How to secure my WCF service without changing in client ?

Question

1.00/5 (1 vote)

See more:

Hello,

I have created on wcf service with basicHttpBinding. and i have used this service in more than 10 projects.
due to open metadata (<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>) my service is get hacked and somebody tried to access my service. so my all service metadata is stolen. right now i have disable metadata access. but still they can access my service and steal my data. how may i secure my service with out affecting my all other projects (without changing in clients). i dont want to give all other project's build.

i have a option to change all method's name but i need to change in all referenced project. but its a very difficult task.

Please advice.

Thanks in advance
.

What I have tried:

i have a option to change all method's name but i need to change in all referenced project. but its a very difficult task.

Posted 9-Apr-16 0:20am

PKriyshnA

Updated 9-Apr-16 21:24pm

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Sergey Alexandrovich Kryukov · Answer 1 · 2016-04-09T21:24:00

On the general level this request is generated, it perfectly reduced to the following:

But I was thinking of a plan
To dye one's whiskers green,
And always use so large a fan
That it could not be seen.

Lewis Carroll, The White Knight's Song

The idea to "change name" makes no sense at all. At best, this is what's called Security through obscurity.

As to "a very difficult task", sorry, this is nonsense: Visual Studio changes names on whole solution in no time through its refactoring engine. However, if you have to support already deployed client units, you have to support old name. Then change of the name (not introduction of new name) is not "a difficult task", it's just not a solution. But this is not a solution anyway.

All you need is to follow some simple logic: if you want to trust one client some data, you provide it. I have no idea why you consider your service "hacked". If some downloaded a lot of your data, this is what it is; it happens because you allow to do so. I cannot see any signs of "hacking", unless you provide some convincing evidence.

What to do? The answer is pretty simple: it's fully defined by the required functionality of your service. You have to expose what is needed for this functionality, and nothing else. All talking of "security" is simply irrelevant.

A separate decision is: you either use user authentication or not. If you do, the users having access to the system have to register; other users have no access to anything sensitive.

—SA