Hi,

As the title already explains, I want to secure my web service. I've read that you can do this using a SOAP authentication header, but then the username and password are passed as plain text.

I was wondering what I should do to secure my web service. Examples would be great.

I have an example from a company we work with that has 2 web services: one to do the security and one to get the needed data. I don't have their side of the code, but the system looks great though:

bool loginSuccessFull = false;

// Credentials for the partner's ("knooppunt") security web service come from config
string loginID = ConfigurationManager.AppSettings["WebServiceLogin"];
string password = ConfigurationManager.AppSettings["WebServicePass"];


// 1. The security service proxy is created and initialised. The cookie container
//    keeps the session cookie the service sets once the login succeeds.
Security securityService = new Security();
securityService.CookieContainer = new System.Net.CookieContainer();


// The service returns a one-time challenge for this login ID; the client answers
// with SHA1(password + challenge), so the password itself never crosses the wire.
string challenge = securityService.InitializeLogin(loginID);
string response = password + challenge;


// Encoding.Default is the machine's ANSI code page, so the bytes hashed here depend
// on the server's locale; both sides must agree on the encoding for the digest to match.
System.Security.Cryptography.SHA1CryptoServiceProvider SHA1 = new System.Security.Cryptography.SHA1CryptoServiceProvider();
SHA1.Initialize();
byte[] hash = SHA1.ComputeHash(System.Text.Encoding.Default.GetBytes(response));

// Hex-encode the digest: lower case, two characters per byte
System.Text.StringBuilder builder = new System.Text.StringBuilder();
foreach (byte b in hash)
    builder.Append(b.ToString("x2"));

// 2. A login is done with the security service using the hashed response
if (securityService.Login(builder.ToString()))
{
    string ssoToken = Request.QueryString["SSOTOKEN"];
    string ssoID = Request.QueryString["SSOID"];
    if (!String.IsNullOrEmpty(ssoToken) && !String.IsNullOrEmpty(ssoID))
    {
        // 3. Check with the SSO web service whether the token is valid. It reuses
        //    the cookie container, so the call is made inside the authenticated session.
        Knooppunt.SSO.GenericSSO sso = new Knooppunt.SSO.GenericSSO();
        sso.CookieContainer = securityService.CookieContainer;
        try
        {
            if (sso.validateSSOToken(Convert.ToInt32(ssoID), ssoToken))
            {
                loginSuccessFull = true;
                FormsAuthentication.RedirectFromLoginPage("default user", false);
            }
        }
        catch
        {
            // A non-numeric SSOID or a failed service call leaves the user logged out
        }
    }
}
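The challenge-response scheme the snippet above talks to, shown from both sides as an added example (this is not the partner's code, whose server side the question does not have; the service names, the credential store and the sample password are constructed, and UTF-8 is assumed where the C# used Encoding.Default). It also shows the two properties a practitioner should check before trusting such a scheme: a response must be single-use, and a sniffed challenge/response pair still permits an offline dictionary attack on the password, because nothing secret salts the digest.

```python
"""Challenge-response login of the kind the question's C# snippet performs.

Added example: the server issues a random challenge, the client returns
hex(SHA1(password + challenge)), and the server recomputes the digest from
the secret it stores. The last function shows what the scheme does NOT hide.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample credential store. Because the digest covers the password
# itself, the server must keep the reusable secret, not a one-way hash of it.
CREDENTIALS: Dict[str, str] = {"knooppunt-client": "s3cret-pass"}


def client_response(password: str, challenge: str) -> str:
    """Client side: lower-case hex SHA1 over password + challenge (the C# loop
    with ToString("x2")). UTF-8 is assumed here; the snippet used Encoding.Default."""
    return hashlib.sha1((password + challenge).encode("utf-8")).hexdigest()


class SecurityService:
    """Server side (hypothetical counterpart of InitializeLogin / Login)."""

    def __init__(self, credentials: Dict[str, str]) -> None:
        self._credentials = credentials
        self._pending: Dict[str, str] = {}   # login ID -> outstanding challenge

    def initialize_login(self, login_id: str) -> str:
        # 128-bit random nonce per attempt. A predictable or reused challenge
        # would let a captured response be replayed.
        challenge = os.urandom(16).hex()
        self._pending[login_id] = challenge
        return challenge

    def login(self, login_id: str, response_hex: str) -> bool:
        # pop(): the challenge is consumed whether or not the login succeeds
        challenge = self._pending.pop(login_id, None)
        password = self._credentials.get(login_id)
        if challenge is None or password is None:
            return False
        expected = client_response(password, challenge)
        # constant-time compare so timing does not leak matching prefixes
        return hmac.compare_digest(expected, response_hex)


def run_exchange(server: SecurityService, login_id: str, password: str) -> bool:
    """One complete InitializeLogin / Login round trip."""
    challenge = server.initialize_login(login_id)
    return server.login(login_id, client_response(password, challenge))


def replay(server: SecurityService, login_id: str, password: str) -> Tuple[bool, bool]:
    """Send the same valid response twice; the second copy must be rejected."""
    challenge = server.initialize_login(login_id)
    resp = client_response(password, challenge)
    return server.login(login_id, resp), server.login(login_id, resp)


def recover_password(challenge: str, response_hex: str,
                     wordlist: Iterable[str]) -> Optional[str]:
    """Attacker side. One sniffed (challenge, response) pair is enough for an
    offline dictionary attack, since the hash is unkeyed and the challenge is public."""
    for guess in wordlist:
        if hmac.compare_digest(client_response(guess, challenge), response_hex):
            return guess
    return None


if __name__ == "__main__":
    svc = SecurityService(CREDENTIALS)
    print("login:", run_exchange(svc, "knooppunt-client", "s3cret-pass"))
    print("replay:", replay(svc, "knooppunt-client", "s3cret-pass"))
    c = svc.initialize_login("knooppunt-client")
    r = client_response("s3cret-pass", c)
    print("offline guess:", recover_password(c, r, ["password", "s3cret-pass"]))
```

The scheme keeps the password off the wire and, with single-use challenges, stops simple replay, but it does nothing against an active man-in-the-middle, it forces the server to store reusable passwords, and a weak password falls to the dictionary attack in the last function; that is why the usual advice is still to put the whole exchange behind TLS.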
+3  A: 

If it truly is a webservice, you should be using Windows Communication Foundation to generate the proxy and make the call. It makes a lot of this code much, much easier.

Honestly, it looks like the package that is used to connect to the web service that you are using (SSO?) is pretty non-standard, and does nothing more than derive from HttpWebRequest, which is VERY low-level, and too complex to use.

If you are going to secure your own web service (and you are exposing it over an HTTP channel), the easiest way is to get a digital certificate for your host and then use basic HTTP authentication over HTTPS.

You could also use other aspects of the WS-Security specifications (e.g. encoding the message, etc, etc) to secure your service.

Note that WCF supports all of these options, so you don't have to do any of this coding out of the box, and you can host it in IIS as well.

A good beginners reference to WCF is Michelle Bustamante's "Learning WCF: A Hands-On Guide".

After that, for more advanced WCF content (especially if you want to learn about concepts revolving around security in WCF and WS-* in general) I highly recommend "Programming WCF Services" by Juval Lowy.

casperOne
Totally agreed. No need to re-invent the wheel. WCF is for exactly what you're asking for.
Terry Donaghe
Okay ... but what if you are not able to use .NET 3.5?
Sem Dendoncker
@Sem Dendoncker: Can you use .NET 3.0? WCF is in .NET 3.0, and that was a pure add-on solution (only libraries were added, no changes to base class libraries or the CLR), so it should be painless if you are using .NET 2.0.
casperOne
Well no, the application (web service) is still 1.1. I know this is an old project, but it is what it is. I still like your approach with WCF, though; I've been looking into it for a day now.
Sem Dendoncker
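The answer's simplest recommendation, HTTP Basic authentication over HTTPS, as an added example of the server-side check (this is not code from the answer, from WCF or from ASP.NET; the account store, the sample user and the `is_https` flag standing in for the server's knowledge of the transport are constructed). It shows the three things that make Basic acceptable: it is refused outright on a cleartext connection, the header is parsed strictly, and the password is verified against a salted PBKDF2 hash in constant time rather than against a stored plaintext password.

```python
"""HTTP Basic authentication accepted only over TLS, as the answer suggests.

Added example: parse the Authorization header, verify the password against
a salted PBKDF2 hash, and refuse to run the check at all on a cleartext request.
"""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor (assumed; tune to your hardware)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived key). Store these, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, dk


# Constructed sample account store: user -> (salt, PBKDF2 hash)
USERS: Dict[str, Tuple[bytes, bytes]] = {"svc-account": hash_password("correct horse")}


def make_basic_header(user: str, password: str) -> str:
    """Client side: 'Basic ' + base64(user:password), per RFC 7617."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header: str) -> Optional[Tuple[str, str]]:
    """Return (user, password), or None for anything malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):   # bad base64 or bad UTF-8
        return None
    user, sep, password = text.partition(":")   # the password may itself contain ':'
    if not sep or not user:
        return None
    return user, password


def verify_password(user: str, password: str) -> bool:
    # Always do the PBKDF2 work, even for unknown users, so response time does
    # not reveal which user names exist.
    salt, stored = USERS.get(user, (b"\x00" * 16, b"\x00" * 32))
    _, candidate = hash_password(password, salt)
    return user in USERS and hmac.compare_digest(candidate, stored)


def authenticate(headers: Dict[str, str], is_https: bool) -> Tuple[bool, str]:
    """Authenticate one request. is_https stands for what the server knows about
    the transport (e.g. Request.IsSecureConnection in ASP.NET); it is assumed here."""
    if not is_https:
        # Basic sends the password merely base64-encoded, i.e. effectively in the
        # clear; reject before the credentials are even looked at.
        return False, "basic auth refused over cleartext HTTP"
    creds = parse_basic(headers.get("Authorization", ""))
    if creds is None:
        return False, "missing or malformed Authorization header"
    user, password = creds
    if not verify_password(user, password):
        return False, "bad credentials"
    return True, f"authenticated as {user}"


if __name__ == "__main__":
    hdr = {"Authorization": make_basic_header("svc-account", "correct horse")}
    print(authenticate(hdr, is_https=True))
    print(authenticate(hdr, is_https=False))
```

The TLS check comes first on purpose: a Basic header that arrives over plain HTTP has already been exposed to anyone on the path, and accepting it would reward clients that were misconfigured to skip HTTPS.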