WCF Security Transport Security Questions

Posted by shyneman on Stack Overflow
Published on 2009-12-07T21:23:16Z Indexed on 2010/04/16 8:03 UTC


I'm writing a set of WCF services that rely on transport security with Windows Authentication using the trusted subsystem model. However, I want to perform authorization based on the original client user that initiated the request (e.g. a user from a website with a username/password). I'm planning to achieve this by adding the original user's credentials in the header before the client sends the message and then the service will use the supplied credentials to authorize the user. So I have a few questions about this implementation:

1) Using transport security with Windows auth, I do NOT need to worry about encrypting the passed credentials again to ensure their validity... WCF automatically takes care of this - is this correct?

2) How does this implementation prevent a malicious service, running under some Windows account within the domain, from sending a message tagged with spoofed credentials? For example, a malicious service replaces the credentials with an Admin user to do something bad.

Thanks for any help.
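One defensive arrangement for question 2, shown as an added example that is not part of this question and not the asker's code: the service honours the original-user header only after checking that the transport-level Windows identity (which WCF authenticates on the channel and which nothing inside the message can alter) belongs to a front-end account it trusts to assert other users. The header name, its namespace and the account name `CORP\svc-web` are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Header name/namespace are assumptions for this example.
static class OriginalUserHeader
{
    public const string Name = "OriginalUser";
    public const string Namespace = "urn:example:trusted-subsystem";

    // Front end: attach the original (web) user's name to the outgoing call.
    // Call inside an OperationContextScope opened on the proxy's channel.
    public static void Attach(string originalUser)
    {
        var header = MessageHeader.CreateHeader(Name, Namespace, originalUser);
        OperationContext.Current.OutgoingMessageHeaders.Add(header);
    }

    // Service: the header is honoured only when the transport-level Windows
    // identity (established by WCF, not by anything inside the message) is a
    // front-end account we trust to assert an original user.
    public static string ResolveOriginalUser(HashSet<string> trustedFrontEnds)
    {
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null
            || !ctx.WindowsIdentity.IsAuthenticated)
            throw new FaultException("Transport-level Windows authentication is required.");

        string caller = ctx.WindowsIdentity.Name;
        if (!trustedFrontEnds.Contains(caller))
            return caller; // any other domain account is authorized only as itself

        MessageHeaders headers = OperationContext.Current.IncomingMessageHeaders;
        int index = headers.FindHeader(Name, Namespace);
        if (index < 0)
            return caller; // trusted front end acting on its own behalf

        string originalUser = headers.GetHeader<string>(index);
        if (string.IsNullOrEmpty(originalUser))
            throw new FaultException("OriginalUser header is present but empty.");
        return originalUser;
    }
}

// Assumed trusted front-end account; in practice this list comes from configuration.
static class TrustedCallers
{
    public static readonly HashSet<string> FrontEnds =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"CORP\svc-web" };
}
```

A service operation would call `OriginalUserHeader.ResolveOriginalUser(TrustedCallers.FrontEnds)` and make its authorization decision against the returned name. Under transport security the custom header travels inside the same protected channel as the rest of the message, but protection in transit says nothing about who set the value, which is why the caller check above is needed.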

© Stack Overflow or respective owner
