I am brand new to WCF. Never created one before. I have been asked to create a proof of concept for our team, and the spec is: “We need a method of securing and locking down our webservices so that the communication is secure, and the call can be authenticated to be from a valid client.”
That’s it. We have a few sub systems that speak to each other with unauthenticated WCF calls, I believe. They want this to be locked down, using a token or ‘shared key’.
I’d like to create a small console app, which acts as a web service server, and then a client console app, which speaks to it, and it looks like a good approach would be using extra headers (I read that on here somewhere) and IClientMessageInspector (??). Does this seem like a valid kick off?
But I am new to WCF.. and have no idea what IClientMessageInspector is. It seems like I can make a custom method there to check for tokens or something in the WCF call?
I would like an example, but am battling to find out, and the terminology is killing me. Hopefully someone can assist.
Easiest route is using BasicHttpBinding with transport security (SSL), each client can have its own (or a shared) certificate which is used for authentication and your data is encrypted as well (SSL).
Only clients with a known certificate will be able to call the service. Here is a good article on the subject: BasicHttpBinding with Client Certificate
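As an added illustration of the setup this answer describes (example code, not from the question, the answer, or the linked article): a self-hosted service on BasicHttpBinding with transport security that requires a client certificate and accepts only certificates on an explicit thumbprint allow list. The contract, service name, port and thumbprint value are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IPingService { [OperationContract] string Ping(string text); }

public class PingService : IPingService { public string Ping(string text) { return "pong: " + text; } }

// Accepts only client certificates whose thumbprint is on an explicit allow list.
// (PeerTrust would instead accept any certificate placed in the TrustedPeople store.)
public class KnownClientValidator : X509CertificateValidator
{
    // Hypothetical value: replace with the real thumbprint(s) of your client certificate(s).
    private static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "CLIENT_CERT_THUMBPRINT_PLACEHOLDER" };

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null || !Allowed.Contains(certificate.Thumbprint))
            throw new SecurityTokenValidationException("Client certificate is not on the allow list.");
    }
}

class Program
{
    static void Main()
    {
        // Transport security = HTTPS. Requiring a client certificate gives mutual TLS:
        // the channel is encrypted and every call is tied to a known client identity.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

        // Self-hosted HTTPS needs the server certificate bound to the port beforehand
        // (e.g. with "netsh http add sslcert"); WCF does not do that for you.
        var host = new ServiceHost(typeof(PingService), new Uri("https://localhost:8443/ping"));
        host.AddServiceEndpoint(typeof(IPingService), binding, "");

        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new KnownClientValidator();

        host.Open();
        Console.WriteLine("Listening on https://localhost:8443/ping - press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

On the client side the matching step is to attach the certificate with `factory.Credentials.ClientCertificate.SetCertificate(...)` on a `ChannelFactory<IPingService>` built with the same binding; a client without an allow-listed certificate is rejected during the TLS handshake or by the validator before `Ping` ever runs.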