Tags: c#, authentication, security, wcf

WCF: Web Service Login / Authentication: HowTo?


We have a web service (WCF in C#) that has been used on an intranet until now. Going forward we want to open it up to the internet.
Obviously we are concerned that naughty people cannot access the interfaces. What is the best practice method of ensuring this in WCF? Is it WSS?
I'm presuming some kind of login interface and a returned token that the client must use with every call?


Solution

  • You have basically six options:

    • Windows accounts - great on an intranet, not so great in internet scenarios (built-in, configure only)

    • User name/password against the ASP.NET membership system: you still need to keep a database of valid users; depending on what you want to do, this might work for you (built-in, configure only - you need to keep track of your user base)

    • Certificates on the client machines calling: only those machines that have the right certificates are allowed in; great for a closed user group, not so great in general internet facing scenarios (built-in, configure only)

    • Some kind of a required header - either checked against a database (e.g. "valid header tokens"), or just checked by e.g. calculating a checksum or something - anyone who knows your "secret" header will be able to call in (built-in, needs a little bit of coding to extract and check the header)

    • Some custom solution - you can define your own authentication/authorization scenario, and customize it to your liking; requires some code on your side - but gives you ultimate flexibility (your custom code all the way)

    • No checks - just leave it open to anyone (built-in, configure only)

    WCF guru extraordinaire, Juval Lowy, has a great article in MSDN magazine: Declarative WCF Security - maybe this can give you a few additional hints and pointers. He basically defines five scenarios and discusses his recommended solution for each (and also bakes that stuff into a ready-made, attribute-based declarative framework)
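As an added example (not part of the answer above, and not code from the WCF documentation), here is the second option, "user name/password against your own user store", wired up by hand instead of through ASP.NET membership. The validator class, the in-memory user table with its single constructed credential, the `SecureHostSetup` helper and the `contractType` parameter are all hypothetical; the WCF types (`UserNamePasswordValidator`, `WSHttpBinding`, `UserNamePasswordValidationMode`) are real. It assumes the host is listening on an `https://` base address, because `TransportWithMessageCredential` sends the password inside the message and relies on TLS to keep it confidential:

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical custom validator for the "user name/password" option: the service
// keeps its own user store (here a constructed in-memory sample) and never stores
// plaintext passwords, only a per-user random salt and a PBKDF2 hash.
public class HashedUserNameValidator : UserNamePasswordValidator
{
    private sealed class Record { public byte[] Salt; public byte[] Hash; }

    private const int Iterations = 100000;   // PBKDF2 work factor; tune to your hardware
    private const int HashLength = 32;

    // Dummy record used for unknown user names so that a lookup miss costs the same
    // time as a real verification (no user enumeration via response timing).
    private static readonly Record DummyRecord = Derive("not-a-real-password", null);

    // Constructed sample store; a real service loads this from a database.
    private static readonly Dictionary<string, Record> Users =
        new Dictionary<string, Record>(StringComparer.Ordinal)
        {
            { "alice", Derive("correct horse battery staple", null) }
        };

    private static Record Derive(string password, byte[] salt)
    {
        if (salt == null)
        {
            salt = new byte[16];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        }
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
        {
            return new Record { Salt = salt, Hash = kdf.GetBytes(HashLength) };
        }
    }

    // Compares every byte regardless of where the first mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || password == null)
            throw new FaultException("Unknown user name or incorrect password.");

        Record rec;
        bool known = Users.TryGetValue(userName, out rec);
        if (!known) rec = DummyRecord;

        // Always run the KDF and the full comparison, then decide; one generic
        // message for both failure modes so the fault does not leak which one it was.
        bool match = FixedTimeEquals(Derive(password, rec.Salt).Hash, rec.Hash);
        if (!(known && match))
            throw new FaultException("Unknown user name or incorrect password.");
        // Returning normally authenticates the caller; inside operations the name
        // is then available as ServiceSecurityContext.Current.PrimaryIdentity.Name.
    }
}

// Hypothetical helper that wires the validator into a ServiceHost. Assumes the
// host's base address is https://..., which TransportWithMessageCredential needs.
public static class SecureHostSetup
{
    public static ServiceHost Configure(ServiceHost host, Type contractType)
    {
        // SecurityMode.None here would be the answer's "no checks" option.
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        host.AddServiceEndpoint(contractType, binding, "");

        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new HashedUserNameValidator();
        return host;
    }
}
```

Two things worth knowing when using this: with `WSHttpBinding` the secure session (WS-SecureConversation) is on by default, so the validator runs once when the client establishes the session and later calls ride on the session's security context token, which is close to the "log in, then send a token with every call" pattern the question guesses at; set `binding.Security.Message.EstablishSecurityContext = false` if you want the password checked on every message instead. And a validator only authenticates; deciding which authenticated users may call which operations (authorization) is a separate step, for example `[PrincipalPermission]` on the operations or a `ServiceAuthorizationManager`.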