Secure WCF RRS feed

  • Question

  • Hi,

    I have a WCF service hosted in IIS. Here my web service can be accessed by the public at http://XXX.com/WCFService/Service.svc

    How can I restrict the service from being accessed by the public? My web service is used by mobile apps. The mobile apps send requests to this service and receive its responses.

    Kindly advise. Thanks

     

    Wednesday, December 11, 2013 3:14 AM

Answers

  • Hi,

    In my mind, by far the simplest way is to have your web service require some type of access key in order to run the operation.

    Something simple like a base64 encoded GUID would work.  It doesn't even have to change.  Just add a parameter called "AccessKey" or something similar.  Have your app pass that and let the service validate that it is good.

    Another idea is to have the web service check the HTTP headers to see if it came from the page you authorized to use it.

    Best Regards,
    Amy Peng



    Thursday, December 12, 2013 8:03 AM
    Moderator
  • Are you planning to restrict your web service to mobile devices only?

    If so, the best way to do it is by comparing the WCF request header with a known user agent. For example:

    if (WebOperationContext.Current.IncomingRequest.UserAgent == "BlackBerry; U; BlackBerry 9900; en") { /* process the request */ }

    A list of user agent strings can be found at http://www.useragentstring.com/pages/useragentstring.php

    Refer to the Mobile section.

    Note: This code is not tested because of time constraints.



    Lingaraj Mishra

    Thursday, December 12, 2013 1:52 PM
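
The access-key check suggested in the first answer, sketched as an added example (not code from the thread or from either poster). It assumes the service is exposed over webHttpBinding so that WebOperationContext is available; the FeedService class, the X-Access-Key header and the AccessKey appSettings entry are hypothetical names, and the key travels in a header rather than a parameter so it stays out of URL logs.

```csharp
using System.Configuration;
using System.Net;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Web;
using System.Text;

[ServiceContract]
public class FeedService
{
    // Hypothetical names: the header and the appSettings key are illustrative.
    private const string HeaderName = "X-Access-Key";

    [OperationContract, WebGet(UriTemplate = "items")]
    public string GetItems()
    {
        RequireAccessKey(); // reject the call before any work is done
        return "feed content";
    }

    private static void RequireAccessKey()
    {
        string expected = ConfigurationManager.AppSettings["AccessKey"];
        string presented = WebOperationContext.Current.IncomingRequest.Headers[HeaderName];
        // Fail closed: an unset server-side key or a missing header is a rejection.
        if (string.IsNullOrEmpty(expected) || string.IsNullOrEmpty(presented)
            || !FixedTimeEquals(presented, expected))
            throw new WebFaultException(HttpStatusCode.Unauthorized);
    }

    // Hash both values to the same length, then compare every byte so the
    // response time does not reveal how many leading characters matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        using (SHA256 sha = SHA256.Create())
        {
            byte[] x = sha.ComputeHash(Encoding.UTF8.GetBytes(a));
            byte[] y = sha.ComputeHash(Encoding.UTF8.GetBytes(b));
            int diff = 0;
            for (int i = 0; i < x.Length; i++) diff |= x[i] ^ y[i];
            return diff == 0;
        }
    }
}
```

A key shipped inside a mobile app can be recovered from the app, and the User-Agent header is set by the client, so both checks filter casual callers rather than authenticate them. Serve the endpoint over HTTPS so the key is not readable in transit.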
