I need to build a simple webservice to get data in and out of a HR System over the Internet (it's a hosted solution). I am using IIS and ASP.Net with .Net 2.0.
Having looked into it, there are several ways of making the webservice secure - I am after some advice on which method to choose, with some views on pros and cons.
These are the methods I am aware of:
SoapHeaders over SSL
Post the UID/PWD in a Soap header and implement a SOAP extension (link).
Pretty straightforward to implement and should be quite secure over SSL. This is by far my preferred option due to the relative simplicity. Also, for historical reasons, I will need to consume the webservice from VBScript of all things, so the ability to just deal with simple SOAP is a bonus.
However, are there any caveats? Am I going to have clients complaining this is a security risk?
Using WCF with TransportWithMessageCredential
I found a lot of old articles referring to WS and if I am not mistaken, this is what is now provided in WCF? This Microsoft link has a primer.
If I understand it correctly, this uses certificate-based security between client and server for authentication. Is this correct or have I got it completely wrong?
I suspect this will be a much bigger job, at least implementation-wise. Also, I won't be able to access the Webservice directly from VBScript, so will have to write a dll it can call and then deploy that locally - correct?
Is this even available in .Net 2.0?
Other methods
- I could disallow anonymous access to the asmx file and rely on IIS to do authentication through challenge/response. This is actually practical in my scenario but feels very inelegant (and no idea how to make that work from VBScript either).
- Passing in a UID to the method call is a poor cousin of the SoapHeader so I won't use that.
I would be very grateful for any advice on the best approach to this problem. If anyone has a good argument why Soap Headers are secure then I would love to hear it, as that seems like the simplest to use, as long as it is "secure enough".
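Added example, not part of the original post: a sketch of the first option (credentials in a SOAP header over SSL) as an ASMX service in C# 2.0, rejecting any request that did not arrive over HTTPS and comparing a derived key rather than the raw password. The names `AuthHeader`, `HrService`, `GetEmployee`, `CredentialStore`, the `hr-client` account, its password and salt, and the namespace are all hypothetical.

```csharp
using System.Security.Cryptography;
using System.Text;
using System.Web.Services;
using System.Web.Services.Protocols;

// Hypothetical header type, sent as <AuthHeader> inside <soap:Header>.
public class AuthHeader : SoapHeader
{
    public string Username, Password;
}

[WebService(Namespace = "http://example.invalid/hr")] // placeholder namespace
public class HrService : WebService
{
    public AuthHeader Credentials; // filled by ASMX from the request header
    [WebMethod]
    [SoapHeader("Credentials")]
    public string GetEmployee(string employeeId)
    {
        Authenticate();
        return "record for " + employeeId; // stand-in for the real lookup
    }

    private void Authenticate()
    {
        // The header travels as plain text, so refuse requests that bypassed SSL.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("HTTPS required", SoapException.ClientFaultCode);
        if (Credentials == null || Credentials.Username == null || Credentials.Password == null)
            throw new SoapException("Credentials missing", SoapException.ClientFaultCode);
        if (!CredentialStore.Verify(Credentials.Username, Credentials.Password))
            throw new SoapException("Authentication failed", SoapException.ClientFaultCode);
    }
}

static class CredentialStore // constructed single account; persist only salt + derived key
{
    static readonly byte[] Salt = Encoding.ASCII.GetBytes("constructed-salt");
    static readonly byte[] Key = Derive("constructed-password");
    static byte[] Derive(string password) { return new Rfc2898DeriveBytes(password, Salt, 10000).GetBytes(20); }
    public static bool Verify(string user, string password)
    {
        byte[] candidate = Derive(password);
        int diff = user == "hr-client" ? 0 : 1;
        for (int i = 0; i < Key.Length; i++) diff |= Key[i] ^ candidate[i]; // no early exit
        return diff == 0;
    }
}
```

`Context.Request.IsSecureConnection` reports the connection IIS itself received, so it is false when SSL is terminated on a device in front of the server.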