How to restrict access and use encryption in WCF RRS feed

  • Question

  • Hi

    I have few important questions related to WCF when it comes to restricted access and data encryption. Please be kind enough to contribute your expert knowledge to help me to find a suitable arrangement for this whole set up so that only desired parties can communicate using WCF.

    Imagine, a company called has a web application which has been developed as a ASP.NET MVC 4.0 web application using Visual Studio .NET 4.5 framework and let's call the project name "MainProject" or project 1 in visual studio. The company web services are living inside a separate project (2) folder. There is also a web client sitting in project folder 3, who is supposed to consume services in project folder 2. The services are WCF services and there is a svc file (directive) inside project 1, which is pointing to services inside project 2. The MVC project (1) has been published to IIS and it is live on a domain called The service definitions can be accessed using 

    1. There are two legacy flash web applications owned by the same company wants to consume above services. One is sitting in the same domain but the other one is sitting on a different domain.

    2. The company web client (project 3) also wants to consume above services but it may or may not be deployed into same domain. 

    3. We don't want other third parties to access above services other than those two flash applications and company web client. 

    So how we can achieve this. 

    We can use wsHttpBinding to encrypt the messages to avoid malicious tampering the messages. 

    Cross Domain Policy file can be placed in the IIS website root folder so that flash can use it to get access.

    We also can add base addresses to App.config files to  nominate inform which domain names are sending requests.

    But I am not really sure about my knowledge.

    Can you please help me to understand more and direct me to good resources that explain the related knowledge.

    The resources should be latest ones that aim Visual Studio 2012 or 2013 and IIS hosting of WCF.
    Thank you 

    Saturday, December 5, 2015 2:42 AM


  • Hi NathanSen,

    According to your description, in my opinion, perhaps we can try use username and password

    authentication to validate the client user. As far as I know, we can use the PrincipalPermissionAttribute

    to restrict access control the WCF.

    For more information, please refer to the following articles:

    1.How to: Restrict Access with the PrincipalPermissionAttribute Class 

    And we can use the SSL to protected our transfer channel. And you can refer the following link:

    2.How to: Configure an IIS-hosted WCF service with SSL

    Best Regards,

    Wanjun Dong

    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place. Click HERE to participate the survey.

    Friday, December 11, 2015 7:32 AM