I want to design a WCF service for my client that can be called via the internet from my client’s business partner. What WCF security strategy should I apply so as to prevent the scenario in which the business partner gives his username/password for the service to a competitor of my client, allowing the competitor to call the service such that the service thinks it is the business partner calling? In other words, is there a way in WCF security to verify that the caller of the service is indeed the business partner and not a 3rd party using the business partner’s username/password? Any advice would be much appreciated.
That is usually handled by agreements among partners. Your partner must sign an NDA with $$$ sanctions for providing your confidential information to another party.
People are responsible for securing credentials. You can never secure your service enough to avoid any disclosure of credentials. Even a client certificate can be installed on another machine.
The ways to make this harder go beyond WCF – access lists for IP addresses, VPN tunnels, etc.
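As an added illustration of the IP access-list idea (not code from the answer above), a WCF `ServiceAuthorizationManager` can tie each partner username to the source addresses agreed with that partner, so a leaked password used from elsewhere is rejected. The class name, the `partnerA` username and the addresses are hypothetical, constructed sample values; the sketch assumes username/password authentication where `PrimaryIdentity.Name` is the plain username.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical class: rejects calls whose authenticated username does not
// arrive from a source address registered for that partner.
public class PartnerSourceAuthorizationManager : ServiceAuthorizationManager
{
    // Constructed sample data (documentation address range), not real partner values.
    private static readonly Dictionary<string, HashSet<IPAddress>> AllowedSources =
        new Dictionary<string, HashSet<IPAddress>>(StringComparer.OrdinalIgnoreCase)
        {
            { "partnerA", new HashSet<IPAddress> {
                IPAddress.Parse("203.0.113.10"), IPAddress.Parse("203.0.113.11") } }
        };

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        if (!base.CheckAccessCore(operationContext)) return false;

        // Identity established by the binding's credential validation.
        // Assumption: Name is the bare username (no domain prefix).
        ServiceSecurityContext security = operationContext.ServiceSecurityContext;
        if (security == null || security.IsAnonymous) return false;
        string user = security.PrimaryIdentity.Name;

        // Source address of the transport connection as seen by the service.
        object prop;
        if (!operationContext.IncomingMessageProperties.TryGetValue(
                RemoteEndpointMessageProperty.Name, out prop)) return false;
        var remote = (RemoteEndpointMessageProperty)prop;

        IPAddress source;
        if (!IPAddress.TryParse(remote.Address, out source)) return false;
        // Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; normalise first.
        if (source.IsIPv4MappedToIPv6) source = source.MapToIPv4();

        // Deny by default: unknown users and unlisted addresses both fail.
        HashSet<IPAddress> allowed;
        return AllowedSources.TryGetValue(user, out allowed) && allowed.Contains(source);
    }
}
```

The manager is registered through the `serviceAuthorizationManagerType` attribute of the `<serviceAuthorization>` service behavior. If the service sits behind a reverse proxy or load balancer, the address seen here is the proxy's, so the check then belongs at that layer or on the firewall.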