Verifying caller/server in WCF

开发者_JS百科My scenario:

• Many WCF clients which are in environments outside of my control
• Server will either be mine OR in an environment outside of my control

So worst case the client and the server is outside of my control. More specifically, I might assume that someone hosting this code could try to maliciously impersonate either the server or the client (the server being more likely). However, the client needs to verify that the server is my code and the server needs to verify that the client is my code. I've seen all the recommendations to use certificates; however, is that an option given my scenario?

One approach I've considered is to write an IClientMessageInspector and an IDispatchMessageInspector to set and verify a custom SOAP header on both sides. I would create an HMAC signature based on a secret key contained within the source code (assume I have a way to keep this hidden) and then verify the digest based on the message body.

I feel like this would work; however, I feel like there might be something more out-of-the-box that I'm missing here. Am I close, way off track? Thanks for any guidance!

Certificates are definitely the way to go in your situation.

Your server will easily be authenticated by clients because it will provide a certificate known to each client, SSL is a good option here.

The server will also be able to authenticate clients by requesting that every client should provide a certificate (server can check for a specific issuer of the certificate - your own issuer in that case).

Now you just need to correctly manage/secure your certificate server to make sure that it won't be compromised.

I don't think there is anything out of the box to do this, simply because it is an unusual requirement for the server to verify that the code on the client calling the service is authorized code.

Generally, it is sufficient to establish trust as follows:

1. Server has a certificate and service uses SSL - this way clients are confident that they are connecting to the correct server machine.
2. Clients provide authentication details (eg username/password, certificate etc) to the server so the server knows the connecting client can be trusted.

You are attempting to go the extra step to verify that not only are the users/machines verified, but also that the code running is verified - this is simply overkill. If the code running is not verified, either:

1. One of the machines has been compromised, in which case you have bigger issues to worry about.
2. One of your users has written code against your service and is using it 'illegally'. This should not be a problem if your service only allows authorized users to perform 'dangerous' operations.