0

I'm currently maintaining a web application which relies heavily on WCF web services. Currently there is no security for these services, so anyone who knew the address and parameters of the service could access data from them, without even logging into the web application.

Example:

http://www.mydomain.com/webservices/holidays.svc/GetHolidaysForUser?id=1234

This example would just post a JSON string back to the browser without any authentication whatsoever.

Unfortunately, WCF is something I'm not overly familiar with, so I have no idea where to start.

NOTE: I've been asked to use Forms Authentication if possible.

Matthew Layton
  • 39,871
  • 52
  • 185
  • 313
  • Do you know/control the clients consuming this wcf service? – rene Aug 19 '13 at 09:17
  • I have an idea where you can start: [WCF Security Fundamentals](http://msdn.microsoft.com/en-us/library/ff650862.aspx). – rene Aug 19 '13 at 09:19
  • @rene, Clients in what respect? (machines, browsers, domains, companies) etc? - Currently only people who are signed up to our application should be able to access the services, but we don't necessarily control how they access the application (i.e. specific machines, tablets etc). – Matthew Layton Aug 19 '13 at 09:29
  • `Clients` as in wcf-clients, aka the bits that talk to your service. I was asking that to see if using certificates to authenticate would be an option. – rene Aug 19 '13 at 09:55
  • @rene, from what I've read (thanks for the WCF Security Fundamentals link), it seems that certificates mode is the one to go for. – Matthew Layton Aug 19 '13 at 09:58
  • @rene, that being said - I still have no idea how to implement this. – Matthew Layton Aug 19 '13 at 09:59

2 Answers

1

One option is the use of client certificates.

This solution might be an option if you are not able to change the current implementation (which is needed if you are going the 'Forms authentication' route). Remember that dealing with certificates requires IT Operations to generate and install certificates on both server and clients. Whether this is feasible in your situation is unclear from your question.

First create certificates (if you're not buying but generating them yourself, make sure the IT guys are prepared to add your Root certificate in the Trusted Store; this is also true for the users of your service!)

Add this endpoint behavior client side:

    <behaviors>
      <endpointBehaviors>
        <behavior name="ClientCertificateBehavior">
          <clientCredentials>
            <clientCertificate findValue="client.com"
                               storeLocation="CurrentUser"
                               storeName="My"
                               x509FindType="FindBySubjectName" />
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>

Add/modify this server side:

    <wsHttpBinding>
      <binding name="wsHttpEndpointBinding">
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>

    <endpoint binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding"
              name="wsHttpEndpoint" contract="IService" />

Configure your web server to use SSL and require client certificates.

This answer is a shortened version of this guide.

rene
  • 41,474
  • 78
  • 114
  • 152
  • It is possible to use forms auth with WCF. WCF service hosted in IIS can use all ASP.NET infrastructure including forms authentication. So, you can configure your service to use the cookies for authentication. See related post [here](http://stackoverflow.com/questions/1087271/passing-formsauthentication-cookie-to-a-wcf-service) and [here](http://dotnetspeak.com/2012/01/securing-wcf-with-forms-authentication) – 0leg Aug 19 '13 at 15:13
  • @0leg I'm not claiming that forms authentication is not possible. Given the context of the OP I tried to supply a solution that would achieve what he needs by configuration only, relatively quickly and without the need for a code change. The two links you provided support my line of reasoning but if I missed something I'm open for suggestions – rene Aug 19 '13 at 15:25
  • While the certificate option eliminates code changes, it adds a great deal of administration headaches. Every browser that communicates with the service will need the certificate (including root) installed on that machine. This is practical only in a controlled corporate environment. Certificates also expire periodically and need to be re-installed. – 0leg Aug 19 '13 at 18:52
  • Those are good and in some way valid points which I added to my answer to articulate both trade-offs – rene Aug 19 '13 at 19:03
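The forms-authentication route that 0leg's comment describes (the OP was asked to use Forms Authentication, and a WCF service hosted in IIS can see the ASP.NET principal), as an added example that is not code from the question, the answers or the linked posts. It assumes the service is exposed over `webHttpBinding` with the `<webHttp />` behavior, that `aspNetCompatibilityEnabled="true"` and `<authentication mode="Forms">` are set in web.config (shown in the trailing comment), and that the user names and holiday lists are constructed sample data standing in for the real database. Besides checking that the caller is logged in, it also checks that the `id` in the query string belongs to the logged-in user, since a valid login alone would still let any user read any id.

```csharp
// Added example: a WCF REST service behind ASP.NET Forms Authentication.
// Not the project's own code; names such as IHolidayService and the
// sample data below are assumptions made for this example.
using System.Collections.Generic;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Web;
using System.Web;

namespace MyDomain.WebServices
{
    [ServiceContract]
    public interface IHolidayService
    {
        // Same URL shape as the exposed service in the question:
        // .../holidays.svc/GetHolidaysForUser?id=1234
        [OperationContract]
        [WebGet(UriTemplate = "GetHolidaysForUser?id={id}", ResponseFormat = WebMessageFormat.Json)]
        List<string> GetHolidaysForUser(int id);
    }

    // Required so that HttpContext.Current, and with it the Forms Authentication
    // principal, is populated inside WCF operations hosted in IIS.
    [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
    public class HolidayService : IHolidayService
    {
        // Constructed sample data standing in for the real user and holiday tables.
        private static readonly Dictionary<string, int> UserIdsByLogin =
            new Dictionary<string, int> { { "alice", 1234 }, { "bob", 5678 } };

        private static readonly Dictionary<int, List<string>> HolidaysByUserId =
            new Dictionary<int, List<string>>
            {
                { 1234, new List<string> { "2013-08-26", "2013-12-25" } },
                { 5678, new List<string> { "2013-09-02" } }
            };

        public List<string> GetHolidaysForUser(int id)
        {
            // 1. Authentication: without a valid Forms Authentication ticket the
            //    principal is missing or unauthenticated. Answer 401, not data.
            HttpContext context = HttpContext.Current;
            if (context == null || context.User == null || !context.User.Identity.IsAuthenticated)
            {
                throw new WebFaultException(HttpStatusCode.Unauthorized);
            }

            // 2. Authorization: the id parameter is supplied by the caller, so being
            //    logged in is not enough; the id must belong to the logged-in user.
            int callerId;
            if (!UserIdsByLogin.TryGetValue(context.User.Identity.Name, out callerId) || callerId != id)
            {
                throw new WebFaultException(HttpStatusCode.Forbidden);
            }

            List<string> holidays;
            return HolidaysByUserId.TryGetValue(id, out holidays) ? holidays : new List<string>();
        }
    }
}

/* web.config fragments this service relies on (assumed configuration, shown for
   completeness; the endpoint and behavior names are placeholders):

<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Login.aspx" requireSSL="true" />
  </authentication>
  <authorization>
    <deny users="?" />   <!-- anonymous requests are stopped before the .svc runs -->
  </authorization>
</system.web>
<system.serviceModel>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
  <behaviors>
    <endpointBehaviors>
      <behavior name="jsonBehavior"><webHttp /></behavior>
    </endpointBehaviors>
  </behaviors>
  <services>
    <service name="MyDomain.WebServices.HolidayService">
      <endpoint address="" binding="webHttpBinding" behaviorConfiguration="jsonBehavior"
                contract="MyDomain.WebServices.IHolidayService" />
    </service>
  </services>
</system.serviceModel>
*/
```

With `<deny users="?" />` in place, ASP.NET's URL authorization rejects anonymous requests before WCF is invoked (for Forms Authentication that shows up as a 302 redirect to the login page rather than a 401), so the `IsAuthenticated` check in the operation is defence in depth for the case where the `.svc` path is ever excluded from that rule. The per-user `id` comparison is the part that configuration alone cannot provide: it ties the data returned to the identity in the cookie, which is what closes the gap the question describes.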
0

What kind of authentication would you like to implement? Active Directory or a custom database? There are many ways to implement security. If your service and web site are hosted within the company environment I strongly suggest you use Active Directory Windows authentication. There are plenty of examples which describe the steps one by one in full detail.

qamar
  • 1,437
  • 1
  • 9
  • 12