0

I have a WCF web service that needs to be consumed by a ColdFusion application. That's not the real problem. The problem is that the service runs under IIS with a specific user. How can I tell, when the target application is calling the service, that the specific application is calling the service and not a ghost app?

For example:

Application x is calling service y and it should be okay. Also, application z is calling service y and it shouldn't be allowed to do so.

GxG

3 Answers

1

Based on comments in the answer from @Justin, it seems the CF client can only support the WS-I Basic Profile. This uses the built-in HTTP Basic authentication mechanism. Here is an article that explains how to configure a WCF service for this mode of authentication.

This article explains how you need to configure IIS to actually support HTTP Basic authentication. You can skip creating a custom authenticator if you set the IIS host machine to have either a local machine (preferred) or domain Windows account that matches the user name and password submitted to the service. Otherwise, the custom validator you write will determine who is authorized to invoke your service.

To respond to comment question: If you didn't configure IIS as in the second article, then you would get anonymous as the user of your service.

Sixto Saez
  • By any chance, do you know why, when calling the web service from ColdFusion with a username and password hardcoded, it doesn't work, but when calling the web service from the same computer but from Internet Explorer with the same username and password, it works just fine? :D – GxG May 03 '11 at 08:56
  • Sorry, I'm not familiar with ColdFusion at all. You could update the question with more detail about error messages and how you are successfully connecting from IE (e.g. is IE prompting you for a user & password). The link below has some specific troubleshooting info for cfinvoke. Link: http://ask.metafilter.com/149196/Debugging-CFML – Sixto Saez May 03 '11 at 13:22
0

It sounds like you need to set up some sort of authentication for your WCF Service:

Securing Messages Using Message Security

The long and short of it is that you would provide a token or username/password to authorized applications and then they would pass that information to you along with their request. You can then validate that the calling application is authorized to use your service or not.

Justin Niessner
  • When calling the WCF service on the ColdFusion part there is a command cfinvoke which takes parameters username and password... but how can I read them on the other end? Via IIS or inside the application itself? – GxG May 02 '11 at 13:33
  • @GxG, you need to determine whether the ColdFusion client is able to interoperate with the WS-* SOAP standards. If it can, then this answer will work. Otherwise, it probably only supports the WS-I Basic profile. If this is the case, you'll need to configure the WCF service to implement basic authentication with the basicHttpBinding. See this question & answer: http://stackoverflow.com/questions/2904883/how-can-i-use-wcf-with-only-basichttpbinding-ssl-and-basic-authentication-in-iis – Sixto Saez May 02 '11 at 13:49
  • @Sixto Saez: Tried that, but the problem is I need this service to run under a specific user, so basic authentication isn't quite the answer, or maybe I'm doing this wrong... Either way, I need to authenticate the call from the ColdFusion app. ColdFusion sends credentials but I receive anonymous... – GxG May 02 '11 at 14:38
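An added example, not part of the original thread or any poster's code: once the endpoint uses basicHttpBinding with Transport security and Basic client credentials (the setup the answers above point to), a service operation can read the authenticated caller from ServiceSecurityContext and refuse anonymous or unlisted callers. The contract, the service class and the account name `WEBHOST01\svc-app-x` are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;

// Assumed binding (web.config), as discussed in the answers:
//   <security mode="Transport"><transport clientCredentialType="Basic" /></security>
// With security mode "None" (the basicHttpBinding default) no caller identity is available.

[ServiceContract]
public interface IServiceY                      // hypothetical contract name
{
    [OperationContract]
    string GetData(int value);
}

public class ServiceY : IServiceY               // hypothetical service name
{
    // Hypothetical allow-list: one Windows account provisioned per permitted client application.
    // "Application x" authenticates as this account; "application z" has no entry.
    private static readonly HashSet<string> AllowedCallers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            @"WEBHOST01\svc-app-x"
        };

    public string GetData(int value)
    {
        RequireAllowedCaller();
        return "value: " + value;
    }

    private static void RequireAllowedCaller()
    {
        // Null or anonymous means the request reached the service without
        // transport-level authentication having taken place.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous)
            throw new FaultException("Authentication required.");

        // With Basic authentication handled by IIS, this is the Windows
        // account the submitted user name and password mapped to.
        string caller = ctx.PrimaryIdentity.Name;
        if (!AllowedCallers.Contains(caller))
            throw new FaultException("Caller is not authorized for this service.");
    }
}
```

The account the service itself runs under (the IIS application pool identity) is separate from the caller identity checked here, so the service can keep its specific user while still authenticating each client.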
0

If you are talking about the security on your WCF service, the answer would be to apply a security layer. For example, you could do basic security, where each authorized application uses a username and password to access the service. However, if you want something like Active Directory authentication, you will need to use a more complex authentication setup. One way to do that would be to use WIF (http://msdn.microsoft.com/en-us/magazine/ee335707.aspx). There are some good examples out there of how that can be implemented to allow for more secure WCF applications.

IAmTimCorey