We have a web service that we will be hosting on a public web server and it will be contacted by web services hosted on web servers within the walls of a hospital. We have written both pieces of the software so we have complete control over what is implemented.

We would like to secure communications between the two web servers. Currently the only thing we have in place is https on the public web server and a guid to identify the clients.

There are network level types of authorization we can support but I don't like relying on these since not all of our customers (hospitals) will be able to do the same thing. Some will not have the ability to give us a static IP and some will not be able to do a VPN, so we can't solely rely on those methods.

What techniques are you using or do you recommend to authorize communications to your web services? Our main concern is keeping people from getting a hospital's ID (currently just a GUID) and getting data from our web service that is intended for the hospital.

We will employ other networking level security measures to limit the public access to our system but I feel a software solution is necessary as well.

The system is not yet in production but is nearing the completion of development. It's developed in C# on .NET 3.5.

FWIW I was thinking of some sort of token based authorization because I know a previous employer used something along those lines. However, I do not know specifically what to look for or any other information on the topic.

Edit: While I would like to use WCF, currently no one on the team (including myself) has any experience using it and we've already developed the web services along with the code that interacts with them. All of the web references were added using the .NET 2.0 method (from VS.NET 08, targeted to .NET 3.5) and we would prefer to not completely redo that. I won't say that WCF is not an option, but I don't think we will go with that option willingly.

+1  A: 

Client certificates can be used to provide credentials from a caller to your web services; it's not that hard to take the passed cert and do any additional evaluation to dictate what that cert has visibility into.

Joe
We found that we can map a client certificate to a Windows account. We will be using this + obfuscation by not publishing the WSDL, and either IP tracking or IP/IP-range blocking at the application level, per account (since not everyone will have a static IP).
Allen
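Here is an added example (not code from Joe or from the asker's project) of what Joe's answer looks like in an ASMX service on .NET 3.5: IIS is configured to require client certificates on the virtual directory, the web method reads the negotiated certificate from `HttpContext`, rebuilds the chain with revocation checking, and looks the thumbprint up in a server-side table to get the hospital ID. The hospital ID is then derived from the certificate rather than from a GUID the caller sends. `HospitalServiceProxy`, the thumbprints, GUIDs and URL are all assumed or constructed placeholders.

```csharp
// Added example, not from the original answer. Assumes IIS is set to
// "Require client certificates" for the .asmx endpoint, and that
// HospitalServiceProxy is the class "Add Web Reference" generated on the client.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;

public class HospitalService : WebService
{
    // Constructed mapping: certificate thumbprint -> hospital ID. In production this
    // would be a database table populated when each hospital's certificate is enrolled.
    private static readonly Dictionary<string, Guid> TrustedCerts =
        new Dictionary<string, Guid>(StringComparer.OrdinalIgnoreCase)
    {
        { "0000000000000000000000000000000000000000", new Guid("11111111-1111-1111-1111-111111111111") }
    };

    // Resolves the calling hospital from the certificate IIS negotiated on the TLS connection.
    private static Guid AuthorizeCaller()
    {
        HttpClientCertificate raw = HttpContext.Current.Request.ClientCertificate;
        if (!raw.IsPresent || !raw.IsValid)
            throw new SoapException("Client certificate required", SoapException.ClientFaultCode);

        X509Certificate2 cert = new X509Certificate2(raw.Certificate);

        // Rebuild the chain ourselves so revocation is actually checked rather than
        // relying on IIS's IsValid flag alone.
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        if (!chain.Build(cert))
            throw new SoapException("Certificate chain invalid", SoapException.ClientFaultCode);

        // Only certificates we enrolled are accepted, regardless of which CA issued them.
        Guid hospitalId;
        if (!TrustedCerts.TryGetValue(cert.Thumbprint, out hospitalId))
            throw new SoapException("Certificate not enrolled", SoapException.ClientFaultCode);
        return hospitalId;
    }

    [WebMethod]
    public string GetPatientSummary(string recordId)
    {
        // The hospital is identified by its certificate, not by a GUID in the request,
        // so a leaked GUID on its own is no longer enough to read that hospital's data.
        Guid hospitalId = AuthorizeCaller();
        return LoadSummaryFor(hospitalId, recordId);
    }

    private static string LoadSummaryFor(Guid hospitalId, string recordId)
    {
        // Placeholder for the real data access, always scoped to the authenticated hospital.
        return string.Format("summary for {0} at hospital {1}", recordId, hospitalId);
    }
}

// Client side, running on the hospital's server: attach the certificate to the proxy.
public static class HospitalClient
{
    public static string Call(string pfxPath, string pfxPassword)
    {
        HospitalServiceProxy proxy = new HospitalServiceProxy();   // assumed generated class
        proxy.Url = "https://example.invalid/HospitalService.asmx"; // placeholder URL
        proxy.ClientCertificates.Add(new X509Certificate2(pfxPath, pfxPassword));
        return proxy.GetPatientSummary("rec-42");
    }
}
```

Mapping the certificate to a Windows account, as Allen's comment describes, is done in IIS (one-to-one or many-to-one mapping) and leaves the code above unchanged; the thumbprint lookup still gives you an application-level allow-list that is independent of which CA a hospital happens to use. Note that not publishing the WSDL hides the contract but is not an access control; the certificate check is what actually keeps data scoped to a hospital.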
+1  A: 

You probably want to use something like OAuth:

http://oauth.net/

You can then use it with WCF to provide an endpoint.

From there, you would want to map the claims to an internal id for the customers (you would have to determine what this mapping is).

This way, you don't have to rely on issuing anything to anyone, all you have to do is create the mapping based on the claims sent to you.

casperOne
Can this be used without WCF?
Allen
@Allen: You could use OAuth without WCF, but I don't know that ASP.NET web services has the hooks to identify the user.
casperOne
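As an added example (not casperOne's code, and not a full OAuth implementation), the following shows the part of OAuth 1.0 that addresses the asker's concern: each hospital holds a consumer key and a shared secret, signs every request with HMAC-SHA1 over the method, URL and parameters (modelled on the HMAC-SHA1 signature method in the OAuth 1.0 spec, with the token exchange left out), and the server maps the consumer key to an internal hospital ID, exactly the "claims to internal id" mapping the answer describes. The keys, secrets and IDs are constructed placeholders; `query` is the request's parameters without the signature itself.

```csharp
// Added example, not from the original answer. A simplified signed-request check in
// the style of OAuth 1.0 HMAC-SHA1 (no token exchange), with replay protection.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public class SignedRequestAuthorizer
{
    // Constructed registry: consumer key -> (shared secret, hospital ID). This is the
    // mapping from the caller's claim to an internal id; normally a database table.
    private readonly Dictionary<string, KeyValuePair<string, Guid>> consumers =
        new Dictionary<string, KeyValuePair<string, Guid>>();
    private readonly Dictionary<string, DateTime> seenNonces = new Dictionary<string, DateTime>();
    private readonly TimeSpan clockSkew = TimeSpan.FromMinutes(5);

    public void Register(string consumerKey, string secret, Guid hospitalId)
    {
        consumers[consumerKey] = new KeyValuePair<string, Guid>(secret, hospitalId);
    }

    // The string the client signs: method, URL and the sorted parameters, which include
    // the consumer key, timestamp and nonce, so none of them can be altered in transit.
    public static string BaseString(string method, string url, SortedDictionary<string, string> parameters)
    {
        StringBuilder sb = new StringBuilder();
        foreach (KeyValuePair<string, string> p in parameters)
            sb.Append(Uri.EscapeDataString(p.Key)).Append('=').Append(Uri.EscapeDataString(p.Value)).Append('&');
        return method.ToUpperInvariant() + "&" + Uri.EscapeDataString(url) + "&" + Uri.EscapeDataString(sb.ToString());
    }

    public static string Sign(string secret, string baseString)
    {
        using (HMACSHA1 hmac = new HMACSHA1(Encoding.UTF8.GetBytes(secret)))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(baseString)));
    }

    // Returns the hospital ID the request is authorised for, or throws.
    // 'query' holds every request parameter except oauth_signature, which is passed separately.
    public Guid Authorize(string method, string url, IDictionary<string, string> query, string signature, DateTime nowUtc)
    {
        string consumerKey, timestamp, nonce;
        if (!query.TryGetValue("oauth_consumer_key", out consumerKey) ||
            !query.TryGetValue("oauth_timestamp", out timestamp) ||
            !query.TryGetValue("oauth_nonce", out nonce))
            throw new UnauthorizedAccessException("missing signing parameters");

        KeyValuePair<string, Guid> consumer;
        if (!consumers.TryGetValue(consumerKey, out consumer))
            throw new UnauthorizedAccessException("unknown consumer key");

        // Reject stale requests, and replays of a (consumer, nonce) pair inside the window.
        DateTime sent = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc).AddSeconds(long.Parse(timestamp));
        if ((nowUtc - sent).Duration() > clockSkew)
            throw new UnauthorizedAccessException("timestamp outside allowed window");
        string nonceKey = consumerKey + ":" + nonce;
        if (seenNonces.ContainsKey(nonceKey))
            throw new UnauthorizedAccessException("nonce replayed");

        string expected = Sign(consumer.Key,
            BaseString(method, url, new SortedDictionary<string, string>(query, StringComparer.Ordinal)));
        if (!ConstantTimeEquals(expected, signature))
            throw new UnauthorizedAccessException("bad signature");

        seenNonces[nonceKey] = nowUtc; // a real service prunes entries older than clockSkew
        return consumer.Value;
    }

    // Compare without short-circuiting on the first differing character.
    private static bool ConstantTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

This does not need WCF: an ASMX method can read the parameters from `HttpContext.Current.Request` (or from a SOAP header) and call `Authorize` before touching any data, which answers Allen's follow-up. The secret never travels on the wire, so a captured request cannot be reused once its nonce has been seen or its timestamp has expired, which is what makes this stronger than sending a bare GUID.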
+1  A: 

Could you use something like Basic Authentication over https to provide username password challenging? I believe the Microsoft SOAP supports it fairly well. You pretty much just use IIS to configure basic auth (must use SSL), and in your C# just pass ICredentials to your proxy.

From googling, it looks like other languages support basic auth over SOAP too.

Andrew M
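An added example (not Andrew M's code) of the Basic-over-HTTPS setup on .NET 3.5: IIS does the password check against a per-hospital account, the ASMX method refuses to run unless the connection is TLS (Basic auth only base64-encodes the password) and maps the authenticated account name to a hospital ID, and the client passes `ICredentials` to the generated proxy. The account names, GUID, URL and `HospitalServiceProxy` class are assumed or constructed placeholders.

```csharp
// Added example, not from the original answer. Assumes IIS has Basic authentication
// enabled (and anonymous disabled) on the .asmx, with web.config using
// <authentication mode="Windows"/> and <authorization><deny users="?"/></authorization>.
using System;
using System.Collections.Generic;
using System.Net;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;

public class HospitalService : WebService
{
    // Constructed mapping: Windows account name -> hospital ID. IIS Basic auth validates
    // against Windows accounts, so each hospital gets its own low-privilege account.
    private static readonly Dictionary<string, Guid> Hospitals =
        new Dictionary<string, Guid>(StringComparer.OrdinalIgnoreCase)
    {
        { "SVC\\stmarys", new Guid("11111111-1111-1111-1111-111111111111") }
    };

    [WebMethod]
    public string GetPatientSummary(string recordId)
    {
        HttpRequest req = HttpContext.Current.Request;

        // Basic auth sends the password base64-encoded, not encrypted: refuse plain HTTP
        // even if someone later relaxes the IIS "Require SSL" setting.
        if (!req.IsSecureConnection)
            throw new SoapException("HTTPS required", SoapException.ClientFaultCode);
        if (!req.IsAuthenticated)
            throw new SoapException("Authentication required", SoapException.ClientFaultCode);

        // The hospital is whichever account IIS authenticated, never a GUID from the body.
        string account = HttpContext.Current.User.Identity.Name;
        Guid hospitalId;
        if (!Hospitals.TryGetValue(account, out hospitalId))
            throw new SoapException("Account not mapped to a hospital", SoapException.ClientFaultCode);

        return LoadSummaryFor(hospitalId, recordId);
    }

    private static string LoadSummaryFor(Guid hospitalId, string recordId)
    {
        // Placeholder for the real data access, scoped to the authenticated hospital.
        return string.Format("summary for {0} at hospital {1}", recordId, hospitalId);
    }
}

// Client side on the hospital's server: hand the credentials to the proxy.
public static class HospitalClient
{
    public static string Call(string user, string password)
    {
        HospitalServiceProxy proxy = new HospitalServiceProxy();   // assumed generated class
        proxy.Url = "https://example.invalid/HospitalService.asmx"; // placeholder URL
        proxy.Credentials = new NetworkCredential(user, password);
        proxy.PreAuthenticate = true; // send the Authorization header up front instead of after a 401
        return proxy.GetPatientSummary("rec-42");
    }
}
```

The `IsSecureConnection` check is the one piece worth keeping even if you also enforce "Require SSL" in IIS: with Basic auth, a single request over plain HTTP exposes the hospital's password, so the application should fail closed rather than trust the deployment configuration alone.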