Basic authentication in WCF REST Service


  • User-1799376286 posted
    I am new to WCF REST services and have a question about implementing basic authentication on a WCF REST service. I have seen articles where, on calling the web service method, a call to an encoding method is made first that also sits within the WCF service and validates the input parameter, and if successful then proceeds further with the web service, e.g. encode64(yrey7dhjt5g). My question is: an attacker can call the same method and pass the same parameter, as the code would be viewable if the call is made on the client side using jQuery, so how does this authentication work? Apologies if I am missing the point here.
    Monday, June 10, 2013 1:36 PM

All replies

  • User-488622176 posted

    I know of ticket-based authentication schemes where a client sends a ticket to a service, where the ticket can be validated. I know other schemes that prevent replay attacks. However, I'm not familiar with what you are trying to achieve.
    What is your problem? What do you want to do/avoid?

    Monday, June 10, 2013 4:44 PM
  • User-1799376286 posted

    Basically I am trying to explain the scenario in which a WCF service call would be made through jQuery.

    As jQuery is client side, the code is readable in the page's view-source.

    Let's suppose my service URL is: http://mydomain.com/restservice.svc/getdata;

    I don't want hackers to call the above service; rather, I prefer to place some sort of password that would be authenticated first before a call is made.

    The problem is that whatever password I pass, the hacker can read it from the page's view-source. Even if I pass fff99 and then decrypt it within the service, the value is still readable in view-source and can be passed by an attacker as well.

    Monday, June 10, 2013 5:14 PM
  • User-488622176 posted

    If both the service & web app are running in the same appdomain (ex: same site), why not encrypt the password using AES and store the encryption/decryption key in application state? This would allow the key to be shared. You could for example store a key pair <DateTime, Key> where DateTime is the lifespan of the password. If the actual date is beyond this timestamp, regenerate the key. You can encrypt the password in the jscript with the encryption key.

    Does this work out for your case?

    Monday, June 10, 2013 5:43 PM
  • User-1799376286 posted

    Quoting Illeris:

        If both the service & web app are running in the same appdomain (ex: same site), why not encrypt the password using AES and store the encryption/decryption key in application state? This would allow the key to be shared. You could for example store a key pair <DateTime, Key> where DateTime is the lifespan of the password. If the actual date is beyond this timestamp, regenerate the key. You can encrypt the password in the jscript with the encryption key.

        Does this work out for your case?

    Unfortunately it's not a solution in my case, as the client and service are on different domains.

    I was wondering: is it possible to find the domain from which a request has been made, within a WCF REST service?

    Monday, June 10, 2013 5:45 PM
  • User-488622176 posted

    It is: http://stackoverflow.com/questions/10616995/wcf-3-5-find-the-url-the-client-used-to-get-to-the-service-server-side

    However, this info is not fool-proof. It can be manipulated, albeit not with a few clicks...

    Tuesday, June 11, 2013 4:15 AM
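    The question at the top of the thread is what Basic authentication on a WCF REST operation normally looks like when done server-side; the following is an added example, not code from this thread, in which the credential arrives in the request's Authorization header (typed by the user at runtime and sent over HTTPS) rather than as a constant in the page's JavaScript. DataService, BasicAuth, CredentialsValid and the sample user are hypothetical names for illustration.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Web;
using System.Text;

[ServiceContract]
public class DataService
{
    // Exposed at .../restservice.svc/getdata, matching the thread's example URL.
    [OperationContract]
    [WebGet(UriTemplate = "getdata", ResponseFormat = WebMessageFormat.Json)]
    public string GetData()
    {
        // Reject the call unless a valid Basic credential was presented.
        if (!BasicAuth.Authorize(WebOperationContext.Current))
            return null;   // a 401 has already been written to the response
        return "protected data";
    }
}

public static class BasicAuth
{
    // Hypothetical credential lookup: a real service compares against a salted hash in a user store.
    static bool CredentialsValid(string user, string password)
    {
        return user == "alice" && password == "correct horse battery staple";
    }
    public static bool Authorize(WebOperationContext ctx)
    {
        string header = ctx.IncomingRequest.Headers[HttpRequestHeader.Authorization];
        if (header != null && header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
        {
            try
            {
                // Header carries base64("user:password"); split on the first colon only, since passwords may contain colons.
                string decoded = Encoding.UTF8.GetString(
                    Convert.FromBase64String(header.Substring(6).Trim()));
                int colon = decoded.IndexOf(':');
                if (colon > 0 && CredentialsValid(decoded.Substring(0, colon), decoded.Substring(colon + 1)))
                    return true;
            }
            catch (FormatException) { /* malformed base64: treat as no credential */ }
        }
        // Challenge the client; the browser then prompts the user for credentials.
        ctx.OutgoingResponse.StatusCode = HttpStatusCode.Unauthorized;
        ctx.OutgoingResponse.Headers[HttpResponseHeader.WwwAuthenticate] = "Basic realm=\"restservice\"";
        return false;
    }
}
```

    Because the password is supplied by the user and never embedded in the page, view-source exposes nothing usable, and the check belongs to the service rather than to a client-side encoding step. A cross-domain jQuery call to this service would additionally need CORS enabled on the service host, and the whole exchange should run over HTTPS since Basic credentials are only base64-encoded, not encrypted.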