Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

WCF and Authentication

i need to pass a value from client everytime a request sent to WCF and check that value on server and decide to make the request or not, can any one write an example of that ?im not sure how is that is going be implemented

case: im generating a key based on the hardware of the client and i want to send that key to the server with every request to check if the key is accepted in the server db and then decide to process the request or not.

thanks in advance.

like image 264
Stacker Avatar asked Sep 02 '10 08:09

Stacker


People also ask

How do I provide security to WCF?

To secure an application that runs exclusively on a Windows domain, you can use the default security settings of either the WSHttpBinding or the NetTcpBinding binding. By default, anyone on the same Windows domain can access WCF services. Because those users have logged on to the network, they are trusted.

Is WCF secure?

WCF provides a secure, reliable, scalable messaging framework that can work over any protocol in any network. However, you need to secure your WCF service from phishing attacks when passing sensitive information through the network.


2 Answers

You are looking for message inspector. Check this article.

Edit:

Mentioned approach is the easiest one in your case. You will create client message inspector to add custom header and dispatch message inspector to extract header and validate key. If the key is not valid you will throw an exception.

The clean solution is to create custom token and cutom credentials but it is really complex so unless you want to dive deeply into WCF security implementation use message inspectors.

like image 111
Ladislav Mrnka Avatar answered Oct 21 '22 20:10

Ladislav Mrnka


I've implemented something like this to deal with some particularly "custom" authentication where methods are allowed or denied based on database state. It uses PerSession implementation, which allows you to avoid passing that key every time, since you can maintain the proxy for the duration of execution. It also provides some performance benefits by eliminating the overhead of instantiating the proxy repeatedly (may not be an issue depending on your design).

  1. Implement your service with an InstanceContextMode of "PerSession" [ServiceBehavior(InstanceContextMode = InstanceContextMode.PerSession)]
  2. Provide an initialization method in your service which accepts the key, and keeps a reference to it.
  3. In your service's methods, check that key, other conditions, etc. to determine what you need to do.
  4. Now when you instantiate the client proxy, call that initialization method first passing the key, and from that point forward you can proceed to make calls without it.
like image 39
msulis Avatar answered Oct 21 '22 20:10

msulis