I have some web services.

They are used by a Silverlight application and on their own by other apps.

What is the best way to secure these so that hackers cannot access them directly?

Currently they are blocked to localhost only; the Silverlight application calls the web application, and the web application calls the web services itself.

I hate this solution because it adds another layer and there is a performance hit.

I do not want to change the web service code if at all possible.

+1  A: 

Have you tried simply changing the configuration of the service and client to use basicHttpBinding with SSL?

I don't know enough about Silverlight to know if it supports wsHttpBinding, but you might try that as well.

John Saunders
Will this stop the hacker from calling the web service directly or will this just secure the transport?
zachary
No, just secure the transport.
Alexander K.
Unfortunately, Silverlight 2 doesn't support wsHttpBinding. Only built-in ASP.NET mechanisms can be used.
Alexander K.
A: 
  • IIS can be configured to only allow connections from specific IP addresses. I'd configure your web services this way first.
  • Also, if you're using WCF, you can use HTTPS and certificates to manage security right in the WCF endpoint configuration tool.

I would use one or both of these methods myself.

John Weldon
ASP.NET web services can also use HTTPS.
Syed Tayyab Ali
I am currently allowing connections from only certain IPs. I was hoping there was a better way. The problem here is that Silverlight is on the client's machine, so I have to have Silverlight make a web service call to the web server app and then have the web server app make a second call. This doubles web service calls and causes a performance hit that I was hoping to avoid.
zachary
A: 

If you are using ASP.NET and WCF, you can use the built-in ASP.NET authentication and put the ASP.NET authentication required tag on your web services. There is a great screencast about it here.

Correl
A: 

Here's my favorite reference on the subject.

http://timheuer.com/blog/archive/2008/10/14/calling-secure-services-with-silverlight-2-ssl-https.aspx

In short, use basicHttpBinding (or customBinding in Silverlight 3) with https. Works like a charm combined with ASP.NET Application Services. Here's a good overview of Silverlight http security:

http://msdn.microsoft.com/en-us/library/cc838250(VS.95).aspx

James Cadd
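
The combination the answers above describe (basicHttpBinding over HTTPS, plus ASP.NET authentication in front of the service) can be expressed almost entirely in `web.config`. The fragment below is an added example, not configuration from any of the posters; the service name `Example.OrderService`, the contract `Example.IOrderService`, the path `Services/OrderService.svc` and the binding name `secureBasic` are hypothetical placeholders.

```xml
<configuration>
  <system.web>
    <!-- Forms authentication issues the cookie that the Silverlight
         browser HTTP stack sends back with each service call. -->
    <authentication mode="Forms" />
  </system.web>

  <!-- Deny anonymous callers for the service URL only (hypothetical path).
       "?" means unauthenticated users. -->
  <location path="Services/OrderService.svc">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- ASP.NET Application Services: login endpoint, HTTPS only. -->
  <system.web.extensions>
    <scripting>
      <webServices>
        <authenticationService enabled="true" requireSSL="true" />
      </webServices>
    </scripting>
  </system.web.extensions>

  <system.serviceModel>
    <!-- Needed so the .svc request runs the full ASP.NET pipeline and the
         <authorization> rule above is enforced. On .NET 3.5 the service
         class must also opt in with [AspNetCompatibilityRequirements]. -->
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
    <bindings>
      <basicHttpBinding>
        <binding name="secureBasic">
          <!-- Weak setting would be mode="None" (plain HTTP). -->
          <security mode="Transport" />
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="Example.OrderService">
        <endpoint address="" binding="basicHttpBinding"
                  bindingConfiguration="secureBasic"
                  contract="Example.IOrderService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

`mode="Transport"` only protects the channel; it is the `<deny users="?" />` rule, enforced through ASP.NET compatibility mode, that rejects direct calls from clients that have not logged in.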