Hello,

I have couple of WCF services and seperate web application that utilize methods exposed from WCF Services.

Web application is secured with LDAP authentication and custom roles.

WCF services is hosted in IIS in different server and has no security except default windows authentication

Now my problem is , even though the web application is secured, anyone within the company can write client for WCF services.

How can i secure my WCF Service so that only i or those i authorize can implement client.
 

Why do you care if they write a client, as long as the client can't run?

Some of the methods exposed through WCF Services returns data that should only be accessed by certain user or roles.
My current setup allows anyone to implement client and view data just by having the endpoint information.

just imagine that u want to authorise to role called members.. u can do so by using

[PrincipalPermission(SecurityAction.Demand,Role="members")].. write this line of code above operationcontract.. this wil take care of everything...

Thanks for your reply Anup. I already tried what you suggested.
Problems is , since the WCF service and Web Application are in seperate domain, Users given role from Client Web application is not visible to WCF Service.
---------------
       [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
        public Employee[] GetEmployeeInfo(string empId)
        {
            // return data...
        }
-------------
Client error.

Access is denied.

What if the wrote a client, but when their client called the service, the service returned an error because it didn't know who they were, or knew, but didn't permit them?

That's called authentication and authorization, and that's what you want. You do not want to prevent people from writing clients,  you want to prevent their clients from ever working if they are either not identified, or are identified, but not permitted.

In the future, would you please use a better subject than "WCF Help"?

Thanks.

johnwsaunders3:

What if theY wrote a client, but when their client called the service, the service returned an error because it didn't know who they were, or knew, but didn't permit them?

That's called authentication and authorization, and that's what you want. You do not want to prevent people from writing clients,  you want to prevent their clients from ever working if they are either not identified, or are identified, but not permitted.

Thanks for the reply. authentication and authorization is exactly where i am having the issue.
Trying to prevent not identified or not permitted users/developers to implement client and if they did, throw error is my original goal.

Ok. Here's the thing you have to be clear about. There's nothing you can do to prevent people from creating a client. All you can do is prevent their client from working. When you say you want to prevent them from creating a client, it just confuses things because it makes no sense.

See the WCF Developer Center on MSDN for a lot of good information, including the Beginner's Guide to Windows Communication Foundation. Also, see Windows Communication Foundation Security, Authentication, and Authorization.