Hi there
I've just stumbled upon something and would like to hear that I've
forgotten to do something. I've created a secure webservice using
UsernameTokenOverTransportAssertion. I'm using a
customUsernameTokenManager to authenticate the token as well.
All is well and fine and I can consume the webservice securely via my
client, and if I don't use the proper token it rejects me. However, if I
simply browse to the asmx file I can see my methods and even invoke
some of them.
Is this a hole in the security? What's happening here? And what happens
if someone simply creates a reference to my webservice and only uses
the standard webservice and not the WSE suffixed one?
Any answers would be greatly appreciated!
Thanks
Damian
Pablo Cibraro - 17 Apr 2006 19:20 GMT
Hi Damian,
You have to disable some protocols for the web service,
<system.web>
  <webServices>
    <!-- uncomment for production use -->
    <protocols>
      <remove name="HttpGet"/>
      <remove name="HttpPost"/>
      <remove name="Documentation"/>
    </protocols>
  </webServices>
</system.web>
More information about this on Julie Lerman's blog:
http://www.thedatafarm.com/blog/PermaLink.aspx?guid=a564b67f-6162-460a-a8ee-44b9167938e0
Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax
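An added example, not code from the thread: a small Python audit that replays a web.config's <protocols> block (clear/add/remove, in document order) over an assumed baseline protocol set and reports whether HttpGet, HttpPost or Documentation are still reachable, including the case where the block was left commented out as in the snippet above. The BASELINE set and both sample configs are constructed for the demo; the real baseline comes from machine.config and varies by .NET version.

```python
import xml.etree.ElementTree as ET

# Protocols that let a browser or plain HTTP client reach .asmx methods
# without going through the WSE SOAP pipeline.
RISKY = {"HttpGet", "HttpPost", "Documentation"}
# Assumed machine-wide baseline (constructed for this demo; the real list
# comes from machine.config and differs between .NET versions).
BASELINE = {"HttpSoap", "HttpSoap12", "HttpPostLocalhost", "Documentation", "HttpGet", "HttpPost"}

def effective_protocols(web_config_xml, baseline=BASELINE):
    """Replay <clear/>, <add/> and <remove/> in document order over the baseline."""
    enabled = set(baseline)
    root = ET.fromstring(web_config_xml)
    # XML comments are not elements, so a <protocols> block that is still
    # commented out ("uncomment for production use") changes nothing.
    for protocols in root.iterfind(".//webServices/protocols"):
        for elem in protocols:
            name = elem.get("name")
            if elem.tag == "clear":
                enabled.clear()
            elif elem.tag == "add" and name:
                enabled.add(name)
            elif elem.tag == "remove" and name:
                enabled.discard(name)
    return enabled

def exposed_protocols(web_config_xml):
    """Risky protocols that remain enabled; an empty set means hardened."""
    return effective_protocols(web_config_xml) & RISKY

# Constructed sample configs: the hardened block, and the same block left commented out.
HARDENED = """<configuration><system.web><webServices>
  <protocols>
    <remove name="HttpGet"/><remove name="HttpPost"/><remove name="Documentation"/>
  </protocols>
</webServices></system.web></configuration>"""

COMMENTED_OUT = """<configuration><system.web><webServices>
  <!-- uncomment for production use
  <protocols>
    <remove name="HttpGet"/><remove name="HttpPost"/><remove name="Documentation"/>
  </protocols>
  -->
</webServices></system.web></configuration>"""

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("commented out", COMMENTED_OUT)):
        print(f"{label}: still exposed = {sorted(exposed_protocols(cfg)) or 'none'}")
```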