Home/ Questions/Q 7093337
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T08:25:37+00:00

We are using WCF services. Right now, we are using Windows Auth but this

  • 0

We are using WCF services. Right now, we are using Windows Auth but this is not for long. Some services will sit outside the firewall and use username/password verified in the database.

My tech lead is “scared” at how easy any user can “Add Reference” to the services we have and just party on. He wants to “guard” the services by adding another identity – the application. He wants the service to accept requests from certain applications so the certain users cannot just use the service – add reference to it and call. It’s the notion of the application having an identity + credentials that is the operative principle here, as services on the network may need to authenticate those credentials prior to fulfilling a request, in order to prevent rogue code inside the network (i.e., NOT the application) from accessing services using “Joe User” end-user credentials.

Does this make any sense?

Then he believes the Juval Lowy’s book has, in an Appendix that discusses sending more than one identity during a WCF call (Security Interceptor). There is no specific suggestion that all of those have to be end-user identities and if that is the case, one of those could be the identity of the application making the request.

How can this be done?

Thanks,
Sam

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The problem with sending an application identity is that the secret used to confirm that identity has to be stored somewhere. If it is visible to one application on a machine then generally it will be visible to other applications running under the same identity.

    Would your manager be happy with “it came from an authorised machine”? If that’s the case you could simply use Client Certs

    Its also worth taking a step back: if the user is authenticated and is authorized to perform the functionality they have requested, why do you care which application they came from – if they are who they say they are and they are allowed to do what they are requesting then why couldn’t they use, say, fiddler to make the request – isn’t that the point of a service (rather than a closely coupled client server app)?

    • 0