XML Web Services

Re: WCF Help

johnwsaunders3 — Mon, 06 Jul 2009 00:56:58 GMT

Ok. Here's the thing you have to be clear about. There's nothing you can do to prevent people from creating a client. All you can do is prevent their client from working. When you say you want to prevent them from creating a client, it just confuses things because it makes no sense.

See the WCF Developer Center on MSDN for a lot of good information, including the Beginner's Guide to Windows Communication Foundation. Also, see Windows Communication Foundation Security, Authentication, and Authorization.

Re: WCF Help

usplimpatt — Mon, 06 Jul 2009 00:11:51 GMT

johnwsaunders3:

What if theY wrote a client, but when their client called the service, the service returned an error because it didn't know who they were, or knew, but didn't permit them?

That's called authentication and authorization, and that's what you want. You do not want to prevent people from writing clients, you want to prevent their clients from ever working if they are either not identified, or are identified, but not permitted.

Thanks for the reply. authentication and authorization is exactly where i am having the issue.
Trying to prevent not identified or not permitted users/developers to implement client and if they did, throw error is my original goal.

Re: WCF Help

johnwsaunders3 — Sun, 05 Jul 2009 23:38:53 GMT

In the future, would you please use a better subject than "WCF Help"?

Thanks.

Re: WCF Help

johnwsaunders3 — Sun, 05 Jul 2009 23:37:28 GMT

What if the wrote a client, but when their client called the service, the service returned an error because it didn't know who they were, or knew, but didn't permit them?

That's called authentication and authorization, and that's what you want. You do not want to prevent people from writing clients, you want to prevent their clients from ever working if they are either not identified, or are identified, but not permitted.

Re: WCF Help

usplimpatt — Sun, 05 Jul 2009 13:10:09 GMT

Thanks for your reply Anup. I already tried what you suggested.
Problems is , since the WCF service and Web Application are in seperate domain, Users given role from Client Web application is not visible to WCF Service.
---------------
       [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
        public Employee[] GetEmployeeInfo(string empId)
        {
            // return data...
        }
-------------
Client error.

Access is denied.

Re: WCF Help

anup1252000 — Sun, 05 Jul 2009 04:17:35 GMT

just imagine that u want to authorise to role called members.. u can do so by using

[PrincipalPermission(SecurityAction.Demand,Role="members")].. write this line of code above operationcontract.. this wil take care of everything...

Re: WCF Help

usplimpatt — Sun, 05 Jul 2009 03:55:51 GMT

Some of the methods exposed through WCF Services returns data that should only be accessed by certain user or roles.
My current setup allows anyone to implement client and view data just by having the endpoint information.

Re: WCF Help

johnwsaunders3 — Sun, 05 Jul 2009 02:20:52 GMT

Why do you care if they write a client, as long as the client can't run?

WCF Help

usplimpatt — Sat, 04 Jul 2009 20:01:58 GMT

Hello,

I have couple of WCF services and seperate web application that utilize methods exposed from WCF Services.

Web application is secured with LDAP authentication and custom roles.

WCF services is hosted in IIS in different server and has no security except default windows authentication

Now my problem is , even though the web application is secured, anyone within the company can write client for WCF services.

How can i secure my WCF Service so that only i or those i authorize can implement client.