WCF Security Transport Security Questions
Posted
by shyneman
on Stack Overflow
See other posts from Stack Overflow
or by shyneman
Published on 2009-12-07T21:23:16Z
Indexed on
2010/04/16
8:03 UTC
Read the original article
Hit count: 752
wcf-security
|wcf
I'm writing a set of WCF services that rely on transport security with Windows Authentication using the trusted subsystem model. However, I want to perform authorization based on the original client user that initiated the request (e.g. a user from a website with a username/password). I'm planning to achieve this by adding the original user's credentials in the header before the client sends the message and then the service will use the supplied credentials to authorize the user. So I have a few questions about this implementation:
1) using transport security with windows auth, I do NOT need to worry about again encrypting the passed credentials to ensure the validity... WCF automatically takes care of this - is this correct?
2) how does this implementation prevent a malicious service, running under some windows account within the domain, to send a message tagged with spoofed credentials. for e.g. a malicious service replaces the credentials with an Admin user to do something bad?
Thanks for any help.
© Stack Overflow or respective owner