Reputation: 5227
Restricting access to internal WCF services
We have a couple of WCF services hosted in an asp.net application on IIS. We are getting more and more services used for internal communication(between our own systems, where the client can be located on the same server or on other servers). Now we need to secure these services by some means.
In short: The purpose is to stop other people from calling our services. Only applications under our control should be able to communicate with these services
Our current thought: We already have SSL enabled and we have a public cert for the server. Our current plan is to enable to security by using: clientCredentialType="UserName" where we have a custom validator that simply checks against a username/password we have defined(much like an API key).
Question #1: Is there any better way? The scenario sound simple and I feel we are missing some obvious solution.
Question #2: If we do it this way will the SSL cert we already have be enough or must we create any other certs?
Some context: .net 4, IIS 7, We have access to the server. The clients/services might be located on different servers.
Update 1: The client might be located on a completly different network. We have some other systems hosted elsewhere that also need to be able to call these services.
Upvotes: 3
Views: 1884
Answers (1)
Reputation: 364269
As I understand your scenario you have all your servers / services in your network / windows domain, don't you? In such case I would not use UserName authentication. Stick with windows security and HTTPS.
To restrict access to your service you have several options all based on Windows accounts used to run you allowed clients for your internal services. Assign these client accounts to domain group and after that you can:
- User standard .NET Role based security
PrincipalPermissionorPrincipalPermissionAttribute. This has disadvantage that you must hardcode authorization to your services. Only users from defined windows group will be able to access the service - The former approach can be hopefully (untested with WCF but works greatly with ASP.NET) with ASP.NET role provider. In such case you can use custom non windows role in permissions and use
AutorizationStoreRoleProvider(AzMan) to map domain users or domain groups to your custom role. Again it demands hardcoding at least permissions for custom roles.
How to use Authorization manager with ASP.NET 2.0
How to use ASP.NET Role provider in WCF - Create custom
ServiceAuthorizationManagerwhere you will use claims for windows role to authorize the user. The advantage of this approach is that you can add authorization manager through configuration so you don't have to touch any code of your services.
How to create custom AuthorizationManager for WCF service
Upvotes: 3
Related Questions
- Limiting WCF service to a specific client app
- Securing WCF Service
- How to restrict users that consume WCF services
- Securing a WCF Service - allowing certain Web Applications to access
- Looking to add basic security to a WCF service
- Allow only local network access to WCF services
- Limit access to endpoint of WCF service hosted in IIS
- WCF Internal Only Endpoint
- Need help in protecting WCF service
- Ways to restrict WCF Service so only our apps can access it