My question is in regards to the best (aka "least painful") way to secure access to a WCF service that is only exposed to our company's internal users. The goal is to ensure
There's a number of things you could do:
EDIT 2: OK, so the username/password approach seems to get out of hand.... what if you just have basic transport security (SSL) for basic protection, and then use the MessageContract to define header and body of your SOAP message, include a specific value in the header, and then just check for the presence of that element in the header in your service?
Something like that:
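    using System.Runtime.Serialization;
    using System.ServiceModel;

    // Payload carried in the SOAP body; public so the public contract can expose it
    [DataContract]
    public class YourRequestData
    {
        // ... your [DataMember] properties
    }

    [MessageContract]
    public class YourRequest
    {
        [MessageBodyMember]
        public YourRequestData bodyData { get; set; }

        // Sent as a SOAP header and checked by the service
        [MessageHeader]
        public string AppThumbprint { get; set; }
    }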
And then on your server in your code just check for the presence and the validity of that AppThumbprint code:
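    public Stream RequestStream(YourRequest request)
    {
        if (AppThumbprintIsValid(request.AppThumbprint))
        {
            // .... begin your streaming and return the Stream
        }

        // Header missing or invalid: refuse the request
        throw new FaultException("Invalid application thumbprint.");
    }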
That might end up being a lot easier than the username/password security scenario.
Marc
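One way the `AppThumbprintIsValid` check called in the answer above could be written, as an added example that is not part of the original answer. The class name, the allow-list and its sample values are assumptions; the check rejects a missing header and compares in constant time.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper backing the AppThumbprintIsValid call in the answer above.
public static class AppThumbprintValidator
{
    // Constructed sample values; in practice load them from protected configuration.
    private static readonly List<byte[]> AllowedDigests = new List<byte[]>
    {
        Digest("constructed-sample-thumbprint-app-a"),
        Digest("constructed-sample-thumbprint-app-b"),
    };

    public static bool AppThumbprintIsValid(string presented)
    {
        // A request sent without the header deserializes to null: reject it explicitly.
        if (string.IsNullOrEmpty(presented))
            return false;

        byte[] candidate = Digest(presented);
        bool match = false;
        // Check every entry with no early exit, so timing does not reveal which one matched.
        foreach (byte[] allowed in AllowedDigests)
            match |= FixedTimeEquals(candidate, allowed);
        return match;
    }

    // Hashing yields equal-length inputs, so the comparison does not leak the value's length.
    private static byte[] Digest(string value)
    {
        using (SHA256 sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(value));
    }

    // Accumulate differences over the full length instead of returning at the first mismatch.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The header value is a shared secret repeated in every request, so its confidentiality rests entirely on the SSL transport security the answer pairs it with.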