 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / ASP.NET / Web Services / October 2004Securing web service
Hi How can I make sure that no one else can call and receive data from my web methods? Thanks Regards Turn the server off. > Hi > [quoted text clipped - 4 lines] > > Regards That was a nice joke. LOL. Well, I assume that you don't want to give access to your webservice to the unauthorized users. 1.Use sessions in your web methods in application layer 2.Use SSL in transport layer More can be found under http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/S ecNetch10.asp http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cp conUsingSOAPHeaders.asp Regards, R.Balaji > Turn the server off. > [quoted text clipped - 6 lines] > > > > Regards You could only send the wsdl defining your service to the people who are entitled to use it, i.e. Don't publish the WSDL which would include endpoint details etc. Additionally you could look at implementing WS-Security frim MS. This would validate any user who tried to use your service. The implementation is very straightforward.. Search for "WS-Security Authentication and Digital Signatures with Web Services Enhancements" in msdn. > Hi > [quoted text clipped - 4 lines] > > Regards I've always put a username / password params in each of my web methods. I then validate the user on each method call, and THEN do the real work of the web method. You can authenticate that username / password against a hardcoded value, a database value, or a web.config value. Michael > Hi > [quoted text clipped - 4 lines] > > Regards Your username/password can be viewed by attacker, if your transport is HTTP. Then he can do something else after obtain username/password. He can also changed the request message with know what's the meaning of original message, withoud detected by your web service. Best way is to go with SSL using client certificate as security token, to encrypt and sign message. search WSE in MSDN. > I've always put a username / password params in each of my web methods. I > then validate the user on each method call, and THEN do the real work of the [quoted text clipped - 13 lines] > > > > Regards > How can I make sure that no one else can call and receive data > from my web methods? Rather than hardcoding security logic into your applications (as described in separate answers in this thread) you can use a separate SOAP Firewall that allows you to - integrate security transparently (i.e. without modifying application code) even in multi-vendor deployments - manage your security policies centrally, using a professional admin console GUI You may want to take a look at Xtradyne's WS-DBC (Domain Boundary Controller), which delivers comprehensive security and enterprise- grade performance. See http://www.xtradyne.com for more info. Regards, Gerald.  SignatureDr. Gerald Brose mailto:brose@xtradyne.com Xtradyne Technologies http://www.xtradyne.com Schoenhauser Allee 6-7, Phone: +49-30-440 306-27 D-10119 Berlin, Germany Fax : +49-30-440 306-78 Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.