WCF security between WinForms client and Shared Host webserver


OK,

I have developed a WinForms client which contacts a server (ASPX app) via WCF calls. I now want to deploy the server on my shared web host, but I am new to WCF and the security possibilities behind it.

The goal is to secure the WCF service so that not everyone who knows or finds the endpoint can call it. Rather, only my WinForms client should be able to call the WCF service.

I do not need authentication on a per-user basis, so no authentication is required from the client's user. But I want only instances of this WinForms client to be able to interact with the service. The information passed between the server and the client is not very sensitive, so it is not really necessary to secure it, but if it can be done easily it would be a plus.

Is this possible in a shared host (IIS) environment (no HTTPS at my disposal)? Which binding and options should I use?

Thanks

So what I think is: you have an internet-facing service, and you just want to restrict it so that only your client app can call it, right? Or do you want other clients (like PHP, Ruby, etc.) to be able to call your service at some point in time?

To protect your messages, you have two options in WCF: message or transport security. With the unknown number of hops between your clients and your service on the Internet, transport security does not work, so you are left with message security (encrypting the message itself as it travels over the 'net'). To make that work, you usually equip your service (server-side only) with a digital certificate, which the client can use to encrypt its calls and messages. Only your service will be able to decrypt them, so you are safe on that end.

The next point is: who can call your service? If you want to be completely open to anyone, then yes, you need wsHttpBinding (or the REST variant, webHttpBinding). If you want to allow non-.NET clients, you are usually limited to no authentication (anyone can call), or to user name / password schemes, which you validate against a database of legitimate users on the server side.

If you only want to allow your own .NET client, you can do several things:

  • Disable metadata on your service; with that, you "hide" your endpoints and the services they provide. Someone using a "metadata scanner" (if such a thing exists) will not just stumble on your service and find out what it provides. Although this can

  • Define and use a custom binary HTTP binding; this makes it impossible for other clients, as well as for any other developer outside your organization, to set up and call your service. A binary HTTP binding will also give you some speed improvements; see how to do it.

  • You need to identify the callers that are allowed; one possible method is to insert an additional header into your WCF messages and then check it on the server side. This would ensure that a casual hacker who discovers your service and the details of the binary HTTP binding would still be rejected (at least for some time). See how to implement such a message inspector extension for WCF.

  • The final step would be to install a digital certificate on the client machine, together with your service. You would set up your client-side proxy to authenticate with the service using that certificate. Only that client machine with that certificate could then call your service.

It really depends on how far you want to go; WCF gives you so many options, but you need to decide how much effort you want to put in.
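As an added example (not code from the original question or answer), here is how two of the steps above fit together in C#: a custom binary-over-HTTP binding, and a client/server message inspector pair that stamps a caller header on every request and rejects requests without it. The header name, namespace and token value are made-up placeholders, and the `Bindings`, `TokenClientInspector`, `TokenDispatchInspector` and `Wiring` names are mine; they are not part of any WCF API.

```csharp
// Added example, not from the original answer. Placeholder names and values are
// assumptions; replace the token with a random secret of your own.
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

public static class ClientHeader
{
    // Constructed placeholder values. The token is a shared secret that both the
    // client and the service know. Over plain HTTP it is visible on the wire, so
    // it only raises the bar against casual callers, as the answer notes.
    public const string Name = "X-Client-Token";
    public const string Namespace = "urn:example:client-token";
    public const string ExpectedToken = "REPLACE-WITH-YOUR-OWN-RANDOM-TOKEN";
}

public static class Bindings
{
    // Binary message encoding over HTTP, built from standard WCF binding elements.
    // No HTTPS is required, which fits a shared host without a certificate.
    public static Binding BinaryHttp()
    {
        return new CustomBinding(
            new BinaryMessageEncodingBindingElement(),
            new HttpTransportBindingElement());
    }
}

// Client side: add the header to every outgoing request.
public sealed class TokenClientInspector : IClientMessageInspector, IEndpointBehavior
{
    public object BeforeSendRequest(ref Message request, IClientChannel channel)
    {
        request.Headers.Add(MessageHeader.CreateHeader(
            ClientHeader.Name, ClientHeader.Namespace, ClientHeader.ExpectedToken));
        return null;
    }
    public void AfterReceiveReply(ref Message reply, object correlationState) { }

    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
    {
        clientRuntime.ClientMessageInspectors.Add(this);
    }
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection parameters) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher dispatcher) { }
    public void Validate(ServiceEndpoint endpoint) { }
}

// Service side: reject any request that lacks the header or carries a wrong value,
// before the operation is dispatched.
public sealed class TokenDispatchInspector : IDispatchMessageInspector, IEndpointBehavior
{
    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
    {
        int index = request.Headers.FindHeader(ClientHeader.Name, ClientHeader.Namespace);
        string token = index >= 0 ? request.Headers.GetHeader<string>(index) : null;
        if (!string.Equals(token, ClientHeader.ExpectedToken, StringComparison.Ordinal))
        {
            // A FaultException here aborts the call; the caller sees a generic fault.
            throw new FaultException("Caller not recognized.");
        }
        return null;
    }
    public void BeforeSendReply(ref Message reply, object correlationState) { }

    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher dispatcher)
    {
        dispatcher.DispatchRuntime.MessageInspectors.Add(this);
    }
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection parameters) { }
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }
    public void Validate(ServiceEndpoint endpoint) { }
}

public static class Wiring
{
    // Client: a ChannelFactory<T> using the binary binding plus the token inspector.
    public static T CreateClientProxy<T>(string address)
    {
        var factory = new ChannelFactory<T>(Bindings.BinaryHttp(), new EndpointAddress(address));
        factory.Endpoint.Behaviors.Add(new TokenClientInspector());
        return factory.CreateChannel();
    }

    // Service: attach the dispatch inspector to an endpoint that was added with the
    // same binary binding (for IIS hosting, do this from a ServiceHostFactory override).
    public static void Protect(ServiceEndpoint endpoint)
    {
        endpoint.Behaviors.Add(new TokenDispatchInspector());
    }
}
```

Because the client's binding, header and token are all plain HTTP artifacts, anyone who captures one request can replay it; this is the "at least for some time" limit the answer mentions. Pairing the header check with the certificate step from the last bullet, or with message security once a service certificate is available, is what closes that gap.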
