First of all, sorry for the dummy question. Couldn't find any straight answer on the internet.
I'm new to WCF (and using services in general) and would like to get some information about my security concerns.
Suppose I have an open source web application written under .Net which has a WCF Service to change the site users' profile data in an ajaxified approach. (e.g. When a user changes his location, a call from the client side will be made to one of my service's methods which has the responsibility to update the user data in the database.)
Now, what I don't understand is that since my web app is open source, everyone can see the methods exposed by the service. Is it possible for anyone to call those methods within their applications or somehow tamper with the data using their custom values? If so, what security measures should I take so that ONLY my application can call my service's methods?
Using digital certificates, you can secure your WCF web service so that only you can use it. Digital certificates are used to identify, authenticate and authorize users.
See this article for more on using digital certificates: http://msdn.microsoft.com/en-us/library/ms731899.aspx
The fact that your app is open source should not make it inherently less secure. Open or closed, you still have to make sure that only authenticated users access private data. Even if you could make the application your web service's sole user, there is nothing to stop an unauthorized user from accessing your application on a careless user's desktop. The best you can do is to ensure that the data your web service exposes is only accessed in accordance with your security policy. You cannot stop your users from taping their password and userid to their keyboard, say.
There are a whole bunch of WCF security scenarios here that should clarify how to resolve your particular issue - the best solution depends on your app's environment.
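To make the point in the answer above concrete, here is an added example (not code from the question or from either answer) of how the AJAX-facing profile service from the question could enforce that only the authenticated site user can change their own data, regardless of who can read the method names. It assumes ASP.NET forms authentication with `aspNetCompatibilityEnabled="true"` in web.config; `ProfileService`, `IProfileRepository` and `InMemoryProfileRepository` are names made up for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Web;
using System.Web;

// Hypothetical data-access interface; the real site would write to its database.
public interface IProfileRepository
{
    void UpdateLocation(string userName, string location);
}

// Constructed in-memory stand-in so the example compiles and can be exercised.
public class InMemoryProfileRepository : IProfileRepository
{
    public readonly Dictionary<string, string> Locations = new Dictionary<string, string>();
    public void UpdateLocation(string userName, string location) { Locations[userName] = location; }
}

// Requires <serviceHostingEnvironment aspNetCompatibilityEnabled="true"/> in web.config
// so that HttpContext.Current (and the forms-auth cookie) is available inside the service.
[ServiceContract(Namespace = "")]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class ProfileService
{
    private readonly IProfileRepository _repository = new InMemoryProfileRepository();

    // Called from the page's AJAX code. The client sends only the new value; the
    // user being updated comes from the server-side authenticated identity, never
    // from a client-supplied user id, so a caller cannot edit someone else's row.
    [OperationContract]
    [WebInvoke(Method = "POST", RequestFormat = WebMessageFormat.Json, ResponseFormat = WebMessageFormat.Json)]
    public void UpdateLocation(string location)
    {
        var identity = HttpContext.Current.User.Identity;
        if (identity == null || !identity.IsAuthenticated)
        {
            // Anonymous callers, including other applications that reuse the public
            // method names, get a 401 and no data changes.
            throw new WebFaultException(HttpStatusCode.Unauthorized);
        }
        if (string.IsNullOrWhiteSpace(location) || location.Length > 100)
            throw new WebFaultException<string>("Invalid location.", HttpStatusCode.BadRequest);

        _repository.UpdateLocation(identity.Name, location.Trim());
    }
}
```

The same identity check, or a `[PrincipalPermission]` demand with a matching `principalPermissionMode`, belongs on every operation that reads or writes private data, since the method names being public is not what protects the data.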