Securing WCF so that it can only be called by Silverlight

I am writing a Silverlight application that will read and write data to a server database through some WCF web services.

What is the best way to protect these web services?

My goal is to make sure that services cannot be called by other applications and potentially spam requests to add items to the database. A Silverlight application must have access to them.

+3
2 answers

In general, you cannot assume anything about the client. If you try to keep applications other than Silverlight off your site, an attacker can easily pretend to be a Silverlight application, and you will be back at square one.

That is, this is not an effective way to protect the server. To protect your server, assume that any and all clients will hit your site, and start from there.

Edit:

Let me amend this by saying that if you want to get into the world of mutual authentication, you can set up a PKI to manage certificates, issue user certificates to all your users, and then you know who your users are. However, one of them can be malicious (and talented) and present the certificate from another client.

+4
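A sketch of the server-side approach the answer above points to, as an added example that is not part of the original post: the operation never checks what software is calling, only who the authenticated user is, and it bounds what that user can write. The names `IItemService`, `ItemService`, `AddItem` and both limits are hypothetical; it assumes the service is hosted in IIS with `aspNetCompatibilityEnabled="true"`, that users sign in through ASP.NET authentication, and that the endpoint is served over HTTPS.

```csharp
using System;
using System.Collections.Concurrent;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Web;

[ServiceContract]
public interface IItemService
{
    [OperationContract] void AddItem(string name);
}

// Hypothetical service: authorizes the authenticated user, never the client software.
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class ItemService : IItemService
{
    private const int MaxAddsPerMinute = 10;   // assumed per-user quota
    private const int MaxNameLength = 100;     // assumed input limit
    private static readonly ConcurrentDictionary<string, Window> Windows = new ConcurrentDictionary<string, Window>();
    private static readonly ConcurrentQueue<string> Items = new ConcurrentQueue<string>(); // stand-in for the database

    public void AddItem(string name)
    {
        // Identity comes from the ASP.NET authentication ticket, which the server validates.
        // Headers such as User-Agent or Referer are caller-controlled and are not consulted.
        var user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated)
            throw new FaultException("Authentication required.");
        // Validate on the server even if the Silverlight UI already validates.
        if (string.IsNullOrWhiteSpace(name) || name.Length > MaxNameLength)
            throw new FaultException("Invalid item name.");
        // A legitimate account can still flood the database, so cap writes per user.
        if (!TryConsume(user.Identity.Name))
            throw new FaultException("Rate limit exceeded.");
        Items.Enqueue(user.Identity.Name + ":" + name);
    }

    // Fixed one-minute window counter per user name.
    private static bool TryConsume(string userName)
    {
        var now = DateTime.UtcNow;
        var w = Windows.GetOrAdd(userName, _ => new Window { Start = now });
        lock (w)
        {
            if (now - w.Start > TimeSpan.FromMinutes(1)) { w.Start = now; w.Count = 0; }
            return ++w.Count <= MaxAddsPerMinute;
        }
    }

    private sealed class Window { public DateTime Start; public int Count; }
}
```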

, , Silverlight.

, , : , , , . ( ) , , , .

:

  • . - ? SSL.
  • . -, ? (Forms Auth, ). Silverlight ( , Silverlight), WCF. , SSL ( , ) .
+8

Source: https://habr.com/ru/post/1711399/
