views: 154

answers: 5
I have a web site with users and their data accordingly.

What is the safest way to implement web services / API such that users' login credentials and in turn data are secure? OAuth isn't really an option, because usage will not necessarily be in other web apps.

My concern is that having the username and password as an input is dangerous to be transmitted plainly, and a token could also be stolen and reused maliciously.

Do I need to come up with my own method of encrypting and decrypting data, or is there a common practice(s) already in use?

The whole point is that it's as open as possible for anyone in the world to use, but safe by definition nonetheless. Documentation will be available to everyone to use.

+2  A: 

What about using an SSL connection?

Kevin
+3  A: 

Don't write your own encryption.

What is wrong with a bit of SSL? With "regular" WSDL/SOAP clients (asmx), it isn't uncommon to use a SOAP header for this (over SSL).

With WCF, this is formalised into TransportWithMessageCredential (just search). Of course, you could use certificates, federation, Kerberos, etc...

In addition to transport security (SSL), WCF also supports message-based security - with the added feature that you can encrypt just the security headers. Personally, I like to keep it simple, with TransportWithMessageCredential (i.e. SSL).

Marc Gravell
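
A WCF service configuration for the TransportWithMessageCredential mode named in the answer above, as an added example that is not part of the original answer. The service, contract and validator type names and the base address are hypothetical placeholders.

```xml
<!-- Added example: SSL transport plus a username/password credential in the SOAP header. -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- Weak setting for contrast: <security mode="None" /> sends credentials
           and data in clear text and performs no authentication. -->
      <binding name="secureBinding">
        <!-- HTTPS protects the channel; the credential travels in a
             WS-Security header inside the encrypted transport. -->
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>

  <behaviors>
    <serviceBehaviors>
      <behavior name="secureBehavior">
        <serviceCredentials>
          <!-- Hypothetical validator type: checks the username and password
               against the site's own user store. -->
          <userNameAuthentication
              userNamePasswordValidationMode="Custom"
              customUserNamePasswordValidatorType="Example.SiteUserValidator, Example" />
        </serviceCredentials>
        <!-- Publish the WSDL over HTTPS only, never over plain HTTP. -->
        <serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>

  <services>
    <service name="Example.UserDataService" behaviorConfiguration="secureBehavior">
      <host>
        <baseAddresses>
          <!-- Constructed address; an https base address is required for this mode. -->
          <add baseAddress="https://api.example.com/UserData" />
        </baseAddresses>
      </host>
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="secureBinding"
                contract="Example.IUserDataService" />
    </service>
  </services>
</system.serviceModel>
```
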
+4  A: 

There's always the WS-Security standard:

WS-Security (Wikipedia)

.NET has its implementations in .NET 1.1 and .NET 2.0 via the Microsoft Web Service Enhancements:

WSE 2.0 (.NET 1.1)
WSE 3.0 (.NET 2.0)

It provides various methods of encrypting the SOAP Envelope before it is sent over the wire, safely transmitting the data inside.

Justin Niessner
you beat me to it... +1 ;-)
fretje
A: 

Why don't you use the standard WS-Security for that?

Edit: Just want to add to Justin's answer, that it is also implemented in WCF.

fretje
A: 

Any authentication method that's shared with a 3rd party is open to exploitation; you have to draw a line somewhere. Using HTTP/S and WS-* services to secure the connection is probably your best approach. If the service is only going to be accessed by known systems with fixed IP addresses, then use firewalling to further secure your box from external interference.

Lazarus
Open with documentation supporting it.
Theofanis Pantelides