tags:

views:

57

answers:

2
+1  Q: 

How do I securely authenticate the calling assembly of a WCF service method?

The current situation is as follows: We have an production .net 3.5 WCF service, used by several applications throughout the organization, over wsHttpBinding or netTcpBinding. User authentication is being done on the Transport level, using Windows integrated security. This service has a method Foo(string parameter), which can only be called by members of given AD groups. The string parameter is obligatory.

A new client application has come into play (.net 3.5, C# console app), which eliminates the necessity of the string parameter. However, only calls from this particular application should be allowed to omit the string parameter. The identity of the caller of the client application should still be known by the server because the AD group limitation still applies (ruling out impersonation on the client side).

I found a way to pass on the "evidence" of the calling (strong-named) assembly in the message headers, but this method is clearly not secure because the "evidence" can easily be spoofed. Also, CAS (code access security) seems like a possible solution, but I can't seem to figure out how to make use of CAS in this particular scenario.

Does anyone have a suggestion on how to solve this issue?

Edit: I found another thread on this subject; apparently the conclusion there is that it is simply impossible to implement in a secure fashion.

A: 

sounds to me like you need to pull the security out into a seperate service ... go down a more federated route this way you can implement a handshake form of encryption using public and private keys to generate a secure session token in both situations.

this way you cna still get both windows a=uthentication and a custom solution in play whilst retaining your attributes on methods for security (I am assuming that you are implementing it this way.)

sounds like a fair bit of work though - I had to do this from scratch and ran into some cross domain / delegation issues. But I am sure the idea is good.

howver you will end up with a nice solid claims based secuirty model

John Nicholas  2010-06-14 12:18:13
I must say that the idea of a custom handshake protocol crossed my mind (not in great detail, but it did :-) ), but I discarded it because I thought it would entail too much work and more issues down the line... as confirmed by your answer.Nevertheless, if this is the only way; I guess I'll just have to go for it. Do you know any pages describing this kind of claims based security model, within the context of WCF services? I'm still not clear on how I can make sure the session securely authenticates my client application.
Tim  2010-06-15 14:08:37
After sleeping on this idea, I can't help thinking that the separate service will face the same problem as my initial one: this service, too, will need to securely authenticate the calling assembly to provide a secure session key. Is this assumption correct or am I missing something?
Tim  2010-06-17 08:49:12
I went on holiday. Well my assumption is that you have no trust in the assembly via its data. With asynchronous encryption you can rotate keys making the weakness in the key. By rotating the key on the server side you can make it so that even though the client is not 100% secure the attacker does not have enough time to capitalise on it. So the only way you can have some confidence is if you employ some kind of trusted handshaking. It's not perfect by a long way as the weakness would be in the key used by the client and initial communication. But the lack of confidence is by your definition.
John Nicholas  2010-07-01 12:06:08
If you were able to re-release the assembly regularly then you create an uphill battle for the devious mind as you can update all the security - changing the aslgorithm, change the way the key is generated from the source data etc - generally make his life interesting.
John Nicholas  2010-07-01 12:08:29
A: 

You could get the callers Address:

 RemoteEndpointMessageProperty clientAddress = 
    OperationContext.Current.IncomingMessageProperties[RemoteEndpointMessageProperty.Name] 
as RemoteEndpointMessageProperty;
           string address = clientAddress.Address;
CkH  2010-06-14 18:33:48
Interesting fact, but the client application will need to be run from a large number of machines. The client address will certainly be useful for mentioning in the audits.
Tim  2010-06-15 13:56:49

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?