What is the simplest effective approach for securing a WCF Web Service built to be a combined DAL/BLL consumed ONLY by a single small ASP.NET web app?
Background:
I am relatively a web development noob, especially when it comes to security.
Current DAL exists as a library in both the web app and an asmx web service, completely home-brewed in VS2003. The authentication/token generation method is called via the web service, but everything else is called directly from the web app. Our DBA is concerned that this is insecure and wants all database access to occur in a web service as well (I'm not in much of a position to question whether this concern/solution is valid in the first place, but if anyone can elaborate on why it is or isn't please do).
I am armed with VS2012 and this is my task. My research has steered me to WCF, and I've already created a test web service, and a test web app that successfully consumes it.
I would suggest discovering the difference between Type-Sharing and DataContract sharing.
But the quickest path is:
Use the NetDataContractSerializer for your DotNet objects that are coming "across the wire". This is the "Type Sharing" serializer. But it will only work when your client is only DotNet (which seems to be your case).
What I would do?
Once that is done.......you'll have "raw" WCF working. Then you can apply your wcf security through configuration.
Here is a good walk through using certificate based security.