Best practice for securing web methods when user credentials are involved

Question

User-1177406051 posted

Yes, I have Googled this...looking for real answers.

This seems simple, but I have a web application that consumes a WCF service.

I own both applications, but they are on different servers.

It seems like a gaping security hole to create web service methods like 'UpdateClientProfile(ClientModel Client) // blah and expose that, since potentially any caller can update a client profile.

If web app A is using forms authentication and called WCF service B, how do I verify user from app A is valid and such?

Should I create WCF services the expose everything, and somehow trust the caller, or is there something better than that?

Also consider WCF service B may not have access to implement any role provider from web app A, since the nature of WCF service is to sare with a broad audience of clients.

Thanks.

Answer 1

User1690870723 posted

You would have to use transport security with your wcf service.

For more info:

http://msdn.microsoft.com/en-us/library/ff648863.aspx

Answer 2

User-1662538993 posted

You can have Licensekey and SignatureHash that they have to provide with the method call and you can validate that in your wcf service if valid let them access otherwise response that it is not valid.