Reputation: 4503
We have a WCF service, using WSHttpBinding and security mode set to Transport, as we are using SSL. We have also been asked to make sure the service can only be called by the 1 web application that uses it. Is there any way to block other applications from talking to it?
The application and service are all running within a company intranet, but there would be other applications on that intranet as well, so they want us to block them out. We tried setting the transport's clientCredentialType="Windows", but that keeps bringing up a prompt to log in whenever accessing the site. The users do not want that, as they are already logging in once the site comes up.
Upvotes: 1
Views: 2005
Reputation: 11328
Start here to get an overview: http://wcfsecurityguide.codeplex.com/ Some light reading...
The quick answer lies in how you can uniquely identify the web application. Does it have its own app pool on an IIS server, and could it therefore have its own user? Is this user on the same Active Directory? Then you can base the security on the application user.
You could potentially use a firewall to make sure the traffic only comes from that web server. You could use an X.509 cert issued to that server and change the binding to require X.509.
Without knowing more about the environment, it's hard to know what to recommend. The guide is good. Start at Solutions at a Glance (page 13) to get a feel for your options and jump around from there. Unless you are patient enough to read the guide ;-)
Upvotes: 1
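One way to enforce the "application user" and X.509 options from the answer above is a custom `ServiceAuthorizationManager` that rejects every caller except the web application. This is an added example, not code from the thread; the account name, thumbprint placeholder and assembly name are hypothetical, and it assumes that with transport `clientCredentialType="Certificate"` the caller's certificate is exposed as an `X509CertificateClaimSet`.

```csharp
using System;
using System.IdentityModel.Claims;
using System.Linq;
using System.ServiceModel;

// Added example: allow exactly one caller, identified either by the web
// application's app pool account or by the certificate issued to its server.
public class SingleCallerAuthorizationManager : ServiceAuthorizationManager
{
    // Hypothetical values: replace with the real app pool account and the
    // thumbprint of the client certificate installed on the web server.
    private const string AllowedAccount = @"CORP\svc-webapp";
    private const string AllowedThumbprint = "<THUMBPRINT-PLACEHOLDER>";

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext ctx = operationContext.ServiceSecurityContext;
        if (ctx == null || ctx.IsAnonymous)
            return false; // unauthenticated callers are rejected outright

        // Case 1: transport clientCredentialType="Windows".
        // For non-Windows callers this identity is anonymous, so the
        // IsAuthenticated check fails and we fall through to case 2.
        var windows = ctx.WindowsIdentity;
        if (windows != null && windows.IsAuthenticated &&
            string.Equals(windows.Name, AllowedAccount,
                          StringComparison.OrdinalIgnoreCase))
            return true;

        // Case 2: transport clientCredentialType="Certificate" (assumption:
        // the certificate is surfaced as an X509CertificateClaimSet).
        return ctx.AuthorizationContext.ClaimSets
            .OfType<X509CertificateClaimSet>()
            .Any(cs => string.Equals(cs.X509Certificate.Thumbprint,
                                     AllowedThumbprint,
                                     StringComparison.OrdinalIgnoreCase));
    }
}

// Registration in the service's config, inside the serviceBehaviors
// <behavior> element ("MyAssembly" is a hypothetical assembly name):
//   <serviceAuthorization
//     serviceAuthorizationManagerType="SingleCallerAuthorizationManager, MyAssembly" />
```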