I am moving from ASMX web services across to WCF. With ASMX, for security purposes I passed a password as a parameter to my web methods. I'd like to introduce a better layer of security going forward. Theoretically an attacker could decompile my application that consumes the web service, extract the password and consume the web service maliciously. Can I make it in some way so that the web service can only be consumed by my client application and not by any other means including a decompiled version of its executable? Does WCF introduce any superior security methods? I notice that the client object that consumes the web services has properties for credentials. What exactly are these properties and how are they implemented?
1 Answer
A good way to add security, when using WCF, is through message security (WCF also supports transport security but this has some quirks), which is configured in the binding on an endpoint and is very straightforward. With this security you authenticate clients via a username or password or even a SQL membership store (with the correct configuration).
Check this example out: http://dotnetmentors.com/wcf/wcf-message-level-security-by-example.aspx
Biggest benefits are quick bolting on of secure messaging and not having username and password parameters on your operations!
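The setup the answer describes, as an added example (not code from the answer or the linked article): a self-hosted WCF service using message security with user name credentials checked by a custom `UserNamePasswordValidator`, and a client that sets the `ClientCredentials` properties the question asks about. The contract `IOrders`, the address, the `demo-user`/`demo-password` pair and the certificate subject `localhost` are assumptions; it targets .NET Framework with references to System.ServiceModel and System.IdentityModel, and assumes a trusted certificate with that subject is installed in LocalMachine\My.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IOrders                       // hypothetical contract
{
    [OperationContract] string WhoAmI();       // no user name or password parameters
}
public class Orders : IOrders
{
    // The caller's identity comes from the security context, not from an argument.
    public string WhoAmI() { return ServiceSecurityContext.Current.PrimaryIdentity.Name; }
}
// WCF calls Validate for each incoming credential before the operation runs.
public class DemoValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        // Constructed check; a real service looks up a salted password hash per user.
        if (userName != "demo-user" || password != "demo-password")
            throw new SecurityTokenValidationException("Unknown user name or password.");
    }
}
public static class Program
{
    public static void Main()
    {
        const string address = "http://localhost:8080/orders";   // assumed address
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var host = new ServiceHost(typeof(Orders));
        host.AddServiceEndpoint(typeof(IOrders), binding, address);
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new DemoValidator();
        // UserName message security needs a service certificate to encrypt the credentials.
        host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "localhost");
        host.Open();

        // Client side: the credentials properties travel in the signed, encrypted security header.
        var factory = new ChannelFactory<IOrders>(binding, new EndpointAddress(address));
        factory.Credentials.UserName.UserName = "demo-user";
        factory.Credentials.UserName.Password = "demo-password";
        Console.WriteLine(factory.CreateChannel().WhoAmI());      // prints the authenticated user name
        factory.Close(); host.Close();
    }
}
```

The credentials are hard-coded here only to keep the example in one file; values prompted for at run time and issued per user are not recoverable from the client executable the way a compiled-in shared password is.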