Do I need security between my ASP.net application and WCF service?

[I know this is quite subjective and depends on various considerations, so I just finish the ideas to understand what people think about this issue and what considerations they take ...]

We have an asp.net application open (requires username and password authentication), which in turn uses a set of WCF services in reverse order.

I am trying to decide what binding to use for these services, more specifically what security elements, if any, we should use.

All applications (web interface and all services) are on the same server farm behind a firewall, which blocks all access to services other than the web application. Under these conditions, would you say that it does not have any security features (and therefore has improved performance)?

For the sake of completeness, I would say that we expect to introduce some services at some point, but this will be done through a different endpoint with a different address, using highly secure elements including a federated ID for authentication.

0




2 answers


Security is a wall. The more walls the better.

This is why we have secure database passwords that are internal but accessible from web applications, and why we encrypt sensitive data in those databases.



If security isn't going to be a big pain, add it.

+1




You should also use your services to protect the username and password, for example with digest authentication, etc. The username and password that will be provided will be inside your application. Thus, you increase the level of security.



0
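
An added example, not part of the original question or answers: the two choices the question weighs, written as WCF service configuration. It assumes `netTcpBinding` between the web application and the services and Windows domain accounts on the farm; the binding names, service name, contract and address are hypothetical.

```xml
<!-- Service-side Web.config / App.config fragment (illustrative names throughout) -->
<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <!-- Option 1: no binding security. Messages cross the farm network in
           clear text and the service cannot tell who is calling it; the
           firewall is the only control. -->
      <binding name="InternalNoSecurity">
        <security mode="None" />
      </binding>

      <!-- Option 2: transport security. The caller is authenticated with its
           Windows identity and the stream is signed and encrypted, so a host
           that gets behind the firewall still cannot read or forge calls. -->
      <binding name="InternalTransport">
        <security mode="Transport">
          <transport clientCredentialType="Windows"
                     protectionLevel="EncryptAndSign" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>

  <services>
    <!-- Hypothetical service and contract names -->
    <service name="Example.Services.OrderService">
      <endpoint address="net.tcp://localhost:8081/orders"
                binding="netTcpBinding"
                bindingConfiguration="InternalTransport"
                contract="Example.Services.IOrderService" />
    </service>
  </services>
</system.serviceModel>
```

The web application's client endpoint has to reference a binding with the same security settings, otherwise the channel fails to open.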








