Best practice for securing web methods when user credentials are involved

  • Question

  • User-1177406051 posted

    Yes, I have Googled this...looking for real answers.

    This seems simple, but I have a web application that consumes a WCF service.

    I own both applications, but they are on different servers.

    It seems like a gaping security hole to create web service methods like 'UpdateClientProfile(ClientModel Client) // blah' and expose that, since potentially any caller can update a client profile.

    If web app A is using forms authentication and calls WCF service B, how do I verify that the user from app A is valid and such?

    Should I create WCF services that expose everything, and somehow trust the caller, or is there something better than that?

    Also consider that WCF service B may not have access to implement any role provider from web app A, since the nature of a WCF service is to share with a broad audience of clients.

    Thanks.

    Friday, January 11, 2013 11:16 AM

Answers

  • User-1662538993 posted

    You can have a Licensekey and SignatureHash that they have to provide with the method call, and you can validate that in your WCF service: if valid, let them access; otherwise respond that it is not valid.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, January 11, 2013 11:26 AM
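    One way to implement the license key plus signature hash check from this answer, as an added example that is not code from the thread: a hypothetical RequestSigner helper where the caller (web app A) computes an HMAC over the call and the WCF service (B) recomputes it before executing the method. The secret-lookup delegate, the canonical string layout and the 5-minute skew window are assumptions for the example; the per-method wiring into a WCF message inspector is left to the service.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper shared by web app A (the caller) and WCF service B (the verifier):
// A signs each call with the secret behind its license key, B recomputes the signature
// before running the method. This complements transport security (TLS), it does not replace it.
public static class RequestSigner
{
    // Allowed drift between caller and service clocks; bounds how long a captured call stays valid.
    private static readonly TimeSpan MaxSkew = TimeSpan.FromMinutes(5);

    // Caller side: HMAC-SHA256 over method name, license key, UTC timestamp and request body.
    // Put the forms-auth user name inside the body so B only acts for users that A vouches for.
    public static string Sign(string secret, string method, string licenseKey, string timestampUtc, string body)
    {
        string canonical = string.Join("\n", method, licenseKey, timestampUtc, body);
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret)))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(canonical)));
    }

    // Service side: secretForKey maps a license key to its secret, or returns null if unknown.
    public static bool Validate(Func<string, string> secretForKey, string method, string licenseKey,
                                string timestampUtc, string body, string signatureHash, DateTime nowUtc)
    {
        string secret = secretForKey(licenseKey);
        if (secret == null) return false;                                // unknown license key
        DateTime ts;
        if (!DateTime.TryParse(timestampUtc, CultureInfo.InvariantCulture,
                               DateTimeStyles.AdjustToUniversal | DateTimeStyles.AssumeUniversal, out ts))
            return false;                                                // malformed timestamp
        if ((nowUtc - ts).Duration() > MaxSkew) return false;            // stale or future-dated call
        byte[] presented;
        try { presented = Convert.FromBase64String(signatureHash); }
        catch (FormatException) { return false; }                        // not even valid Base64
        byte[] expected = Convert.FromBase64String(Sign(secret, method, licenseKey, timestampUtc, body));
        return FixedTimeEquals(expected, presented);
    }

    // Constant-time comparison so response timing does not reveal how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

    The timestamp window only limits replay; if a captured call must never be accepted twice within that window, also include a random nonce in the signed string and have the service remember nonces it has seen for the window's duration.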

All replies

  • User1690870723 posted

    You would have to use transport security with your WCF service.

    For more info:

    http://msdn.microsoft.com/en-us/library/ff648863.aspx

    Friday, January 11, 2013 11:25 AM