Hello,
I have a WCF web service. This web service should only allow certain client applications (built with technologies like Silverlight, Flex, ClickOnce, etc) to execute it's functionality. In an attempt to accomplish this, I have started each publicly visible method with the following code:
if (IsClientValid(...) == false) return;
My question is, what should I check for? I have considered passing a unique identifier as a string parameter and then passing that parameter to the IsClientValid method. However, I know that someone could use a tool like Fiddler to sniff out that parameter value and use it in their own applications. How do I uniquely identify my client applications such that only they can utilize my WCF web services?
Thank you
-
Depending on how far you want to go you can do any number of things. In an app I worked on we did the following:
Message security - to encrypt your messages, client must provide credentials (userNameAuthentication) with server providing serviceCertificate for message encryption.
Custom encrypted Soap Headers were used to provide client details with each message after the initial login. This header is encrypted using a combination of values taken from the client applciation and values retrieved from the server in the intial call.
All client outgoing messages attach the encrypted header, which the server extracts/decrypts upon reciept and the base service verifies that the required values are present.
In addition to this, a collection of encrypted headers are stored server side to guard against replay attacks using sniffed headers.
I can provide additional resources/links to how to achieve some of this if you think you could use some of it.
Edit: Assuming that the client apps are under your control.
-
Check out client cert authentication. The basic idea is that the https connection will fail unless the client sends a valid cert, where you get to determine what is valid.
0 comments:
Post a Comment