tags:

views:

27

answers:

2
Q: 

WCF WebService Security: How do I use security on a WebService?

I created a simple .NET WebService (it just passes back a string). How do I modify the server side (and possibly the client side) so that it also uses a username/password to validate before sending a response?

Client Code:

static void Main(string[] args)
{
    UpdateClient client = new UpdateClient("UpdateSOAPIIS");

    client.ClientCredentials.UserName.UserName = "Michael";
    client.ClientCredentials.UserName.Password = "testpassword";

    String response = client.GetString("New York, NY");

    Console.WriteLine(response);

    if (client != null) client.Close();
}

Server Code:

public virtual GetStringResponse GetString(GetStringRequest request)
{
    return new GetStringResponse("Search Location: " + request.location);
}
+1  A: 

It really depends on what kind of security you want. Should the protocol be encrypted, should the data be encrypted, or do you just want to authenticate a user. In the last case you can just go ahead and use whatever technology you want to verify that the user has permissions to use the API. For other options and some code, check out this MSDN article http://msdn.microsoft.com/en-us/library/ms731925.aspx

tathagata  2010-06-29 15:22:48
If I choose just to authenticate the user (for now) is it easy to adjust that later on to have the protocol and data encrypted?For now I'd just like to have my service up and running with a user/pass to access it (and I wanna avoid sending that plaintext over the message)... but later I might want to encrypt the data being sent. I'm not sure what encrypting the actual protocol would offer since the message is encrypted?
myermian  2010-06-29 15:32:44
+2  A: 

I recommend reading Juval Lowy's excellent article Declarative WCF Security. He describes five common scenarios (intranet, internet, b2b, anonymous, no security at all) and shows what that means, how to accomplish that etc.

He even goes as far as creating declarative attributes that you can basically just put on your service declaration and be done with it.

Those security scenario should really cover at least 80%, if not 95% of your typical cases. Study them and use them! Highly recommended

marc_s  2010-06-29 16:16:32

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?