tags:

views:

100

answers:

6
+5  Q: 

Protecting Web Services

I've got a WebService project that we've created to expose some methods to our clients (specifically if they call one of the methods it will trigger an event on our servers) that they can call in their own C# projects (some clients will be doing web form apps and some will be doing it on their internal site).

Due to the nature of the method, one of the parameters is a string which identifies who the client is (so we can trigger the appropriate event) and I'm not overly confident this is enough to prevent people from sending random data until they stumble upon one of the valid identifiers.

What is the standard way of protecting something like this from abuse? Most of the tutorials I find don't seem to mention anything about keeping them secure. Thanks!

+1  A: 
Daniel Vassallo  2009-12-17 20:30:39
+1  A: 
  1. Using a username and password should be good.
  2. If you know the clients IP address of the machines that will call webservice, restrict the URL to only to the known IPs.
Harun Prasad  2009-12-17 20:34:00
A: 

Authentication is usually handled using SOAP headers, see this MSDN page.

This codeguru article gives an example although it's quite old.

Marc  2009-12-17 20:35:22
A: 

as part of the protocol you may send a random number to the client. The client then salts the Identifier with that random number and Hashes the combined value. You may return that combined value back to the server.

Server then computes the same ID+Number hash and verifies the two values.

kevin  2009-12-17 20:36:56
A: 

This is efectively a password... except wait no its a user name and password in one field.

There is no technical reason per se why you shouldn't combine a username and password into one field but by convention oin the absence of additional secret keys they are two fields.

This is for three business reasons:

  • The account identity can be discussed unambiguously between people that should know the user identity (user name?!) but not possess the password

  • It is easiest in law to prove unauthorised access, should this ever be necessary, if the access protocol is conventional because then case law is more likely to apply and the situation is more likely to be clear cut (and to lead to smaller legal bills!). Not having a user name on a public network for a commercial system is not unheard of and in some systems is a good idea (but generally it just plain isn't... a good idea).

  • Guidelines on best practice in security generally and specific processes assume you use a user name and password rather than a combined field where possible. It may make it harder to formulate consensus policies down the line.

The password (or the password portion if you go with a combined username/password string) will be subject to all the usual recommendations on security regarding change policy, non-disclosure, complexity and length. I suggest you use SSL and WS-Security as well, to be as conventional in the security area as possible. You probably need encryption on the wire.

EDIT

I meant to write TLS not SSL.

EDIT

Sorry no I meant either TLS or WS-Security.

martinr  2009-12-17 20:42:40
+2  A: 

Daniel Vassallo is correct. You will want to use a X509 certificate to verify that the person calling the service is legitimate. However this does raise the complexity of the solution a lot. You will want to use Microsoft WSE and likely a purchased 3rd party component.

Without that, you can use a user name and password passed in. However, there would need to be some shared algorithm to hash the information based on date, time, etc.. without the hash, you open yourself up to a hack much more than not. Even with SSL, as a dictionary attack could eventually break in.

Clarence Klopfstein  2009-12-17 20:48:59
.NET 3.0 onwards abandon WSE for the built in bits. And you wouldn't really need a 3rd party component. What you would need is a certificate validation mechanism, or your own cert server with which to issue certs.
blowdart  2009-12-17 21:04:51

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?