 

WCF - client security with web control in CMS

Scenario:

We have developed a WCF web service which links to a database inside our firewall / DMZ. The web service and client application (data capture web forms) are required to be hosted on our internet-facing web server. This is because it needs to be accessed by web controls that will be hosted by our third party CMS (which hosts our main website).

Issue:

We want to ensure the data can be passed as securely as possible, but we would be cautious about sharing certificates between ourselves and our CMS provider (and vice versa). We would prefer the web controls are hosted as HTTPS but all the documentation I have read says this requires certificates to authenticate. I have been looking into applying additional custom security between the client and svc (custom bindings, username/password applied in code-behind, restricting calls by IP address) but I wanted to know if anyone else had come across this scenario.

I'm sure there must be examples of applying custom security when a third party is hosting the web controls for an application, but so far I've only found online the 'it's certificates or nothing' comments. Any help or guidance greatly appreciated.

Example of the many links viewed so far include:

  • WCF message security without certificate and windows auth

  • http://www.codeproject.com/Articles/59927/WCF-Service-over-HTTPS-with-custom-username-and-pa

  • WCF Service configuration HTTPS with CustomBinding

I've looked to apply suggested settings e.g. in the <wsHttpBinding> and <serviceCredentials> below while adding a new 'Secure' class to contain the custom username/password validator but get "svc...does not implement inherited member..." errors.

<wsHttpBinding>
  <binding name="EndpointBinding">
    <security mode="TransportWithMessageCredential">
      <transport clientCredentialType="None"/>
      <message clientCredentialType="UserName"/>
    </security>
  </binding>
</wsHttpBinding>

<serviceCredentials>
  <userNameAuthentication
    userNamePasswordValidationMode="Custom"
    customUserNamePasswordValidatorType="My.WcfSvc.Authentication.Secure, My.WcfSvc" />
</serviceCredentials>
Thom asked Dec 14 '15 14:12




1 Answer

I'm best-guessing at your architecture from what you've written, but here are some thoughts on your implementation:

  1. If you absolutely MUST use WCF to accomplish this and it is being done server to server, I would do so via X-509 Certificates. It gives you point to point security. I would also add some less important but ancillary aspects to your security implementation on IIS, such as IP restrictions, zero metadata implemented on production etc. If you aren't doing this server to server and have web-originated traffic calling these methods, I would reconsider your architecture and think about option #2.

  2. If you still have time to accomplish this in a different fashion and have the power to change the other side of the development process, I much prefer a token-based architecture for Web APIs delivered over HTTPS w/JSON. Not only can you identify pre-shared tokens you've given to partners, with IP / DNS restrictions around those, you can also have a two-step authentication process before data is even processed. This gives you the ability to issue temporary tokens for data transfer that expire quickly. On top of that, you can also encrypt the JSON using something like CryptoJS which has up to 512 encryption using a pre-shared salt between you and your partner https://code.google.com/archive/p/crypto-js/ - mostly unnecessary, but something to add to your quiver. In general two-step gives you a much more robust validation process and peace of mind.

Hope even a smidgen of this helped. Good luck with your integration!

Edit: I've realised I'm a little late to this particular party. I hope it went well. What did you end up implementing, OP?

Moby's Stunt Double answered Oct 03 '22 07:10