Hi,

I am creating a WCF web service using wsHttpBinding and a corresponding application that calls this web service. The idea behind the application that calls the WS is that it will be installed and run from multiple client sites as a background process. The background processes will periodically send information from its respective client back to the host by calling the WCF service. What kind of WCF security model should I implement to make sure that only service calls from the processes installed at the individual sites can call methods on the web service?

Note: The web service will be behind a firewall; however, this extra information may be irrelevant to the question at hand.

+1  A: 

Without the firewall mentioned, I would suggest two approaches:

  • Message security with UserName client credentials. This security mode uses an X509 service certificate to secure the message and a UserName token to pass the client's user name and password to the service.
  • Message security with Certificate client credentials. This security mode uses an X509 service certificate and a client certificate. The client certificate is also used to authenticate the client.

Advanced approaches can use supporting tokens, like mutual certificates for securing messages and a supporting user name token for authentication.

All these approaches can require installing certificates on client machines.

But in your case the firewall can change the solution. Is it possible to connect to your service from the client using HTTP port 80? If not, check that your IT opens incoming communication to your service. If not, you will have to use Azure .NET Services (cloud) to relay communication between your service and clients. This can change the security scenario.

Ladislav Mrnka
If I will be able to connect using port 80 or some other specified port, will I be able to use the 2 suggestions above? Basically I was thinking that every client machine will look the same to the host. Will using a certificate alleviate the need for a sql role provider?
SideFX
If the service is accessible then the suggested approaches should work. A role provider is only needed if you have to differentiate client roles. If every client has the same roles you don't have to create authorization at all.
Ladislav Mrnka
So if I did what you suggest, I shouldn't be able to call the web service from any other application that doesn't have the correct certificate? What about securing database access? This web service will be writing to a database. Also, would it be possible for a person on the same machine as the client application to find the certificate on the workstation and use that to make random web service calls? Sorry, I know that there are a couple of different questions there.
SideFX
The certificate is secured by the store you choose. If you place the certificate in the user store, only that user should be able to use it. The client certificate contains the private key, so it should always be stored in the CurrentUser\My store. But yes, anybody who has the certificate can use the service. There is some further security level related to certificates because some certificates require a PIN to be used, but I have never tried it in WCF.
Ladislav Mrnka
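
The second approach from the answer (message security with certificate client credentials), sketched as an added example that is not code from the thread: the host accepts only client certificates whose thumbprints were registered per site, and the client loads its certificate from CurrentUser\My as the last comment describes. The contract, address, subject name and thumbprint placeholders are assumptions, and the certificates must already be installed in the named stores.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract] public interface IReportService { [OperationContract] void Submit(string data); }
public class ReportService : IReportService { public void Submit(string data) { /* store data */ } }

// Custom mode replaces WCF's built-in chain check, so the certificate is pinned by thumbprint here.
public class SiteCertificateValidator : X509CertificateValidator {
    private readonly HashSet<string> allowed;
    public SiteCertificateValidator(IEnumerable<string> thumbprints) {
        allowed = new HashSet<string>(thumbprints, StringComparer.OrdinalIgnoreCase);
    }
    public override void Validate(X509Certificate2 certificate) {
        if (certificate == null) throw new SecurityTokenValidationException("No client certificate.");
        bool current = DateTime.Now >= certificate.NotBefore && DateTime.Now <= certificate.NotAfter;
        if (!current || !allowed.Contains(certificate.Thumbprint))
            throw new SecurityTokenValidationException("Client certificate is not a registered site certificate.");
    }
}

public static class Demo {
    static readonly Uri Address = new Uri("http://localhost:8080/report");   // assumed address
    static WSHttpBinding Binding() {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        return b;
    }
    public static ServiceHost CreateHost(string[] siteThumbprints) {
        var host = new ServiceHost(typeof(ReportService), Address);
        host.AddServiceEndpoint(typeof(IReportService), Binding(), "");
        host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
            StoreName.My, X509FindType.FindBySubjectName, "report-host.example"); // assumed subject
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new SiteCertificateValidator(siteThumbprints);
        return host;
    }
    public static ChannelFactory<IReportService> CreateClient(string clientThumbprint) {
        var endpoint = new EndpointAddress(Address, EndpointIdentity.CreateDnsIdentity("report-host.example"));
        var factory = new ChannelFactory<IReportService>(Binding(), endpoint);
        // Private key stays in the per-user store of the account running the background process.
        factory.Credentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser,
            StoreName.My, X509FindType.FindByThumbprint, clientThumbprint);
        return factory;
    }
    public static void Main() {
        var host = CreateHost(new[] { "<SITE-A-CERT-THUMBPRINT>" });          // placeholder value
        host.Open(); Console.ReadLine(); host.Close();
    }
}
```

Removing a thumbprint from the list passed to `CreateHost` revokes that one site without touching the others; callers with no certificate, an expired one or an unregistered one are rejected before `Submit` runs.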