
.NET Forum / ASP.NET / Web Services / June 2005


How do you secure a web service?

aualias - 11 May 2005 19:05 GMT
I have a Windows Forms application that connects to a WebService. All the
method calls have authentication in the SOAP header. Right now the username
and password are being sent unencrypted, which is not good.  I was thinking
of using SSL, but am slightly concerned about performance.  The data being
passed is not particularly sensitive, we just do not want unauthorized users
accessing the web service.

For this scenario, what is the best method of securing the web service?
SSL?  Encrypt the username/password?  Other.

Thanks.

David
Chad Z. Hower aka Kudzu - 11 May 2005 19:33 GMT
> For this scenario, what is the best method of securing the web service?
> SSL?  Encrypt the username/password?  Other.

SSL is the easiest. Unless you are sending large amounts of data, or high
volumes, you won't notice any difference and it's very easy to implement.

--
Chad Z. Hower (a.k.a. Kudzu) - http://www.hower.org/Kudzu/
     "Programming is an art form that fights back"

Blog: http://blogs.atozed.com/kudzu
aualias - 11 May 2005 20:10 GMT
Chad,

This will be low volume.  I will be sending up to 2 meg of data to the web
service.  Does that sound like a reasonable amount for ssl?

Thanks.

David

>> For this scenario, what is the best method of securing the web service?
>> SSL?  Encrypt the username/password?  Other.
[quoted text clipped - 7 lines]
>
> Blog: http://blogs.atozed.com/kudzu 
Chad Z. Hower aka Kudzu - 11 May 2005 21:42 GMT
"aualias" <aualias@newsgroups.nospam> wrote in news:O5Epb0lVFHA.1452
@TK2MSFTNGP14.phx.gbl:
> This will be low volume.  I will be sending up to 2 meg of data to the
> service.  Does that sound like a reasonable amount for ssl?

SSL will break it into chunks, so it will be fine especially for low volume.
We run one of our major web services on SSL without any troubles.

--
Chad Z. Hower (a.k.a. Kudzu) - http://www.hower.org/Kudzu/
     "Programming is an art form that fights back"

Blog: http://blogs.atozed.com/kudzu
Ravichandran J.V. - 12 May 2005 10:46 GMT
SSL is not the way. You should adopt WSE 2.0, which allows you to maintain
users in a UserNameToken. You could also use ASP.Net's authentication schemes
as XML Web services are part of ASP.Net only.

with regards,

J.V.

> "aualias" <aualias@newsgroups.nospam> wrote in news:O5Epb0lVFHA.1452
> @TK2MSFTNGP14.phx.gbl:
[quoted text clipped - 9 lines]
>
> Blog: http://blogs.atozed.com/kudzu
Chad Z. Hower aka Kudzu - 12 May 2005 12:11 GMT
"Ravichandran J.V."
<RavichandranJV@discussions.microsoft.com> wrote in
news:5DBA74F1-9196-45A8-B47D-B49E606F26EC@microsoft.com:
> SSL is not the way. You should adopt WSE 2.0, which allows you to
> maintain usrs in a UserNameToken. You could also use ASP.Net's
> authentication schemes as XML Web services are part of ASP.Net only.

Many of ASP.NET's authentication schemes are .NET specific, or Windows
specific. This defeats a primary requirement for many deployments.

The user also asked for an easy way and his volumes are very low. SSL can be
implemented simply by installing certs on the server, and changing the URL.

Your recommendation will require him to do a *lot* more than what SSL will
require, and also he'll have to watch out and make sure what he does will
work with clients that are non windows, or are non .NET.

SSL also encrypts his data, but admittedly he said he didn't care about that.
In our case, we need data encryption as well.

--
Chad Z. Hower (a.k.a. Kudzu) - http://www.hower.org/Kudzu/
     "Programming is an art form that fights back"

Blog: http://blogs.atozed.com/kudzu
aualias - 12 May 2005 14:36 GMT
Thanks for the responses.  It seems that SSL would be the easiest to
implement.  If that does not work satisfactorily I can move on to WSE 2.0.
This will be used in a Windows environment, so that is a viable option.

David

> "Ravichandran J.V."
> <RavichandranJV@discussions.microsoft.com> wrote in
[quoted text clipped - 24 lines]
>
> Blog: http://blogs.atozed.com/kudzu 
Chad Z. Hower aka Kudzu - 12 May 2005 21:20 GMT
"aualias" <aualias@newsgroups.nospam> wrote in news:uWccLevVFHA.132
@TK2MSFTNGP14.phx.gbl:
> Thanks for the responses.  It seems that SSL would be the easiest to
> implement.  If that does not work satisfactorily I can move on to WSE 2.0.
> This will be used in a Windows environment, so that is a viable option.

WSE is a "more" precise solution, but will require a lot more of your time
and since you want it quick..... SSL does the job too.

--
Chad Z. Hower (a.k.a. Kudzu) - http://www.hower.org/Kudzu/
     "Programming is an art form that fights back"

Blog: http://blogs.atozed.com/kudzu
aualias - 14 May 2005 21:08 GMT
I figure that I should put my 2 cents in, since I seem to have started this
thing...

Chad is correct in assuming that this project will not be scaled up.  It is
for a small company and we made a fixed bid for the job (which happened to
be much too low - my subtle hint "This looks like a lot more work than you
think" was ignored...).  So, getting it up and running as quick as possible
is my goal.  I do think that SSL should solve the problem adequately.

That said, it appears that I certainly have to become familiar with WSE 2.0
for future development.  I shall take a look at WSE 2.0 to see if I can
implement it in a reasonable amount of time.  I am eating quite a few hours
already, so a few more to get me up to speed on WSE 2.0 may be a very good
investment.

Could anyone point me toward some basic WSE 2.0 examples, or a clear
explanation of the concepts?

Thanks.

David

> "aualias" <aualias@newsgroups.nospam> wrote in news:uWccLevVFHA.132
> @TK2MSFTNGP14.phx.gbl:
[quoted text clipped - 11 lines]
>
> Blog: http://blogs.atozed.com/kudzu 
Chad Z. Hower aka Kudzu - 15 May 2005 09:34 GMT
> Could anyone point me toward some basic WSE 2.0 examples, or a clear
> explanation of the concepts?

Just go to MSDN, and search, there is a lot there.

--
Chad Z. Hower (a.k.a. Kudzu) - http://www.hower.org/Kudzu/
     "Programming is an art form that fights back"

Blog: http://blogs.atozed.com/kudzu
aualias - 17 May 2005 13:58 GMT
Chad,

I have looked there.  What would really help is a general overview of
security concepts as well as WSE 2.0.  Something that would define the terms
used and explain the concepts to someone who does not know much about
security.  Most likely, this would need to be a book, not an article on a
narrow topic.  Any recommendations?

By the way, the more I look into this, the more I am thinking of SSL for
this project.  However, I am also realizing that I need to get up to speed
on the whole security thing.  Better to do it now than later...

David

>> Could anyone point me toward some basic WSE 2.0 examples, or a clear
>> explanation of the concepts?
[quoted text clipped - 6 lines]
>
> Blog: http://blogs.atozed.com/kudzu 
Chad Z. Hower aka Kudzu - 18 May 2005 18:55 GMT
> terms used and explain the concepts to someone who does not know much
> about security.  Most likely, this would need to be a book, not an
> article on a narrow topic.  Any recommendations?

MSDN. :)

On MSDN, just search for WSE 2.0 and it will turn up a whitepaper on it.

> By the way, the more I look into this, the more I am thinking of SSL for
> this project.  However, I am also realizing that I need to get up to
> speed on the whole security thing.  Better to do it now than later...

It just depends on your time and needs. If your project does not bear a huge
load, and especially if time is short SSL is adequate and works well. You can
always change it later with little effect, or just leave it SSL AND add WSE.

We use our own custom SOAP header + SSL. But we need encryption anyways, so
SSL is natural.

--
Chad Z. Hower (a.k.a. Kudzu) - http://www.hower.org/Kudzu/
     "Programming is an art form that fights back"

Blog: http://blogs.atozed.com/kudzu
aualias - 19 May 2005 00:36 GMT
Thanks Chad.  I am going to use SSL.

I have looked at MSDN, but not the white paper - I'll check that out.  I
even built a couple of the samples that came with WSE 2.0.  The problem that
I am having is not being familiar with the terminology and concepts.  I have
no doubt that I could cut and paste code and I could get things working, but
I just cannot make myself do something like that without being very
comfortable with the technology.  As with most of these things, if I keep
playing with it, at some point it will just sink in and I'll wonder how I
could have been confused.

David

>> terms used and explain the concepts to someone who does not know much
>> about security.  Most likely, this would need to be a book, not an
[quoted text clipped - 24 lines]
>
> Blog: http://blogs.atozed.com/kudzu 
aualias - 19 May 2005 18:05 GMT
Chad,

My apologies for being so dense...

I finally took a serious look at MSDN.  I had followed Google links there
for specific items, but I did not bother to look through the table of
contents.  Appears that everything I need is there.

David

>> terms used and explain the concepts to someone who does not know much
>> about security.  Most likely, this would need to be a book, not an
[quoted text clipped - 24 lines]
>
> Blog: http://blogs.atozed.com/kudzu 
William Stacey [MVP] - 13 May 2005 01:33 GMT
FWIW, I would go with WSE 2.0 also.  Gives you a lot of token security
options and encryption options and signatures, etc.
--
William Stacey

> Thanks for the responses.  It seems that SSL would be the easiest to
> implement.  If that does not work satisfactorily I can move on to WSE 2.0.
[quoted text clipped - 31 lines]
>>
>> Blog: http://blogs.atozed.com/kudzu
Chad Z. Hower aka Kudzu - 13 May 2005 13:59 GMT
> FWIW, I would go with WSE 2.0 also.  Gives you a lot of token security
> options and encryption options and signatures, etc.

Yes it does. In fact WSE is fantastic. But you guys are missing one critical
point - the user's requirements. He wants simple - and does not have
scalability issues. He doesn't really care if WSE is fantastic - he has a
simple (probably in house) app of low volume, and has development time
constraints. WSE requires changes and implementation, SSL is a simple toggle
and gets the job done. The "side effects" of SSL this user has already said
he doesn't care about, or feels are a good trade off for expediency.

The major difference between WSE and SSL is WSE secures the message, SSL
secures the connection that SOAP happens to run on. But this user wants fast
- SSL is a lot faster and simpler to implement and once it's implemented, it's
a 2 second toggle to make any webservice use it.

SSL has the drawbacks that it potentially can use more CPU in high loads (but
so will WSE if you use the encryption), and that it won't help if you are not
using point to point. But 90%+ of SOAP is point to point.

I'd recommend C# to any new .NET developer too - but I realize that someone
who has been using VB for 10 years is going to get up to speed faster in
VB.NET.

--
Chad Z. Hower (a.k.a. Kudzu) - http://www.hower.org/Kudzu/
     "Programming is an art form that fights back"

Blog: http://blogs.atozed.com/kudzu
William Stacey [MVP] - 13 May 2005 20:08 GMT
> Yes it does. In fact WSE is fantastic. But you guys are missing one
> critical
> point - the user's requirements. He wants simple - and does not have
> scalability issues. He doesn't really care if WSE is fantastic - he has a
> simple (probably in house) app of low volume, and has development time
> constraints.

I think you're reading more into the question than what was there.  The only
time I saw a ref to "easy" was in his last thread that said "It seems that
SSL would be the easiest to implement."  Moreover, easy is relative.  Easy
for a socket guy may be to use winsock.  For me, WSE is easier for
development because I can use http or TCP and don't have to set up IIS if I
don't want.  I can host WSE service in IIS/HTTP or TCP in my own EXE, or as
a service.  That is easy for me as I can more directly reason about what is
going on and is simple to have two projects - one client and one server and
start and debug them as needed on my laptop without IIS.  I can also decide
which methods require security and what parts (if any) of the message are
encrypted or signed.  Moreover, I can change my token logic to verify
against a DB or Windows accounts within a small override method which gives
me more options.  Also, what is easy in the very beginning of the project
may get very difficult if I have to change directions to WSE anyway because
of something I did not think about in the beginning.  Also with WSE, I could
use SCTs and still get RSA security without needing to deal with certs.  So
I see your point, but there is a lot more that goes into what is easy, IMO,
than just what is fastest at the very moment to see something working.  If
the app will grow beyond very simple (i.e. few methods) and will be long
lived, then I might also consider other options like WSE and weigh the
pros/cons.  Naturally, everyone will have his/her own opinions - which is
good and welcome.

Signature

William Stacey [MVP]

Hayden Young - 16 Jun 2005 11:36 GMT
> I have a Windows Forms application that connects to a WebService. All the
> method calls have authentication in the SOAP header. Right now the username
[quoted text clipped - 9 lines]
>
> David

You could probably just MD5 hash the password. We have a web service
talking to FlashOrb and this works for us. We use a session ID and the
user's password for generating the hash. Because sessions are of a
finite length and are unique the hashed password is only valid for that
particular session.

Don't use SSL to encrypt the whole envelope as this requires overhead
when encrypting and decrypting.
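The UsernameToken Ravichandran refers to and the session-keyed hash Hayden describes are both forms of the WS-Security UsernameToken password digest, Base64(SHA-1(nonce + created + password)), which WSE 2.0 implements; the Python below is an added illustration of that scheme, not WSE's code or any poster's, showing the header a client builds and a server-side check that rejects stale timestamps and reused nonces. The namespaces and digest formula are those of the WS-Security 1.0 UsernameToken profile; the user store, user names and passwords are constructed for the example.

```python
import base64, calendar, hashlib, hmac, os, time
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Constructed sample user store (hypothetical); a real service would look users up in its own DB.
USERS = {"david": "correct horse battery staple"}

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken profile: Base64(SHA-1(nonce + created + password)); the password itself never travels.
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def build_envelope(username: str, password: str, body: str, now: float) -> str:
    # Client side: a fresh random nonce and the current UTC time go into the header with the digest.
    nonce = os.urandom(16)
    created = time.strftime(TS_FMT, time.gmtime(now))
    return (f'<s:Envelope xmlns:s="{SOAP}"><s:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            f'<wsse:Username>{escape(username)}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>'
            f'<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            f'</wsse:UsernameToken></wsse:Security></s:Header><s:Body>{body}</s:Body></s:Envelope>')

def verify(envelope: str, now: float, seen_nonces: set, max_skew: int = 300) -> bool:
    # Server side: recompute the digest; reject unknown users, stale tokens and replayed nonces.
    tok = ET.fromstring(envelope).find(f".//{{{WSSE}}}UsernameToken")
    fields = [tok.findtext(p) if tok is not None else None for p in
              (f"{{{WSSE}}}Username", f"{{{WSSE}}}Password", f"{{{WSSE}}}Nonce", f"{{{WSU}}}Created")]
    if None in fields:
        return False
    username, digest, nonce_b64, created = fields
    try:
        created_ts = calendar.timegm(time.strptime(created, TS_FMT))
    except ValueError:
        return False
    # The freshness window and the one-time nonce are what stop a captured token from being replayed.
    if abs(now - created_ts) > max_skew or nonce_b64 in seen_nonces:
        return False
    password = USERS.get(username)
    if password is None:
        return False
    expected = password_digest(base64.b64decode(nonce_b64), created, password)
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        return False
    seen_nonces.add(nonce_b64)
    return True
```

The digest only protects the password from being read in transit; without SSL the body is still visible, which is the message-versus-connection distinction Chad draws above.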

©2008 Advenet LLC   Privacy Policy - Terms of Use