Hello,

I have several WCF services in an ASP.NET application. I want to prevent applications from outside of my domain from accessing these services. Is there a configuration setting that allows me to block requests from outside of my domain?

Thank you!

A: 

EDIT: This will prevent all non-authenticated users from getting to your services. If you need users in your domain who aren't authenticated to access the services, let me know and I'll update accordingly.

Are you using authentication in your ASP.NET application?

<system.web>
  ...
  <authentication mode="Forms">
    <forms protection="All" defaultUrl="login.aspx" ... />
  </authentication>
  ...
</system.web>

If so, your .svc files will be inaccessible until your users authenticate. If a non-authenticated user tries to access a .svc file, they will be redirected to your login page.

EDIT(2): Since you need non-authenticated access to the services within your site, one thing you can consider is having a cookie that's sent to the user's machine upon the first visit to the site. The cookie could use a create date and some secret key to create a hash, and you can validate the hash on the server for each request. Requests from other sites wouldn't pass the cookie and your service would manually check to see if that cookie is there or not -- if it's not there, then the request is denied.

If your WCF service has ASP.NET compatibility enabled (true) and AspNetCompatibilityRequirementsMode set to Allowed or Required, you should have access to HttpContext and cookies. Here's more information about ASP.NET compatibility mode.

This may not be the most appropriate solution as I don't know your scenario and requirements. But hopefully this helps.

David Hoerster
Hi D. Hoerster. I do in fact need non-authenticated users in the domain to access the services. Can you please provide some insight regarding that? The page that accesses the services is in the same domain as the services. It's just that a user accessing the page will most likely not be authenticated.
Just to make sure I understand, you want to enable `http://mysite.com/dashboard.aspx` to access `http://mysite.com/myservice.svc` (even for non-authenticated users), but you don't want `http://someothersite.com/default.aspx` to access `http://mysite.com/myservice.svc`. Is that correct?
David Hoerster
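
An added sketch of the signed-cookie check described in EDIT(2) above (not code from the answer): it uses HMAC-SHA256 as the keyed hash over the creation time. The class name, key value, token format and 8-hour lifetime are assumptions.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added example; SiteVisitToken, Issue and IsValid are hypothetical names.
public static class SiteVisitToken
{
    // Assumption: constructed demo key; a real deployment loads it from protected configuration.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key-change-me");
    private static readonly TimeSpan MaxAge = TimeSpan.FromHours(8); // assumed lifetime
    private static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // Cookie value format (assumed): "<unix seconds>.<base64 HMAC-SHA256 of the seconds string>"
    public static string Issue(DateTime utcNow)
    {
        string created = ToUnix(utcNow).ToString(CultureInfo.InvariantCulture);
        return created + "." + Convert.ToBase64String(Mac(created));
    }

    public static bool IsValid(string cookieValue, DateTime utcNow)
    {
        if (string.IsNullOrEmpty(cookieValue)) return false;
        int dot = cookieValue.IndexOf('.');
        if (dot <= 0 || dot == cookieValue.Length - 1) return false;
        string created = cookieValue.Substring(0, dot);
        byte[] supplied;
        try { supplied = Convert.FromBase64String(cookieValue.Substring(dot + 1)); }
        catch (FormatException) { return false; }
        // Verify the MAC before trusting the timestamp it covers.
        if (!ConstantTimeEquals(supplied, Mac(created))) return false;
        long seconds;
        if (!long.TryParse(created, NumberStyles.None, CultureInfo.InvariantCulture, out seconds)) return false;
        long age = ToUnix(utcNow) - seconds;
        return age >= 0 && age <= (long)MaxAge.TotalSeconds; // reject future-dated and expired tokens
    }

    private static long ToUnix(DateTime utc) { return (long)(utc - Epoch).TotalSeconds; }

    private static byte[] Mac(string data)
    {
        using (var hmac = new HMACSHA256(Key)) return hmac.ComputeHash(Encoding.UTF8.GetBytes(data));
    }
    // Compare without an early exit so timing does not reveal how many bytes matched.
    private static bool ConstantTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Under ASP.NET compatibility mode the service operation would read the cookie via `HttpContext.Current.Request.Cookies` and reject the call when `IsValid` returns false. The token only shows that the client loaded a page of the site first, so any client that fetches a page obtains one; it does not authenticate a user.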
+1  A: 

If you don't want to expose services to the Internet, you should not host them on a public server. If you really need this, you should first look for a way to secure your services at the network level. For example, I guess ISA Server should be able to block requests to your services.

Ladislav Mrnka
+2  A: 

What you want is authentication. Limiting access based on domain is not a secure manner of authentication.

John Saunders
+1 The most straightforward way.
Ladislav Mrnka