My question is in regards to the best (aka "least painful") way to secure access to a WCF service that is only exposed to our company's internal users. The goal is to ensure
Please correct me if I am wrong, but:
If you are using forms authentication for your WCF service (on ASP.NET), just add a login method to your service; in it you create the required cookie (FormsAuthentication.Authenticate()), which is automatically sent with the response. The client can then call the stream API without needing extra parameters (a requirement for it to be STREAM), and you can check the identity in the streaming API before you fire off the returning stream.
As for securing access to the whole WCF, I get the feeling that embedding a certificate in the .NET app is one way to go. They would have to ildump your app to get at it.
You can tell ASP.NET/WCF not to provide the WSDL, or more accurately, to not automatically generate the WSDL. Without WSDL access it gets much harder for them to generate a proxy....
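A sketch of the login-then-stream pattern described in the answer above, added here as an example and not code from the original post. The contract, class and file names are hypothetical; it assumes ASP.NET compatibility mode, validates credentials with `Membership.ValidateUser`, and issues the cookie with `FormsAuthentication.SetAuthCookie`.

```csharp
using System.IO;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Security;
using System.Web;
using System.Web.Security;

// Assumed web.config settings (not shown on the page):
//   <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
//   <authentication mode="Forms" /> and a binding with transferMode="Streamed"
//   <serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />  (no auto-generated WSDL)

[ServiceContract]
public interface IReportService   // hypothetical contract name
{
    [OperationContract]
    bool Login(string userName, string password);

    // No parameters, so the operation can use streamed transfer.
    [OperationContract]
    Stream GetReport();
}

[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class ReportService : IReportService
{
    public bool Login(string userName, string password)
    {
        // Validate against the configured membership provider (assumption).
        if (!Membership.ValidateUser(userName, password))
            return false;

        // Issues the forms-authentication ticket as a cookie on this response.
        FormsAuthentication.SetAuthCookie(userName, false);
        return true;
    }

    public Stream GetReport()
    {
        // ASP.NET has already validated the ticket cookie and populated User.
        var user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated)
            throw new SecurityAccessDeniedException("Login required.");

        // Hypothetical file path under the application's App_Data folder.
        return File.OpenRead(HttpContext.Current.Server.MapPath("~/App_Data/report.bin"));
    }
}
```

The client binding needs `allowCookies="true"` so the ticket from `Login` is sent back on the `GetReport` call, and the endpoint should be served over HTTPS so neither the password nor the cookie crosses the network in clear text.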