
nubm  2010-04-09 15:13:23
+2  A: 

http://msdn.microsoft.com/en-us/library/ms735093.aspx

Simple transport level security, which could be SSL. Or Message Security which could involve sending credentials in the soap header (WS-* standards).

Matt Davis  2010-04-07 13:28:32
Do the same security mechanisms work with WCF Data Services? Also, with the transport level security if I add certificate level security that would mean that only applications that possess the security ticket can access my webservice? No one else would be able to access it?
Blake Blackwell  2010-04-07 13:48:05
+1  A: 

Besides all the things already mentioned, WCF Data Services also have a concept called Query Interceptors which allows you on a programmatic basis to decide whether or not a given caller should be able to see all, some or no data at all.

marc_s  2010-04-07 14:41:59
I'm accepting this answer, as it is the most relevant to the specific Use Case of WCF Data Services.
Blake Blackwell  2010-04-09 20:48:58

related questions

Extending WCF Data Service to synthesize missing data on request
How to disable authentication schemes for WCF Data Services
Limit Access Using WCF Data Services
ADO.NET (WCF) Data Services Query Interceptor Hangs IIS
WCF Data Services implementation strategies.
Change DataSource WCF Data Services
Running an existing LINQ query against a dynamic object (DataTable like)
Ria Services vs WCF Dataservices
Why is my ServiceOperation method missing from my WCF Data Services client proxy code?
Does WCF Data Services return invalid JSON?
DataServiceConfiguration is internal so I can't enable WCF data paging?
HttpListner: intercept requests to WCF DataService
Using REST WCF data service as a data source for SQL Reporting services
How to use "SelectMany" with DataServiceQuery<>
Query ADO (WCF) Data Service and return a Bool
RESTful search centering on specific record within a larger query set
Dynamic JOIN across WCF Data Services
What is the story with shared data synchronization using the MS AJAX 4.0 client library?
Authenticating WCF DataServices
Uploading and downloading files using wcf data services?
Are "WCF Data Services" going in the right direction?
How to pass a collection of Entities to .NET RIA Data Service?
Using custom Data Service Providers, do I have any control over URLs that are returned?
Many-to-many relationship in .NET RIA services
Where can I find information on creating a WCF Data Services Custom Data Service Provider?