
How to use anti forgery token with ajax wcf service


I have an ASP MVC website that is using a WCF service via Ajax in JSON encoding. Is there any built-in way to use an anti-forgery token with Ajax <--> WCF service?

Here is how it's used in ASP MVC apps. http://weblogs.asp.net/dixin/archive/2010/05/22/anti-forgery-request-recipes-for-asp-net-mvc-and-ajax.aspx


Solution

  • The anti-forgery token, I'm sure you're aware, is available by default in the MVC framework; you are using Ajax to WCF, which really doesn't have anything to do with MVC except for the concept you're outlining.

    You're going down a long road to provide a secure Ajax call via an MVC view to a WCF service.

    First you'll need to use an Ajax anti-forgery token implementation, please see below for links. You'll also need a database to manage your WCF tokens with an expiration date.

    You'll need on load to dump out the WCF token and on every WCF request pass the token. The token will be validated against the database. If the token has expired you'll need to do another Ajax request with the Ajax anti-forgery token to generate a new WCF token, return the token and use this in your WCF Ajax request.

    In conclusion you'll have two tokens: one to validate your Ajax requests to your MVC controllers and the other for WCF requests. This approach will provide you with a secure request model to decrease the chance of a CSRF.

    more about CSRF: http://www.troyhunt.com/2010/11/owasp-top-10-for-net-developers-part-5.html

    MVC Ajax anti-forgery token: http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

    Hopefully this helps.
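The two-token scheme described in this answer, as an added C# sketch that is not from the original post: a hypothetical in-memory store stands in for the database, `TokenController.Wcf` is the anti-forgery-protected MVC action that issues a WCF token, and `WcfTokenInspector` checks the `X-WCF-Token` header on every WCF request. All class, action and header names are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Web;
using System.Web.Mvc;

// Hypothetical in-memory store standing in for the database the answer calls for.
// Tokens are not tied to the issuing user here; the real table should record that too.
public static class WcfTokenStore
{
    private static readonly ConcurrentDictionary<string, DateTime> Tokens = new ConcurrentDictionary<string, DateTime>();
    // Issue a fresh random token and record when it stops being valid.
    public static string Issue()
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        var token = Convert.ToBase64String(bytes);
        Tokens[token] = DateTime.UtcNow.AddMinutes(20);
        return token;
    }
    // True only for a known token whose expiry has not passed.
    public static bool IsValid(string token)
    {
        DateTime expires;
        return !string.IsNullOrEmpty(token) && Tokens.TryGetValue(token, out expires) && expires > DateTime.UtcNow;
    }
}
// MVC action the page calls on load (and again when a token expires); [ValidateAntiForgeryToken]
// makes the MVC anti-forgery token the gate for obtaining a WCF token.
public class TokenController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public JsonResult Wcf() { return Json(new { token = WcfTokenStore.Issue() }); }
}
// WCF side: a message inspector that rejects any request lacking a valid X-WCF-Token header.
public class WcfTokenInspector : IDispatchMessageInspector
{
    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext ctx)
    {
        // The HTTP request property is always present when the service is hosted over HTTP.
        var http = (HttpRequestMessageProperty)request.Properties[HttpRequestMessageProperty.Name];
        if (!WcfTokenStore.IsValid(http.Headers["X-WCF-Token"])) throw new WebFaultException(HttpStatusCode.Forbidden);
        return null;
    }
    public void BeforeSendReply(ref Message reply, object correlationState) { }
}
```

The inspector still has to be attached to the service endpoint through an IEndpointBehavior (wiring omitted here), and the browser-side Ajax code must send the issued value in the `X-WCF-Token` header and re-request one when it gets a 403.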