Menu
I have a WCF web service that exposes several business methods. I also have two clients - an asp.net GUI and a data migration application that both connect to the wcf backend to invoke various business transactions.
I need my backend to be able to identify and distinguish between which wcf client has made a call to some variant logic.
Is there a way that my WCF service is able to identify clients connected to it? Also is there a way to use a signed key to prevent a client from spoofing their identity?
226
A WCF client is a local object that represents a WCF service in a form that the client can use to communicate with the remote service. WCF client types implement the target service contract, so when you create one and configure it, you can then use the client object directly to invoke service operations.
A service's endpoint identity is a value generated from the service Web Services Description Language (WSDL). This value, propagated to any client, is used to authenticate the service.
To configure a service to authenticate its clients using Windows Domain username and passwords use the WSHttpBinding and set its Security. Mode property to Message . In addition you must specify an X509 certificate that will be used to encrypt the username and password as they are sent from the client to the service.
You can solve this via a custom header.
You can add a custom header as part of the endpoint in the client application's configuration file. You would then make each client's custom header different. For example, in the ASP.NET version:
<endpoint
name="basicHttpEndpoint"
address="http://localhost:8972"
binding="basicHttpBinding"
contract="MySeriveContractLib.IMyService"
>
<headers>
<ClientIdentification>ASP_Client</ClientIdentification>
</headers>
</endpoint>
Then the service can check the header value like so:
public void MyServiceMethod()
{
var opContext = OperationContext.Current;
var requestContext = opContext.RequestContext;
var headers = requestContext.RequestMessage.Headers;
int headerIndex = headers.FindHeader("ClientIdentification", "");
var clientString = headers.GetHeader<string>(headerIndex);
if clientString=="ASP_Client"
{
// ...
}
else
{
// ...
}
}
In order to identify the type of caller (ASP.NET vs. WInforms or whatever), you probably need to add a custom header to your WCF messages - there's no way the service can know anything about the calling client unless it's part of the message or the headers sent. For this, your best bet is to write a WCF Message Inspector - and this blog post here will show you how to do this.
As for security - depends on your environment. In a corporate LAN behind a firewall - use the Windows credentials. If you're "outside facing", your best bet would be to install digital certificates on the clients to verify their identity.
WCF Guru Juval Löwy has a really good article on MSDN Magazine, Declarative WCF Security, that describes five common security scenarios in WCF and how to implement them. Highly recommended reading.
31
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
