I have a client app that makes calls to a WCF service. This app is on a public computer that's easily accessible and anyone can easily copy the .EXE and .CONFIG of my app into another machine and start using it.

Is there a pattern where I can check if the request is coming only from an app on a computer I installed it on and not on one it has been copied to?

Thanks in advance.

EDIT: I have thought of using the MAC address of the computer but not sure how reliable/easily hacked that would be. This is a financial product so the authentication needs to be very very tight.

+2  A: 

You could, e.g., define a list of valid IP addresses where you installed your stuff, and then apply an IP filter to only allow calls from those authorized IPs.

See:

marc_s
For my case the IPs won't be fixed as the computers they are installed on will be offices using broadband. Any other suggestions?
fung
@Fung: not really - besides the IP, there's really not much you can check for. The other option would be to have a digital certificate installed on those PCs that should be authorized, and check for that certificate when making the call.
marc_s
+1, the machine certificate is the best option. @fung can generate these, and they can be made part of any install process, so if someone just grabs the binaries they won't have the cert. Best of all you can use the cert to encrypt the WCF messages.
slugster
Machine certs sound like a good way to go. I'll check them out. Thanks.
fung
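
The machine-certificate check suggested in the comments above, as an added example that is not code from the thread: a self-hosted WCF service that requires a client certificate and accepts only thumbprints enrolled at install time. The contract `IQuoteService`, the address and the thumbprint placeholders are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IQuoteService { [OperationContract] string Ping(); }   // hypothetical contract
public class QuoteService : IQuoteService { public string Ping() { return "ok"; } }

// Accepts only client certificates whose thumbprint was recorded when the app was installed.
public class EnrolledMachineValidator : X509CertificateValidator
{
    private readonly HashSet<string> _enrolled;
    public EnrolledMachineValidator(IEnumerable<string> thumbprints)
    { _enrolled = new HashSet<string>(thumbprints, StringComparer.OrdinalIgnoreCase); }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null) throw new ArgumentNullException("certificate");
        // Custom mode replaces WCF's built-in chain/peer checks, so test validity here.
        if (DateTime.Now < certificate.NotBefore || DateTime.Now > certificate.NotAfter)
            throw new SecurityTokenValidationException("Client certificate is not currently valid.");
        if (!_enrolled.Contains(certificate.Thumbprint))
            throw new SecurityTokenValidationException("Client certificate is not enrolled.");
    }
}

public static class Program
{
    public static void Main()
    {
        // Placeholders (assumptions): substitute the thumbprints of your own certificates.
        var enrolledClients = new[] { "<CLIENT-CERT-THUMBPRINT>" };
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        var host = new ServiceHost(typeof(QuoteService), new Uri("http://localhost:8080/quote"));
        host.AddServiceEndpoint(typeof(IQuoteService), binding, "");
        host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
            StoreName.My, X509FindType.FindByThumbprint, "<SERVICE-CERT-THUMBPRINT>");
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new EnrolledMachineValidator(enrolledClients);
        host.Open();
        Console.ReadLine();   // keep the host running until Enter is pressed
        host.Close();
    }
}
```

On each authorized PC, install the client certificate into the machine store with its private key marked non-exportable, so the key is not among the files that travel with a copied .EXE and .CONFIG. Removing a thumbprint from the enrolled list revokes that machine.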