tags:

views:

160

answers:

3
+1  Q: 

ASP.NET Web Service Security

I've built ASP.NET Web Services in the past that either were publicly consumed, or used Windows Authentication. I now need to build a Web Service that uses the SOAP 1.1 protocol and it needs to be secured with a username and password from the caller.

It seems setting up the infrastructure for WCP is overkill for one or two Web Services. Any other suggestions? I was also thinking of using ASP.NET 4.0 Beta, if anyone has explored that for this scenario, it would be helpful to know your opinion.

Thanks in advance for your suggestions.

+4  A: 

The simple way is to create a special header that carries the auth info for every call and authenticate/authorize the user that way

Here's some sample code: http://aspalliance.com/805_Soap_Headers_Authentication_in_Web_Services

Note that in this way you are sending clear text username and password so you would want to use ssl or use some kind of digest authentication

Jaime  2009-07-28 20:52:29
If the consuming client uses a library, such as PHP SOAP, will they be able to write to the header easily through the library?
Josh  2009-07-28 20:58:40
I haven't done it in PHP but I think as long as the library supports custom headers, there shouldn't be a problem
Jaime  2009-07-28 21:09:03
A: 

There are different ways of doing this. One could be enabling access to a specific sets of IPs. If the IP doesn't match one of the lists then you could easy reject the call at method's level.

Otherwise, you could create another method that would return a token and then make all the relevant methods to expect that token in return in order to process the request.

ntze  2009-10-15 18:00:04
A: 

Use SSL. Force everyone who consumes your webservice to use https.

        //Check for Secure Channel: HTTPS
        if (!Context.Request.IsSecureConnection) 
            return "The HTTP Connection must use Secure Sockets (HTTPS)";
jinsungy  2009-10-15 18:10:29

related questions

Displaying Version Information in a Web Service
Example Web Service
SoapException: Root element is missing occurs when .NET web service called from Flex
Best practice for webservices
What is your preferred method of sending complex data over a web service?
.Net - Returning DataTables in WCF
Is it possible to return objects from a WebService?
How much extra overhead is generated when sending a file over a web service as a byte array?
Returning Large Results Via a Webservice
File Uploads via Web Services
best way to persist data in .NET Web Service
What is the difference between an endpoint, a service, and a port when working with webservices?
Calling REST web services from a classic asp page
Best way to write a RESTful service "client" in .Net?
Where can I find some good WS-Security introductions and tutorials?
ASP.NET Web Service Results, Proxy Classes and Type Conversion
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
Document or RPC based web services
How to easily consume a web service from PHP
Timer-based event triggers
How to pass enumerated values to a web service
Homegrown consumption of web services
How do I print an HTML document from a web service?
How do I fill a DataSet or a DataTable from a LINQ query resultset ?