tags:

views:

2477

answers:

5
+3  Q: 

Accessing .NET Web Service securely from Flex 3

We can successfully consume a .NET 2.0 web service from a Flex/AS3 application. Aside from SSL, how else can we make the security more robust (i.e., authentication)?

A: 

If you're talking about securing the information going over the wire, you can use Web Service Extensions (WSE) to encrypt the body of the soap message so that you don't have to secure the channel. This way the message can get passed around from more than one endpoint (ie. it can get forwarded) and you don't need multiple https certs.

If you're talking abut autentication then you could do forms auth with either a password in the body or in the soap headers (once again either encrypt the body or the channel). Or one of the easiest ways to secure a webservice (if it's an internal set of services) is have IIS do it, turn on NTLM and do authentication there. You can do authorization later on in the pipeline with an HTTPModule that checks peoples credential against the code they're trying to call.

Tyler  2008-09-12 22:11:47
A: 

Consider using WebOrb to communicate with your service. Here is some information on WebOrb's authentication mecahnism. There is also an article on Adobe's developer site on using WebOrb and .Net for authentication.

James Fassett  2008-10-11 20:26:12
+2  A: 

You can leverage ASP.Net's built in session management by decorating your webmethods with

<EnableSession()>

Then, inside your method, you can check that the user still has a valid session.

matt eisenberg  2008-10-12 21:26:34
A: 

You should be able to use asp.net's authentication (such as forms authentication) without much extra effort. Securing an asmx file is just like securing an aspx file. There's a ton of information on forms authentication out there, just search for 'asp.net forms authentication'

Jeff Schumacher  2008-10-13 18:29:33
That's not quite right. Since flex/flash swf file(s) are downloaded on the client computer, it's easy to decompile them...
Frank  2010-03-08 12:59:56
@Frank - If you're saving usernames / passwords in your action script, then you've got bigger problems to overcomes than worrying about someone decompiling your swf.
Jeff Schumacher  2010-03-09 17:33:11
There are ways to verify user credentials _before_ giving access to the swf
Frank  2010-03-09 17:49:23
A: 

If you are using Microsoft technologies you could build a little Asp.Net/C# application that would ask for credentials before redirecting to the correct swf.

That way you could restrict the access and have different swf file depending on the user.

Frank  2010-03-09 17:51:56

related questions

Displaying Version Information in a Web Service
Example Web Service
SoapException: Root element is missing occurs when .NET web service called from Flex
Best practice for webservices
What is your preferred method of sending complex data over a web service?
.Net - Returning DataTables in WCF
Is it possible to return objects from a WebService?
How much extra overhead is generated when sending a file over a web service as a byte array?
Returning Large Results Via a Webservice
File Uploads via Web Services
best way to persist data in .NET Web Service
What is the difference between an endpoint, a service, and a port when working with webservices?
Calling REST web services from a classic asp page
Best way to write a RESTful service "client" in .Net?
Where can I find some good WS-Security introductions and tutorials?
ASP.NET Web Service Results, Proxy Classes and Type Conversion
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
Document or RPC based web services
How to easily consume a web service from PHP
Timer-based event triggers
How to pass enumerated values to a web service
Homegrown consumption of web services
How do I print an HTML document from a web service?
How do I fill a DataSet or a DataTable from a LINQ query resultset ?