How do I securely authenticate the calling assembly of a WCF service method?

Posted by Tim on Stack Overflow See other posts from Stack Overflow or by Tim
Published on 2010-06-14T08:56:34Z Indexed on 2010/06/18 9:13 UTC
Read the original article Hit count: 477

Filed under:
|
|
|

The current situation is as follows: We have an production .net 3.5 WCF service, used by several applications throughout the organization, over wsHttpBinding or netTcpBinding. User authentication is being done on the Transport level, using Windows integrated security. This service has a method Foo(string parameter), which can only be called by members of given AD groups. The string parameter is obligatory.

A new client application has come into play (.net 3.5, C# console app), which eliminates the necessity of the string parameter. However, only calls from this particular application should be allowed to omit the string parameter. The identity of the caller of the client application should still be known by the server because the AD group limitation still applies (ruling out impersonation on the client side).

I found a way to pass on the "evidence" of the calling (strong-named) assembly in the message headers, but this method is clearly not secure because the "evidence" can easily be spoofed. Also, CAS (code access security) seems like a possible solution, but I can't seem to figure out how to make use of CAS in this particular scenario.

Does anyone have a suggestion on how to solve this issue?

Edit: I found another thread on this subject; apparently the conclusion there is that it is simply impossible to implement in a secure fashion.

© Stack Overflow or respective owner

Related posts about c#

Related posts about wcf