How are RESTful WCF services secured so that only the calling application can call them?

I have an application that uses Silverlight and ASP.NET as a front-end. It retrieves data from the server by calling some RESTful WCF services that are ho开发者_JS百科sted there. I'd like to prevent the curious user from opening up a new browser window and calling the web service themselves. Is there a way to restrict access to the web services to a specific application?

Thanks!

You can use HTTPS to secure the endpoint and require authentication. You can put an obnoxiously long secret key embedded in the code. Unfortunately, System.Security.Cryptography is not in the SL install, so no encrypt on server/decrypt on client capabilities. And there's no reason the user couldn't just use something like reflector to read the code anyway.

SL can be made "mostly securish", but definitely not secure.

If you're truly interested in securing your web services, you should think about migrating from RESTful services to SOAP Based Web Services and implementing the WS-Security standard for Message based Encryption.

You can then secure your services so only clients that have the proper security information (be in username/password or X.509 certs) can call your web services.

Update

As you can see...I've removed X.509 as an option. I blanked for a moment and forgot the WS-Security limitations in Silverlight. The good news is that you can implement username tokens based on the WS-Security standard in Silverlight:

Implementing Username Password & WS-Security with Silverlight

Here's the guide of the Patterns & Practices team for WCF Security. There's a lot to be found there.

http://www.codeplex.com/WCFSecurityGuide

No there's not.