stackoom
  简体   繁体   中英

Best way to secure a WCF service on the internet with few clients

 原文  2015-02-11 02:07:52       c#/ web-services/ wcf/ security

Question

I am looking to expose a service to a selection of clients over the internet. At this stage the api is very small, and I only want known clients to be able to access the service. I don't need to be able to identify the clients now, however I envisage that in future I will need to be able to identify clients, as the api grows.

I'm wondering what the best way to secure the service is in the short term, with a view to the longer term where I may want to be able to authorise client access to specific methods on the service?

I was thinking of using Transport security - ie SSL. Should I also look at using Message security with 

clientCredentialType="certificate"

in which clase each client will have their own certificate that will authenticate them with the service?

Or should I simply provide each client an API key which will provide a similar level of client differentiation?

Any other suggestions welcome.

Note that this is a service to service interface - ie not a client application. The number of users of the service will be limited, and I don't foresee needing to apply security at the data level, moreso at the method access level.

3 answers

solution1
 1  2015-02-11 02:15:41

给每个人一个密钥,他们必须提交一个带有他们请求的SHA签名(他们传入的一些/所有参数的编码版本,所以你也可以做SHA并检查它是否匹配)。

solution2
 1  2015-02-11 02:23:27

The simplest approach for now would be to add SSL to your IIS host and then change the clients to connect on HTTPS, like this... 

      <security mode="Transport">
        <transport clientCredentialType="None" />
      </security>

solution3
 0 ACCPTED  2015-02-11 04:54:41

You could use custom user name/password authentication to authenticate users or AD Authentication to control who can use the service.

Best solution to my mind as for now as you do not want to identify the users is to use the custom user name/password authentication and allow every one for now. In future when you want to identify users, change the code and put validation in.

Refer to https://msdn.microsoft.com/en-us/library/aa702565(v=vs.110).aspx . In the validate function, don't throw any exception for now

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question What is the best way to check clients connection in WCF Best way to wait for WCF service? Best authentication/security strategy for WCF service with multiple clients Reuse of WCF service clients WCF service calls to clients Best way without an internet lookup to secure a paid for application Best way to keep a list in a wcf service memory Best Way To Frequent Access to WCF Service What is the most secure way to connect to a WCF Service from monodroid? install WCF service in IIS (clients)
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM