Hi folks,

I have a specific Silverlight application that is fed with data by a WCF service. I want to make sure that the WCF service is only called by that specific Silverlight app. What is the best way to accomplish that and what do I have to do? It doesn't have to be a high security solution.

Thanks in advance, Frank

+3  A: 

Enable basic authentication (username/password) on the service. Create a single user which the Silverlight app will use to authenticate itself with the service.

Easier, but less secure, might be to just use some sort of identifier (only known to the Silverlight client) as a service parameter.

Both options are obviously most secure when implemented with HTTPS. This can be accomplished by using a server certificate.

Eric Eijkelenboom
The problem with the approach is that the key/password is not secure. Be it Flash/Silverlight or JavaScript, the key can easily be extracted from it.
sri
Right, good point. In the case of JavaScript etc., there is no way to do this programmatically in a 100% secure way. So, that might mean you're stuck with something like client certificates or IP based filtering in your web server/firewall, possibly combined with the solution mentioned above.
Eric Eijkelenboom
100% security is an illusion anyway :) It is just "how much effort and skill does it take to get around the security restrictions". So it depends on the importance of the data. A username/password authentication will do it for me, thanks for all answers!
Aaginor
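
The first option from the answer above, sketched as server-side WCF configuration. This is an added example, not part of any post in this thread; the service, contract and binding names are hypothetical, and IIS hosting with Basic authentication enabled for the application is assumed.

```xml
<!-- web.config fragment for the WCF service (added example; names are hypothetical) -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>

      <!-- Weak: Basic authentication over plain HTTP. The username and
           password are only base64-encoded, so anyone on the network
           path can read them. -->
      <binding name="basicAuthOverHttp">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Basic" />
        </security>
      </binding>

      <!-- Corrected: Basic authentication inside HTTPS. Requires an
           https binding with a server certificate on the site. -->
      <binding name="basicAuthOverHttps">
        <security mode="Transport">
          <transport clientCredentialType="Basic" />
        </security>
      </binding>

    </basicHttpBinding>
  </bindings>

  <services>
    <service name="MyCompany.DataService">
      <!-- Only the HTTPS binding is exposed; the weak one above is
           shown for comparison and is not referenced. -->
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="basicAuthOverHttps"
                contract="MyCompany.IDataService" />
    </service>
  </services>
</system.serviceModel>
```

With IIS Basic authentication the credentials are checked against Windows accounts, so the "single user" is a dedicated low-privilege account. As the comments above point out, the password still ships inside the client, so this protects the credentials in transit and not against someone who inspects the application.
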
+1  A: 

You CANNOT restrict access to such a service. Your app will need access to whatever key/password you chose. It is trivial to decompile your app and extract the key. SSL/TLS will not help - because the password can be extracted from the compiled code.

This question has been asked quite a few times recently -

  1. http://stackoverflow.com/questions/2616797/ensure-exclusive-access-to-webservice
  2. http://stackoverflow.com/questions/2578645/how-to-restrict-access-to-my-web-service
  3. http://stackoverflow.com/questions/2601805/how-can-i-create-and-use-a-web-service-in-public-but-still-restrict-its-use-to-on
sri
+1  A: 

If your application is running anonymously then it's virtually impossible to be 100% secure.

However, if you are requiring your users to authenticate then you should be able to make the service relatively secure by requiring their login credentials...

Scrappydog
A: 

I don't know if it is easy with WCF, but I guess you could do something using client certificates. I only used this approach for protecting websites and it was quite easy to do...

Carles