WCF Endpoint Security

For the sake of argument, let's say that I have a basic WCF service. In addition to introducing authentication methods (login / logout), what prevents someone from simply hacking Visual Studio by adding a web link to my site and then playing with my service? I am not familiar with the method to stop someone from doing this. The idea that someone downloads all my Data / Operation contracts and then starts playing keeps me up at night, and I like my dream!

+4
2 answers

Discovery is a factor underlying web services and especially SOA. The ability of anyone who can get to the service to pull out WSDL, create a proxy in Visual Studio (or some other tool), and start using this service is one of the main reasons for creating a web service!

I assume that you could generate all the client proxies and then disable the mex endpoint, but that pretty much cripples WCF, and even then it's just security through obscurity.

If you do not want any attacker to click on your web service, either do not use basicHttpBinding (which is for the explicit purpose of immediate and anonymous consumption), or host the service on a private network that only trusted clients can trust.

+4

Some form of authentication or encryption is the only thing that can prevent this. You must distinguish between those that you want to grant access to and those that you do not. Give the ones you want to receive the certificate needed for encryption, or a username and password.

Do not give anything to others.

+1
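The two answers above as configuration, in an added example that is not part of the original thread: an anonymous `basicHttpBinding` endpoint with public metadata, next to one that requires a username and password over TLS and publishes no metadata. The service, contract and validator names (`Example.OrderService`, `Example.IOrderService`, `Example.AccountValidator`) are hypothetical.

```xml
<!-- BEFORE (constructed fragment): anyone who can reach the URL can pull the
     WSDL, generate a proxy and call every operation without credentials. -->
<system.serviceModel>
  <services>
    <service name="Example.OrderService" behaviorConfiguration="open">
      <endpoint address="" binding="basicHttpBinding"
                contract="Example.IOrderService" />
      <endpoint address="mex" binding="mexHttpBinding"
                contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="open">
        <serviceMetadata httpGetEnabled="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>

<!-- AFTER (constructed fragment): every call must carry a username and
     password, sent inside a TLS-protected channel. Removing the mex endpoint
     only hides the contract; the credential requirement is the access control. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="userNameOverTls">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <service name="Example.OrderService" behaviorConfiguration="authenticated">
      <endpoint address="" binding="wsHttpBinding"
                bindingConfiguration="userNameOverTls"
                contract="Example.IOrderService" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="authenticated">
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
        <serviceCredentials>
          <userNameAuthentication userNamePasswordValidationMode="Custom"
            customUserNamePasswordValidatorType="Example.AccountValidator, Example" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

The hardened endpoint has to be hosted on an `https://` address, because `TransportWithMessageCredential` relies on the transport for confidentiality and integrity.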

Source: https://habr.com/ru/post/1304334/

