Chris Dixon

Reputation: 9167

Securing a WCF Service - allowing certain Web Applications to access

There have been so many topics I've read on this, but I have to just be 100% sure I'm going in the right direction with my scenario.

The main thing I'm wanting to do is lock down a WCF service (.NET 4.5) to a single web application (potentially more in the future though).

So,

Web Application (logged in via .NET Membership) -> WCF Service -> Data layer -> Database

The WCF Service should not allow access via anywhere but the Web Application.

What's the best way of achieving this? I've read about Username/Password validation to the WCF Service, but obviously you don't store the Password in a Session object once the user has logged into the Web Application, so this doesn't make much sense to me. Is the only way using a Certificate and the WCF Service checking that the Web App has that Certificate when being called?

Any help in layman's terms is greatly appreciated, I feel like I'm stuck in a WCF Security nightmare.

Upvotes: 0

Views: 487

Answers (2)

Reddy

Reputation: 66

You need to authenticate the web application by requesting credentials, so that your WCF service is secure.

Upvotes: 0

to StackOverflow

Reputation: 124696

You have to provide some sort of credential. A certificate is one possibility; another is to use Windows authentication in the back end WCF service, and only allow access to the service account of the Application Pool that hosts your Web Application.

Upvotes: 2
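
The Windows-authentication option from the answer above, sketched as an added example that is not part of the original answer: a `ServiceAuthorizationManager` that rejects every caller except the listed service account. The class names, the `ServiceHostSetup` helper and the `CONTOSO\svc-webapp` account are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.ServiceModel;

// Hypothetical class name; the account below is a constructed placeholder.
public sealed class AppPoolOnlyAuthorizationManager : ServiceAuthorizationManager
{
    // Accounts allowed to call the service. Add one entry per web application.
    private static readonly HashSet<string> AllowedCallers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            @"CONTOSO\svc-webapp" // placeholder: the web app's Application Pool service account
        };

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext security = operationContext.ServiceSecurityContext;

        // No security context or an anonymous caller: deny.
        if (security == null || security.IsAnonymous)
            return false;

        // Populated when the binding uses Windows client credentials.
        WindowsIdentity caller = security.WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            return false;

        // Deny by default; allow only the listed service accounts.
        return AllowedCallers.Contains(caller.Name);
    }
}

public static class ServiceHostSetup
{
    // Self-hosting helper (hypothetical): Windows credentials plus the check above.
    public static ServiceHost Create(Type serviceType, Type contractType, Uri address)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        var host = new ServiceHost(serviceType, address);
        host.AddServiceEndpoint(contractType, binding, string.Empty);
        host.Authorization.ServiceAuthorizationManager = new AppPoolOnlyAuthorizationManager();
        return host;
    }
}
```

For an IIS-hosted service, the same manager can be registered in configuration through the `serviceAuthorizationManagerType` attribute of the `<serviceAuthorization>` behavior element instead of in code.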
