.NET Forum / ASP.NET / Web Services / August 2007

Internal Web Service

Mantorok - 09 Jul 2007 15:26 GMT
Hi all

ASP.Net v2.0

I'm developing a WS that will be utilised by 1 application.

I don't want anyone to be able to use this web service except the
application, how should I secure the service? Should I perhaps assign a Guid
or something that the application could provide in order to "activate" the
service?

Thanks
Kev
Mr. Arnold - 09 Jul 2007 16:45 GMT
> Hi all
>
[quoted text clipped - 6 lines]
> Guid or something that the application could provide in order to
> "activate" the service?

What's wrong with authentication?

Google is your friend where you can find more information.

http://www.15seconds.com/issue/020312.htm
Mantorok - 09 Jul 2007 20:57 GMT
>> Hi all
>>
[quoted text clipped - 8 lines]
>
> What's wrong with authentication?

That would require our system admins knowing the user id and password, I
need it to be more secure than that.

Kev
Mr. Arnold - 09 Jul 2007 23:02 GMT
>>> Hi all
>>>
[quoted text clipped - 11 lines]
> That would require our system admins knowing the user id and password, I
> need it to be more secure than that.

I don't see how that's possible. If you have a WS that you are writing,
where you can pass a user-id and psw as params, the WS validates the
user-id/psw -- terminates if they are not valid -- and you have an application
you are writing that can have the user-id and psw hard coded to pass to the
WS.

What's the difference between that and passing a GUID, which I would think is
more secure, because you have to pass two pieces of information for
validation?
Steven Cheng[MSFT] - 10 Jul 2007 07:20 GMT
Hi Kev,

For your scenario, you can consider the following means:

** If you can give your only client application a dedicated Windows
account (domain account), you can utilize Windows authentication at your
server side. Just configure IIS to use integrated Windows authentication
and only allow that dedicated user account to access the webservice asmx
file (by NTFS permission).

** Also, if you use Windows authentication, you can manually use code to
check the client's authenticated user identity and determine whether to process or
deny (throw exception) the request.

** As Arnold said, if you do not want to use Windows built-in
authentication, you can pass a custom username/password credential (only
that single client application has it) in your webmethod's parameters and
validate it. You may also consider encrypting these credentials if your
intranet environment's network transfer is not fully trusted.

If you have any further questions or concerns on this, please feel free to
post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

This posting is provided "AS IS" with no warranties, and confers no rights.
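The first two options above (integrated Windows authentication in IIS, then an explicit identity check in code) look like this in an ASP.NET 2.0 asmx service. This is an added example, not code from the thread; the account name, the appSettings key and the method are placeholders, and it assumes IIS has anonymous access disabled and integrated Windows authentication enabled for the .asmx, with `<authentication mode="Windows" />` in web.config.

```csharp
using System;
using System.Configuration;
using System.Security.Principal;
using System.Web.Services;
using System.Web.Services.Protocols;

// Assumed web.config appSettings entry (placeholder account name):
//   <add key="AllowedServiceAccount" value="CORP\svc-internal-ws" />
// IIS does the authentication; this code only decides who is allowed in.
[WebService(Namespace = "http://example.invalid/internalws")]
public class InternalService : WebService
{
    private static string AllowedAccount
    {
        get { return ConfigurationManager.AppSettings["AllowedServiceAccount"]; }
    }

    // Returns the caller's Windows account name, or throws a SoapException
    // when the request is anonymous or comes from any other account.
    private string RequireServiceAccount()
    {
        IPrincipal caller = Context.User;
        if (caller == null || !caller.Identity.IsAuthenticated)
        {
            throw new SoapException("Authentication required",
                                    SoapException.ClientFaultCode);
        }
        string name = caller.Identity.Name;   // e.g. "CORP\svc-internal-ws"
        if (!string.Equals(name, AllowedAccount, StringComparison.OrdinalIgnoreCase))
        {
            // Log the rejected identity server-side; give the caller no detail.
            throw new SoapException("Access denied", SoapException.ClientFaultCode);
        }
        return name;
    }

    [WebMethod]
    public string GetConfidentialReport(int reportId)
    {
        string caller = RequireServiceAccount();
        // Real work goes here; 'caller' is known to be the service account.
        return "report " + reportId + " served to " + caller;
    }
}
```

Restricting the .asmx file's NTFS permissions to the service account, as suggested above, gives the same result one layer earlier; the code check is the fallback for the case where the ACL is misconfigured.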
Mantorok - 10 Jul 2007 10:08 GMT
> Hi Kev,
>
[quoted text clipped - 18 lines]
> If you have any further questions or concerns on this, please feel free to
> post here.

Ok, I guess if that's the best way then I'll do it.

The request is coming from Apache running on Linux, so presumably they would
have to explicitly pass the user id/password to the web-service, however,
where can I store this user id and password so that it's safe?

Thanks
Kev
Steven Cheng[MSFT] - 11 Jul 2007 06:53 GMT
Thanks for your reply Kev,

For username/password pairs, do you mean storing them at the server side and using
them to validate the credentials passed from the webservice client? If so, I
suggest you store them in a configuration file or database, and the configuration file
or database should be secured through file system or database level access
control. Only your server application's running account or a certain
group/role can access it. On the Windows OS, the NTFS permission is necessary.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.
Steven Cheng[MSFT] - 13 Jul 2007 08:32 GMT
Hi Kev,

Any further questions on this? If there is anything else we can help,
please don't hesitate to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

This posting is provided "AS IS" with no warranties, and confers no rights.
Lawrence Kevin - 16 Jul 2007 14:14 GMT
Hi Steven

Well, we've come to the conclusion that we will probably set up a service account
on our Windows Domain. The only thing I'm unsure about is, will the Linux
server that will be accessing my service be able to impersonate that service
account?

Thanks
Kev

> Hi Kev,
>
[quoted text clipped - 40 lines]
Steven Cheng[MSFT] - 17 Jul 2007 04:06 GMT
Thanks for your followup Kev,

As for the Linux servers, are they the client consumers of your internal
ASP.NET webservice? If so, I think the client consumer's OS type won't affect
your server service's running identity. As long as your ASP.NET webservice
is configured to run under a certain Windows domain identity, it can access
further remote resources through this identity's credentials.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.
Steven Cheng[MSFT] - 19 Jul 2007 15:42 GMT
Hi Kev,

Still any questions or anything else need help? If so, please feel free to
post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.
Mantorok - 27 Jul 2007 10:51 GMT
> Hi Kev,
>
> Still any questions or anything else need help? If so, please feel
> free to post here.

Hi Steven

Just one other question, I want the web service to be able to run under a
service account, but I don't want it to be anonymous, so basically the client,
whether on Linux or other, will need to provide those credentials in order
to make use of the service as it's dealing with confidential data.

Does that make sense?

Thanks
Kev
Steven Cheng[MSFT] - 30 Jul 2007 04:12 GMT
Thanks for your followup Kev,

For your new question, I think it depends on the authentication type and
whether your non-Windows client's webservice proxy supports a rich set of
authentication options. Since you want to disable "anonymous" in the IIS server
for the webservice (correct?), that means the client-side webservice
call (proxy) needs to supply credentials for authentication, and IIS
currently supports the following authentication types:

** integrated windows (kerberos or NTLM)
** basic
** digest

So far I think only the "basic" authentication will certainly work for
a non-Windows client; however, since username/password credentials are sent
in cleartext, it is considered unsafe (without using https/ssl).

What's your opinion here?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

This posting is provided "AS IS" with no warranties, and confers no rights.
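For the non-Windows client case discussed above, the third option from earlier in the thread (a custom credential known only to the one client, validated against a value stored in a protected configuration file) can be combined with the HTTPS caveat just raised. This is an added example, not code from the thread; the header name, appSettings keys and method are placeholders, and storing only a SHA-256 digest of the secret in web.config is an extra hardening step beyond what the thread describes.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web.Services;
using System.Web.Services.Protocols;
// Credential carried in a SOAP header rather than in every method's parameter list.
public class ClientCredential : SoapHeader
{
    public string ClientId;
    public string Secret;
}
[WebService(Namespace = "http://example.invalid/internalws")]
public class ReportService : WebService
{
    public ClientCredential Credential;   // filled from the incoming SOAP header
    // Compares without stopping at the first mismatch, so the time taken
    // does not reveal how much of the value matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    // Assumed web.config appSettings (placeholder values); only a hex SHA-256
    // digest of the secret is stored, so reading the file does not yield it:
    //   <add key="ClientId" value="linux-frontend" />
    //   <add key="ClientSecretSha256" value="...64 hex chars..." />
    private static bool CredentialIsValid(ClientCredential c)
    {
        if (c == null || c.ClientId == null || c.Secret == null) return false;
        string expectedId = ConfigurationManager.AppSettings["ClientId"];
        string expectedHash =
            (ConfigurationManager.AppSettings["ClientSecretSha256"] ?? "").ToUpperInvariant();
        byte[] digest = SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(c.Secret));
        string actualHash = BitConverter.ToString(digest).Replace("-", "");
        // '&' rather than '&&': evaluate both comparisons every time.
        return FixedTimeEquals(c.ClientId, expectedId) & FixedTimeEquals(actualHash, expectedHash);
    }
    [WebMethod]
    [SoapHeader("Credential", Required = true)]
    public string GetConfidentialReport(int reportId)
    {
        // A shared secret over plain HTTP is as exposed as Basic auth, so refuse it.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("HTTPS required", SoapException.ClientFaultCode);
        if (!CredentialIsValid(Credential))
            throw new SoapException("Access denied", SoapException.ClientFaultCode);
        return "report " + reportId;
    }
}
```

The Linux client only has to send a SOAP header and connect over HTTPS, which any SOAP library can do, so this avoids depending on NTLM or Kerberos support in the client proxy.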
Steven Cheng[MSFT] - 02 Aug 2007 02:12 GMT
Hi Kev,

Any further question or concerns on this? If so, please feel free to let me
know.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.
Mantorok - 10 Jul 2007 10:09 GMT
>>>> Hi all
>>>>
[quoted text clipped - 21 lines]
> is more secure, because you have to pass two pieces of information for
> validation?

Ok, I see your point, I was just wondering if it would be better to issue
them with a certificate or something so that people couldn't potentially
fire up the web service and access it with the user id and password.

Kev