tags:
views: 33
answers: 3

Hello, I am creating an API with a bunch of public methods to be published on the web and I need to secure them. In this case it is not about encryption but authentication.

The idea is that whoever is consuming the web services is a registered user in the database, so that we can keep outsiders out. I have been reading about API keys but I don't know whether they are the correct approach for my issue or how to implement them.

So, question is: How do I keep unknown people from consuming the web services?

Notes: Requests made by known users are likely to be logged to keep track of what they do and to terminate connections on suspicious activity. Also, I'm using ASP.NET.

+1  A: 

ASP.NET Web Service Extensions (WSE) support client-side certificate-based authentication. The more up-to-date equivalent is WCF, which also supports client certs.

Ben Robinson
Both links point to the same URL. I've been googling and, since WSE doesn't seem to be a good approach any more and I think it is not compatible with VS 2010 and ASP.NET 3.5, I'll go for WCF.
pedro_cesar
I just read about WCF and I don't think that's the way to go either, because my services are ready and, from what I read, WCF is a distinct approach to Web Services.
pedro_cesar
+1  A: 

API Keys are a good idea.

The idea is just that you assign each user a private key which they must provide (or, better yet, give proof of possession via a challenge-response) in order to make an API call.

Borealid
A: 

Hello, I came back to explain how I ended up doing it.

First, I used a (custom implementation of a) per-application API key, so for each application that would consume my web services I created and gave them a key. That key has to be provided alongside some application data, which is needed to regenerate the key and match it against what the application provided.

Second, I used SoapHeader and a variation of this method in order to accomplish my goal. Basically, the key and app data come with the message as part of the header for each call to a method. So, the validation process happens every time an app calls on a public method.

I appreciate the answers that were given to me and the approaches are really interesting; the reason I decided to do it this way was that the web services were already up and running and are on .NET 3.5, so neither WCF nor ASP.NET WSE could provide me with the best and easiest solution to implement.

Thanks.

pedro_cesar
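The following is an added example, not code posted by pedro_cesar or Borealid, sketching how both of their points fit into one ASMX (.NET 3.5) service: the per-application key is regenerated from application data on the server, as in the accepted answer, the credentials travel in a custom SoapHeader that is validated on every method call, and, as Borealid suggested, the client proves possession of the key by signing a server-issued challenge instead of sending the key itself. All names (`ApiAuthHeader`, `ApiKeyAuth`, `ChallengeStore`, `PublicApi`, `GetAccountStatus`), the namespace URL and the inline master secret are hypothetical; the secret is assumed to come from protected configuration in a real deployment.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web.Services;
using System.Web.Services.Protocols;

// Hypothetical SOAP header carried on every authenticated call.
public class ApiAuthHeader : SoapHeader
{
    public string AppId;   // application data the server uses to regenerate the key
    public string Nonce;   // server-issued, single-use challenge
    public string Proof;   // hex HMAC-SHA256(apiKey, Nonce + ":" + method name)
}

public static class ApiKeyAuth
{
    // Assumption: loaded from protected config in production; inline only for the example.
    static readonly byte[] MasterSecret = Encoding.UTF8.GetBytes("replace-with-a-long-random-server-secret");

    // Per-application key derived from the app data: nothing per app needs to be stored to
    // validate it, but anyone who can read MasterSecret can mint any key, so guard it.
    public static byte[] DeriveKey(string appId)
    {
        return Hmac(MasterSecret, "apikey:" + appId);
    }

    // Value handed to the application once, at registration.
    public static string IssueKey(string appId)
    {
        return ToHex(DeriveKey(appId));
    }

    // Proof of possession: the client signs the challenge plus the method name, so the key
    // never crosses the wire and a captured proof cannot be replayed against another method.
    public static string ComputeProof(byte[] key, string nonce, string methodName)
    {
        return ToHex(Hmac(key, nonce + ":" + methodName));
    }

    public static bool Verify(ApiAuthHeader h, string methodName)
    {
        if (h == null || string.IsNullOrEmpty(h.AppId) || string.IsNullOrEmpty(h.Nonce) || string.IsNullOrEmpty(h.Proof))
            return false;
        if (!ChallengeStore.Consume(h.AppId, h.Nonce))   // unknown, expired or already-used challenge
            return false;
        byte[] expected = Encoding.ASCII.GetBytes(ComputeProof(DeriveKey(h.AppId), h.Nonce, methodName));
        byte[] presented = Encoding.ASCII.GetBytes(h.Proof.ToLowerInvariant());
        return FixedTimeEquals(expected, presented);
    }

    static byte[] Hmac(byte[] key, string data)
    {
        using (HMACSHA256 mac = new HMACSHA256(key))
            return mac.ComputeHash(Encoding.UTF8.GetBytes(data));
    }

    public static string ToHex(byte[] b)
    {
        return BitConverter.ToString(b).Replace("-", "").ToLowerInvariant();
    }

    // .NET 3.5 has no built-in constant-time comparison; a plain == on strings
    // stops at the first mismatching byte and leaks where it is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Single-use challenge store. In-memory for the example; on a web farm it must be shared.
public static class ChallengeStore
{
    static readonly Dictionary<string, DateTime> Issued = new Dictionary<string, DateTime>();
    static readonly object Gate = new object();

    public static string Issue(string appId)
    {
        byte[] raw = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(raw);
        string nonce = ApiKeyAuth.ToHex(raw);
        lock (Gate) Issued[appId + "|" + nonce] = DateTime.UtcNow.AddMinutes(2);
        return nonce;
    }

    public static bool Consume(string appId, string nonce)
    {
        string k = appId + "|" + nonce;
        lock (Gate)
        {
            DateTime expires;
            if (!Issued.TryGetValue(k, out expires)) return false;
            Issued.Remove(k);                     // one challenge, one call
            return expires > DateTime.UtcNow;
        }
    }
}

[WebService(Namespace = "http://example.com/api/")]
public class PublicApi : WebService
{
    public ApiAuthHeader AuthHeader;   // populated from the SOAP header by the attribute below

    [WebMethod]                        // unauthenticated: hands out the challenge to sign
    public string GetChallenge(string appId)
    {
        return ChallengeStore.Issue(appId);
    }

    [WebMethod]
    [SoapHeader("AuthHeader")]
    public string GetAccountStatus(string account)
    {
        if (!ApiKeyAuth.Verify(AuthHeader, "GetAccountStatus"))
            throw new SoapException("Unauthorized", SoapException.ClientFaultCode);
        // audit logging keyed on AuthHeader.AppId would go here
        return "ok:" + account;
    }
}
```

The client calls `GetChallenge`, computes `ApiKeyAuth.ComputeProof(key, nonce, "GetAccountStatus")` with the key it was issued, and sends `AppId`, `Nonce` and `Proof` in the header of the real call; the server regenerates the key from `AppId`, recomputes the proof and compares it in constant time. Two caveats a practitioner would want: keep the transport on HTTPS regardless (the proof protects the key, not the rest of the message), and revoke a compromised application by refusing its `AppId` in `Verify`, since a derived key cannot be rotated without changing the master secret or the derivation input.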