WCF Service Authentication

  • Question

  • Environment

    WCF, VS 2008, ASP.NET 3.5

    I would like to know whether forms-based security is secure enough to access the methods that are exposed through a WCF service.

    I have an Umbraco (CMS) site where an ASP.NET custom control is used to retrieve some data using the methods that are exposed through a WCF service. The Umbraco-generated website is released/published on the internet. So whenever there is a request for the page where the custom control is used in Umbraco, methods are accessed/consumed through the WCF service.

    So is it secure enough to hard code the user name and password in the custom control, so that whenever there is a request for the page the credentials are validated, and if they are authenticated the service methods are accessible, else denied?

    OR

    When an ASP.NET application is running on IIS it runs under ASP.NET Network Service, so whenever there is a request to the WCF service, can this be handled in the best way?

    I think the first approach is secure.

    Your help and insight are appreciated.

    Thanks,


    Apriori algorithm [association rule]
    Tuesday, April 27, 2010 11:12 PM

Answers

  • Hi Sukumar,

    For the ASP.NET control which calls the WCF service, is it a standard web server control or some rich client control (such as ActiveX, Silverlight or ...)? If it is an ASP.NET server control, it runs at server-side; therefore, we can just rely on the authentication of the ASP.NET page (which contains the control), and the server control can always access the WCF service (it does not need to do further authentication when calling the WCF service) if you feel the forms authentication at ASP.NET page level is sufficient.

    More info about trusted subsystem pattern in .NET service application:

    #Trusted Subsystem
    http://msdn.microsoft.com/en-us/library/ff649178.aspx


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Thursday, April 29, 2010 8:34 AM

All replies

  • You can use Windows authentication and restrict access to the Network Service account. Hard coding usernames and passwords is not good.
    Tuesday, April 27, 2010 11:34 PM
  • You can use Windows authentication and restrict access to the Network Service account. Hard coding usernames and passwords is not good.

    Thanks, but end users come from around the world. How is it feasible to filter the requests? Hard coding is never a standard practice; the ASP.NET Membership provider should be used in the near future. In the meantime, in order to make sure that there is no potential threat, I think that hard coding these credentials is good enough?
    Apriori algorithm [association rule]
    Wednesday, April 28, 2010 8:24 AM
  • End users come from around the world, but they are not accessing your service directly, so your WCF service doesn't need to authenticate them. Your web application (running with the Network Service account) is accessing the service, so it can access the service with Windows Authentication (or an X509 certificate).

    Wednesday, April 28, 2010 8:34 AM
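
The replies above suggest Windows authentication restricted to the Network Service account instead of hard-coded credentials. As an added example (not code from the thread or from any poster), one way to enforce that on the service side is a custom `ServiceAuthorizationManager`; the class name is hypothetical. It assumes the web application and the WCF service run on the same machine and that the binding uses Windows client credentials; across machines the Network Service account authenticates as the machine account, so the SID to compare would differ.

```csharp
using System.Security.Principal;
using System.ServiceModel;

// Added example; NetworkServiceOnlyAuthorizationManager is a hypothetical name.
// Register it on the service behavior in web.config:
//   <serviceAuthorization
//       serviceAuthorizationManagerType="NetworkServiceOnlyAuthorizationManager, YourAssembly" />
// (YourAssembly is a placeholder.) The binding must request Windows credentials,
// e.g. <transport clientCredentialType="Windows" />.
public class NetworkServiceOnlyAuthorizationManager : ServiceAuthorizationManager
{
    // Well-known SID S-1-5-20 (NT AUTHORITY\NETWORK SERVICE).
    private static readonly SecurityIdentifier NetworkService =
        new SecurityIdentifier(WellKnownSidType.NetworkServiceSid, null);

    // Called by WCF for every operation before the service method runs.
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext context = operationContext.ServiceSecurityContext;

        // No security context or an anonymous caller means the binding
        // did not authenticate anyone: deny.
        if (context == null || context.IsAnonymous)
        {
            return false;
        }

        // WindowsIdentity is an unauthenticated anonymous identity when the
        // caller did not present Windows credentials.
        WindowsIdentity caller = context.WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated || caller.User == null)
        {
            return false;
        }

        // Allow only the local Network Service account (the ASP.NET worker
        // process identity described in the thread); everything else is denied.
        return caller.User.Equals(NetworkService);
    }
}
```

With this in place no user name or password is stored in the custom control; the web application's process identity is the credential.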