Last post Jan 11, 2013 11:26 AM by kushalrdalal
Jan 11, 2013 11:16 AM|agent_smith|LINK
Yes, I have Googled this...looking for real answers.
This seems simple, but I have a web application that consumes a WCF service.
I own both applications, but they are on different servers.
It seems like a gaping security hole to create web service methods like 'UpdateClientProfile(ClientModel Client)' // blah and expose that, since potentially any caller can update a client profile.
If web app A is using forms authentication and calls WCF service B, how do I verify that the user from app A is valid and such?
Should I create WCF services that expose everything, and somehow trust the caller, or is there something better than that?
Also consider WCF service B may not have access to implement any role provider from web app A, since the nature of a WCF service is to share with a broad audience of clients.
Jan 11, 2013 11:25 AM|Specs|LINK
You would have to use transport security with your WCF service.
For more info:
Jan 11, 2013 11:26 AM|kushalrdalal|LINK
You can have a Licensekey and SignatureHash that they have to provide with the method call, and you can validate that in your WCF service: if valid, let them access; otherwise respond that it is not valid.
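
One way the Licensekey/SignatureHash check from the last reply could look, as an added example that is not part of the thread or of WCF itself. It assumes SignatureHash is a Base64 HMAC-SHA256 over the license key, a timestamp and the serialized request body, keyed with a per-client secret shared out of band; the class name, the sample key and the secret are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper, not a WCF API. Assumed scheme:
// SignatureHash = Base64(HMAC-SHA256(secret, licenseKey \n timestamp \n body)).
public static class RequestSignature
{
    // Constructed sample store: license key -> per-client secret.
    static readonly Dictionary<string, byte[]> Secrets = new Dictionary<string, byte[]>
    {
        { "LK-DEMO-0001", Encoding.UTF8.GetBytes("constructed-demo-secret") }
    };
    static readonly TimeSpan MaxSkew = TimeSpan.FromMinutes(5);

    // Used by the client to sign and by the service to recompute.
    public static string Compute(byte[] secret, string licenseKey, string timestamp, string body)
    {
        using (var hmac = new HMACSHA256(secret))
        {
            byte[] data = Encoding.UTF8.GetBytes(licenseKey + "\n" + timestamp + "\n" + body);
            return Convert.ToBase64String(hmac.ComputeHash(data));
        }
    }

    // Called at the top of each service operation before any work is done.
    public static bool IsValid(string licenseKey, string timestamp, string body,
                               string signatureHash, DateTimeOffset now)
    {
        byte[] secret;
        DateTimeOffset sent;
        if (licenseKey == null || body == null || signatureHash == null) return false;
        if (!Secrets.TryGetValue(licenseKey, out secret)) return false;
        // Reject stale or future-dated calls so a captured request cannot be replayed later.
        if (!DateTimeOffset.TryParse(timestamp, CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal, out sent)) return false;
        if ((now - sent).Duration() > MaxSkew) return false;

        byte[] expected = Encoding.UTF8.GetBytes(Compute(secret, licenseKey, timestamp, body));
        byte[] supplied = Encoding.UTF8.GetBytes(signatureHash);
        if (expected.Length != supplied.Length) return false; // length is not secret
        // Constant-time comparison: no early exit on the first differing byte.
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ supplied[i];
        return diff == 0;
    }
}
```

The secret never travels with the call, only the hash does. This check authenticates the calling application, not the end user logged in to app A.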