Guidance for secure WCF service design for B2B scenario

  • Question

  • User88744855 posted

    In a B2B scenario I want only my own client to be able to access my WCF service. My WCF service will be published on the internet, but if somehow others learn my service URL or mex URL, they should not be able to create a proxy of my service. I will only provide my service proxy or contract assembly to my customer manually, and then only my customer can consume it. So guide me on how I could develop this kind of secure service where other people will not be able to interact with my service. Thanks

    Tuesday, April 15, 2014 3:03 PM

Answers

  • User-417640953 posted

    Hi mou_inn,

    According to your description, I see you do not want someone who isn't your client to be able to access your WCF metadata.

    For this issue, I suggest you set the metadata as not accessible; in other words, do not publish your metadata to the internet.

     <serviceBehaviors>
            <behavior name="Behavior1">
              <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
            </behavior>
          </serviceBehaviors>

    Then outside users cannot access the service metadata, so you should send your contract assembly to your client so they can create the service proxy from it.

    On the client side, you can use the ChannelFactory<Channel> to create the service proxy as below.

          // "WSHttpBinding_ISampleService" is the endpoint configuration name from the client's app.config.
          ChannelFactory<ISampleServiceChannel> factory
            = new ChannelFactory<ISampleServiceChannel>("WSHttpBinding_ISampleService");

          // Add the client side behavior programmatically to all created channels.
          // EndpointBehaviorMessageInspector is a custom IEndpointBehavior (its definition is not shown in this post).
          factory.Endpoint.Behaviors.Add(new EndpointBehaviorMessageInspector());

          ISampleServiceChannel wcfClientChannel = factory.CreateChannel();

    For more information about using ChannelFactory on the client, please refer to the link below.

    http://www.codeproject.com/Tips/558163/Difference-between-Proxy-and-Channel-Factory-in-WC

    Hope that helps, thanks.

    Best Regards!

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, April 17, 2014 9:59 PM
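The following is an added example (not code from the original posts) showing the accepted answer's approach end to end in one self-hosted program: the service is hosted with metadata publishing disabled (the code equivalent of the `<serviceMetadata httpGetEnabled="false" httpsGetEnabled="false"/>` setting) and no mex endpoint, and the client builds its channel with ChannelFactory<T> from the shared contract interface alone. The contract name ISampleService, the service class, and the localhost address and port are assumptions made for the demo.

```csharp
// Added example: self-hosted WCF service with metadata disabled, consumed through
// ChannelFactory<T> using only the contract assembly. Names and address are placeholders.
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

// The contract is compiled into an assembly handed to the customer out of band;
// the customer never needs ?wsdl or a mex endpoint to build a proxy.
[ServiceContract]
public interface ISampleService
{
    [OperationContract]
    string Echo(string text);
}

public class SampleService : ISampleService
{
    public string Echo(string text) { return "echo: " + text; }
}

class Program
{
    static void Main()
    {
        var address = new Uri("http://localhost:8733/SampleService"); // placeholder address

        using (var host = new ServiceHost(typeof(SampleService), address))
        {
            // Same effect as <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false"/>:
            // no WSDL over HTTP or HTTPS. No mex endpoint is added either.
            var metadata = host.Description.Behaviors.Find<ServiceMetadataBehavior>();
            if (metadata == null)
            {
                metadata = new ServiceMetadataBehavior();
                host.Description.Behaviors.Add(metadata);
            }
            metadata.HttpGetEnabled = false;
            metadata.HttpsGetEnabled = false;

            // Keep exception details out of SOAP faults so internals are not disclosed to callers.
            var debug = host.Description.Behaviors.Find<ServiceDebugBehavior>();
            if (debug != null) debug.IncludeExceptionDetailInFaults = false;

            host.AddServiceEndpoint(typeof(ISampleService), new WSHttpBinding(), "");
            host.Open();
            Console.WriteLine("Service open; metadata publishing disabled.");

            // Client side: the channel is created from the contract interface and the
            // known address and binding; the server's metadata is never requested.
            var factory = new ChannelFactory<ISampleService>(new WSHttpBinding(),
                                                             new EndpointAddress(address));
            ISampleService client = factory.CreateChannel();
            Console.WriteLine(client.Echo("hello"));

            ((IClientChannel)client).Close();
            factory.Close();
        }
    }
}
```

Note that this only withholds the description of the service; anyone who obtains the address and binding details can still send requests, which is the point raised in the next answer about hiding versus authenticating.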
  • User-488622176 posted

    There are two options:

    • The approach of Fuxiang. Here you "hide" the service from being discovered by someone. You can communicate the service URI to your clients. When they know the URI they can connect.
      This approach is simple, but... If the URI leaks, everybody can call the service, and you'll never know who calls the service (client or not). Hiding things does not make them secure.
    • Using WCF security. You can require authentication for your service methods. You can choose to distribute credentials per client, or one set for all. This will prevent people from calling the service, unless they know the credentials. This does offer security. If you use 1 set of credentials per client, you can always know who distributed the credentials, and lock out clients that are no longer clients.

    If the concept "only clients" is necessary, hiding your service is not enough. Ask MSFT: how many times the ISO download links to their MSDN software downloads have leaked... ;-)

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, April 18, 2014 6:40 AM

All replies

  • User-488622176 posted

    It is practically impossible to make a WCF service visible only for one user/client. However, it is possible to control who has access and who has not. The mechanism is called "authentication". For your case I'd recommend certificate-based authentication. This allows you to control exactly which client can access your service, even from what device. See this site for more info: http://msdn.microsoft.com/en-us/library/ff648360.aspx

    Wednesday, April 16, 2014 10:22 AM
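The following is an added example (not code from the original posts) illustrating both the "use WCF security with one set of credentials per client" option from the accepted answer and the certificate-based authentication recommended in the reply above. The service requires every caller to present an X.509 certificate at the message level, and a custom X509CertificateValidator accepts only certificates whose thumbprints are on an explicit per-customer allow list, so each customer can be identified in logs and revoked individually. The contract, the service certificate subject name, the thumbprints and the address are placeholders; it assumes a service certificate with a private key is installed in the LocalMachine\My store.

```csharp
// Added example: WCF service that authenticates clients by X.509 certificate and
// admits only enrolled customers by thumbprint. All names and thumbprints are placeholders.
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface ISampleService
{
    [OperationContract]
    string Echo(string text);
}

public class SampleService : ISampleService
{
    public string Echo(string text)
    {
        // With certificate credentials the caller's identity is the authenticated
        // certificate, so every call is attributable to one customer.
        string caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        return "echo for " + caller + ": " + text;
    }
}

// One certificate per customer; the allow list holds their thumbprints.
// Removing a thumbprint locks that customer out without affecting the others.
public class AllowListCertificateValidator : X509CertificateValidator
{
    private readonly HashSet<string> allowedThumbprints;

    public AllowListCertificateValidator(IEnumerable<string> thumbprints)
    {
        allowedThumbprints = new HashSet<string>(thumbprints, StringComparer.OrdinalIgnoreCase);
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new SecurityTokenValidationException("No client certificate presented.");
        if (!allowedThumbprints.Contains(certificate.Thumbprint))
            throw new SecurityTokenValidationException(
                "Certificate " + certificate.Thumbprint + " does not belong to an enrolled customer.");
    }
}

public static class SecureHost
{
    public static WSHttpBinding CreateBinding()
    {
        // Message security: the client must sign requests with its certificate.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        return binding;
    }

    public static void Main()
    {
        var address = new Uri("http://localhost:8734/SampleService"); // placeholder address
        using (var host = new ServiceHost(typeof(SampleService), address))
        {
            host.AddServiceEndpoint(typeof(ISampleService), CreateBinding(), "");

            // Service certificate (placeholder subject name, assumed installed in LocalMachine\My).
            host.Credentials.ServiceCertificate.SetCertificate(
                StoreLocation.LocalMachine, StoreName.My,
                X509FindType.FindBySubjectName, "b2b-service-placeholder");

            // Replace the default chain-trust check with the explicit per-customer allow list.
            var auth = host.Credentials.ClientCertificate.Authentication;
            auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
            auth.CustomCertificateValidator = new AllowListCertificateValidator(new[]
            {
                "0000000000000000000000000000000000000001", // customer A (placeholder thumbprint)
                "0000000000000000000000000000000000000002"  // customer B (placeholder thumbprint)
            });

            host.Open();
            Console.WriteLine("Service listening; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

On the client side the matching ChannelFactory<ISampleService> uses the same binding and attaches the customer's certificate with factory.Credentials.ClientCertificate.SetCertificate(...); a caller without an enrolled certificate gets a security fault even if it knows the URL and has the contract assembly, which is the difference between hiding the service and authenticating its callers.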
  • User88744855 posted

    I did not mean that the WCF service should be visible for one client; rather, I do not want my service to be visible to any client. I will provide my contract to the client just to create a proxy and consume my service. So guide me on how to proceed. Thanks

    Thursday, April 17, 2014 3:49 AM
  • User88744855 posted

    If I just write

    httpGetEnabled="false"

    does that mean metadata will be disabled?

    I'd like to know: if I have a mex endpoint but httpGetEnabled="false", then what does it mean? Nobody will be able to see my metadata? If yes, then what is the importance of the mex endpoint?

    Sunday, April 20, 2014 1:23 PM