I have an ASP.NET MVC 2 site set up to provide API JSON/XML responses

eg

[GET] /Product/10

Returns an xml response of a product

Additionally, I have a WCF SOAP service embedded into the site which returns the same methods (same contract) but via SOAP

eg

GetProduct(10)

Returns an xml soap product.

I chose this route because I like the pure MVC approach + routing engine. My client would like to secure each request by using a key based/token authentication system.

They simply want to include a key in each request...

My question is: what is the best (and most accessible) approach to this? I was thinking of using a custom HTTP header; however, would some clients have issues setting this value? Is this easy to do with a SOAP client generated from a WSDL?

I would rather not pollute my business objects with key properties.

A: 

The answer depends on what kind of clients you want to support. You have a lot of choices:

  • Use wsHttpBinding for modern clients which support WS-Security
  • Use basicHttpBinding for clients which do not - you can run this over SSL if you like, and can use your choice of HTTP authentication techniques
  • Use basicHttpBinding with your custom headers if you like. Be aware that some clients do not support headers, or have to go to extra effort in order to use them. I, personally, don't mind making such clients squirm, but you might.

No matter which you choose, WCF will allow you to implement them all at the same time. You can have a single service serve the same contract on multiple endpoints. For instance, you could keep basicHttpBinding on https://services.company.com/myservice/basic, and at the same time support WS-Security on http://services.company.com/myservice/secure.

John Saunders
I'd like to go with the 3rd option... this doesn't have to be the most secure service. Do you have any examples of basicHttpBinding with custom headers? I can't even figure out how to add them to a service client in .NET?
dmose
Do you have to wrap each call like so? http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/4f8ab001-dafa-4347-bc41-95255ecc9230
dmose
@dmose: if you define the headers in the WSDL, then when you use "Add Service Reference", they should be in the client for you. I believe that will force WCF to use message contracts, which can have headers and bodies.
John Saunders
@dmose: I don't have experience with wrapping the calls. That was news to me.
John Saunders
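
The third option above, as an added example that is not part of the thread: one WCF endpoint behavior that adds the key as a SOAP header to every client call through a message inspector (so individual calls need no wrapping) and checks it on the service before any operation runs. The header name, namespace, key value and address are constructed for the demo, and self-hosting over HTTP assumes admin rights or a URL reservation.

```csharp
// Added example, not from the thread. Header name, namespace, key and address are constructed.
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
[ServiceContract] public interface IProductService { [OperationContract] string GetProduct(int id); }
public class ProductService : IProductService { public string GetProduct(int id) { return "product " + id; } }
public class ApiKeyBehavior : IEndpointBehavior, IClientMessageInspector, IDispatchMessageInspector
{
    const string Name = "ApiKey", Ns = "urn:example:apikey"; // hypothetical header name/namespace
    readonly string key;
    public ApiKeyBehavior(string key) { this.key = key; }
    public void ApplyClientBehavior(ServiceEndpoint ep, ClientRuntime rt) { rt.MessageInspectors.Add(this); }
    public void ApplyDispatchBehavior(ServiceEndpoint ep, EndpointDispatcher d) { d.DispatchRuntime.MessageInspectors.Add(this); }
    public void AddBindingParameters(ServiceEndpoint ep, BindingParameterCollection p) { }
    public void Validate(ServiceEndpoint ep) { }
    // Client side: stamp the key on every outgoing call, so no per-call wrapping is needed.
    public object BeforeSendRequest(ref Message request, IClientChannel channel)
    { request.Headers.Add(MessageHeader.CreateHeader(Name, Ns, key)); return null; }
    public void AfterReceiveReply(ref Message reply, object state) { }
    // Service side: reject the message before any operation runs if the key is absent or wrong.
    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext ctx)
    {
        int i = request.Headers.FindHeader(Name, Ns);
        if (i < 0 || !SameKey(request.Headers.GetHeader<string>(i), key))
            throw new FaultException("Missing or invalid API key");
        return null;
    }
    public void BeforeSendReply(ref Message reply, object state) { }
    // Compare without stopping at the first differing character.
    static bool SameKey(string a, string b)
    {
        if (a == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int n = 0; n < a.Length; n++) diff |= a[n] ^ b[n];
        return diff == 0;
    }
    public static void Main() // self-hosted round trip: service and client in one process
    {
        var uri = new Uri("http://localhost:8080/products"); // constructed address
        var host = new ServiceHost(typeof(ProductService));
        host.AddServiceEndpoint(typeof(IProductService), new BasicHttpBinding(), uri).Behaviors.Add(new ApiKeyBehavior("demo-key"));
        host.Open();
        var factory = new ChannelFactory<IProductService>(new BasicHttpBinding(), new EndpointAddress(uri));
        factory.Endpoint.Behaviors.Add(new ApiKeyBehavior("demo-key"));
        Console.WriteLine(factory.CreateChannel().GetProduct(10));
        host.Close();
    }
}
```

On a real endpoint, use `new BasicHttpBinding(BasicHttpSecurityMode.Transport)` with an https address so the key is not sent in clear text.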