
I have an MVC4 ASP.net financial application with a WCF service. The current scenario isn't secure enough and I need your help with that.

The current scenario:

  1. The user logs in using a login form, and I send his login details as a JSON object containing the UserID and the Password to the WCF service:

    http://example.com:22559/Login

    This returns a JSON object with a true or false.

  2. If it's true, I use the ASP function

    FormsAuthentication.SetAuthCookie(loginModel.UserID, loginModel.RememberMe);
    

    to set authorization cookies to use it later.

  3. When the user adds a new Transaction, I send a JSON object containing the transaction details without the password to:

    http://example.com:22559/AddTransaction

    I rely here on the MVC controller not allowing the user to access the transaction page if he isn't logged in.


The problem is that anyone can now sneak out and add a transaction without entering the password, using the URL:

http://example.com:22559/AddTransaction

What I need to do now is to make the WCF service itself secure, but I don't know how to do that without making the user enter his username and password each time he adds a new transaction. So, what is the proper way to do that?

Thanks in advance.

M.Nour
  • Get some professional help. Especially a crypto expert. What I want to say is: if this is a serious financial application and you do not solve this in a state-of-the-art way, you will get some serious legal trouble. – Mare Infinitus Jul 20 '14 at 10:24
  • Thank you Mare, it's a learning app for me, but I don't know the proper way and I can't find a useful tutorial to do that. If you can guide me, please do. – M.Nour Jul 20 '14 at 10:40
  • I would recommend starting with this https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet and to read lots about that http://stackoverflow.com/questions/853620/secure-web-services-rest-over-https-vs-soap-ws-security-which-is-better – Mare Infinitus Jul 20 '14 at 16:07

1 Answer


MVC 4's controllers typically use MembershipProvider for authentication and RoleProvider for authorization. So your WCF services may share the providers.

For authentication, you don't need to do anything in WCF code. For authorization, it is handy to decorate the respective operation implementation function (not the interface) with PrincipalPermissionAttribute with the Role name defined. The rest will be done in config and by the runtime.

For more details, just search "membershipprovider wcf"; you will find a lot of articles/tutorials on MSDN, CodeProject and StackOverflow.

Please be mindful that if you will be moving to MVC 5, Identity 2.0 is used by default, and MembershipProvider and RoleProvider will not be there by default. Nevertheless, your WCF code should remain unchanged, and only some elements under ServiceModel will need to adapt to the new custom authentication and authorization; the client code should remain the same as well, with no config change needed.

ZZZ
  • Thanks Andy, but I have a question. If I use the ASP MembershipProvider in the WCF, will I be restricted to using the WCF with ASP only, or may I use it with other things like an Android app, for example? – M.Nour Jul 20 '14 at 13:14
  • The provider things are the implementation on the server side, of which the clients, including those running on Android, have NO knowledge. In other words, as long as the client requests contain credentials, they should not care about WCF, ASP, MVC or .NET. Say, if the binding is http or https, the transport is SOAP with credentials embedded. SOAP is platform neutral/independent. – ZZZ Jul 20 '14 at 18:12
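As an added example (not code from the question or the answer), here is a WCF operation guarded the way the answer describes: the PrincipalPermission demand sits on the implementation, the runtime validates credentials against the ASP.NET MembershipProvider and checks the role against the RoleProvider, and the user identity is taken from the validated principal rather than from the JSON body. FinanceService, the TransactionUser role and the provider names are assumptions.

```csharp
// Added example (not the page's code); service, role and provider names are assumptions.
using System.Collections.Concurrent;
using System.Security.Permissions;
using System.ServiceModel;
using System.Threading;
[ServiceContract]
public interface IFinanceService
{
    [OperationContract]
    int AddTransaction(decimal amount, string description);
}
public class FinanceService : IFinanceService
{
    // Constructed in-memory store standing in for the real database.
    private static readonly ConcurrentDictionary<string, int> TransactionCounts =
        new ConcurrentDictionary<string, int>();
    // The demand sits on the implementation, not the interface: the WCF runtime rejects
    // unauthenticated callers or those outside the role before this body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "TransactionUser")]
    public int AddTransaction(decimal amount, string description)
    {
        // Identity comes from the validated credentials, never from the JSON payload.
        string userId = Thread.CurrentPrincipal.Identity.Name;
        return TransactionCounts.AddOrUpdate(userId, 1, (_, count) => count + 1);
    }
}
/* Matching web.config fragment: credentials are validated by the ASP.NET MembershipProvider,
   and the Role demanded above is checked against the RoleProvider.
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="secureBinding">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="membershipAuth">
        <serviceCredentials>
          <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="AspNetSqlMembershipProvider" />
        </serviceCredentials>
        <serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="AspNetSqlRoleProvider" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
*/
```

With this binding the service must be hosted over HTTPS, and a request to /AddTransaction that carries no credentials is rejected by the runtime with an access-denied fault instead of reaching the operation body.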