views:

919

answers:

4

Hi everyone,

I have written a simple .NET web service, which will be hosted on a different server, maybe on a different continent; I don't really know. Now, I only have its URL, and I tried to use the WebRequest and WebResponse methods to access that web service via HTTP POST. Now, I want to know: is there any way to secure access to the web service, so that nobody can exploit it?

For example, my web service, which is here:

http://consultflux.com/Verify/Verification.asmx/Verify?AccountNumber=3223&ProductName=876

Now, these are all the parameters required to call this web service. As of now, anyone can exploit it. So how can I make it secure? Although I am planning to get SSL, and this whole thing is happening from server to server, not from client to server.

+3  A: 

You can pass a service key (much like Amazon WS) in the Authorization header of the web request, which could be encrypted with an algorithm of your choice, which is then decrypted at the service end, and only continue with the execution if the key matches.

See section 14.8 in the following URL:

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html

Nick Allen - Tungle139
Thanks, it makes sense. Is there anything else I could do to make it more secure? If the request from the client is done in SSL mode, will this request also be done in SSL from server to server, or do I have to turn it on specifically? Pardon me for asking so many questions. Thanks.
Mohit
I believe you would need an SSL certificate for the server-to-server communication also. That, paired with an encrypted authorization header, should be all you need.
Nick Allen - Tungle139
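The Authorization-header key scheme from the answer above, as an added example that is not part of the original answer (RFC 2616 section 14.8 is the Authorization header itself). Rather than encrypting the key and sending it, each calling server holds a shared secret and uses it as an HMAC key over the method, path, sorted query parameters and a timestamp; the header proves possession of the secret without transmitting it, a changed parameter invalidates the signature, and the timestamp window bounds replay of a captured header. It is written in Python as a language-neutral sketch of the exchange; the header format, the key id and secret, and the path and parameters (taken from the question's URL) are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed key table: key id -> shared secret (hypothetical values).
# In a real service these come from configuration or a secret store.
CLIENT_SECRETS = {
    "partner-01": b"7c1d6e0a1b2c3d4e5f60718293a4b5c6",
}

# Signatures carry a timestamp; anything outside this window is rejected, so a
# captured header cannot be replayed indefinitely.
MAX_CLOCK_SKEW = 300  # seconds


def canonical_string(method, path, params, timestamp):
    """The exact bytes both sides MAC: method, path, sorted query, timestamp.

    Sorting the parameters means client and server agree on the string
    regardless of the order their frameworks serialise the query in.
    """
    query = urlencode(sorted(params.items()))
    return f"{method.upper()}\n{path}\n{query}\n{timestamp}".encode()


def sign_request(key_id, secret, method, path, params, timestamp):
    """Client side: build the Authorization header value."""
    mac = hmac.new(secret, canonical_string(method, path, params, timestamp),
                   hashlib.sha256).hexdigest()
    return f"HMAC-SHA256 {key_id}:{timestamp}:{mac}"


def verify_request(auth_header, method, path, params, now=None):
    """Server side: return (accepted, reason) for an incoming request."""
    now = time.time() if now is None else now
    scheme, _, rest = auth_header.partition(" ")
    if scheme != "HMAC-SHA256":
        return False, "unsupported scheme"
    try:
        key_id, ts_text, mac = rest.split(":", 2)
        timestamp = int(ts_text)
    except ValueError:
        return False, "malformed header"
    secret = CLIENT_SECRETS.get(key_id)
    if secret is None:
        return False, "unknown key id"
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return False, "timestamp outside window"
    expected = hmac.new(secret, canonical_string(method, path, params, timestamp),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so a mismatch does not leak where it occurred.
    if not hmac.compare_digest(expected, mac):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    path = "/Verify/Verification.asmx/Verify"
    params = {"AccountNumber": "3223", "ProductName": "876"}
    header = sign_request("partner-01", CLIENT_SECRETS["partner-01"],
                          "POST", path, params, int(time.time()))
    print(header)
    print(verify_request(header, "POST", path, params))
    # A caller who alters a parameter without the secret fails verification.
    print(verify_request(header, "POST", path, {**params, "AccountNumber": "9999"}))
```

The secret still has to be delivered to the partner server once, out of band, and SSL remains necessary to keep the account and product values themselves private; the signature only protects their integrity and the caller's identity.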
+1  A: 

Unfortunately, you don't have many options since you've used the old ASMX web service technology. The only ways to authenticate someone with ASMX web services, over the Internet, basically amount to "do it yourself".

If I had to do this, I'd use WCF and give myself some options. If I couldn't use WCF, then I'd create a custom HTTP header to pass username and password (over SSL!), and authenticate them on the server. Alternately, I'd use certificates on the client and require them to be sent to the server. IIS can even turn client certificates into Windows identities on the server.

John Saunders
WCF... I think I can take a look at that. But I still need to access it via URL only; that's my limitation. Please help me if you can. Any link would be sufficient. Thanks.
Mohit
The WCF Developer Center on MSDN is at http://msdn.microsoft.com/WCF/. WCF should be used instead of ASMX for all new web service development.
John Saunders
A: 

Typically, what you used to secure .NET web services before WCF was Microsoft's Web Service Extensions (WSE), now at version 3.0. I have used it successfully in a commercially available product, and it is rather good, as it is based on the W3C WS-* standards. It is possible to interoperate with it from .NET clients (obviously), but also from Java clients if you use Apache Axis. Download it at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=018a09fd-3a74-43c5-8ec1-8d789091255d&displaylang=en

Guido Domenici
I strongly recommend against even _thinking_ about WSE! WSE is quite obsolete, having been replaced by WCF. Do not use WSE unless you have no choice at all.
John Saunders
That's why I wrote /before/ WCF... The original question seems to refer to traditional .NET web services. Of course I'd also recommend WCF if there's a choice.
Guido Domenici
Just _please_ be careful about mentioning WSE - what if someone reading this decided to _use_ it? That's why I put it in such stark terms - "only if you have no other choice". I don't want to chance someone using it because "it uses .ASMX files" or "WCF is too advanced" or anything like that. WSE is obsolete, and should simply not be used, at least not on any project that matters.
John Saunders
A: 

We do a fair number of web services, and to secure them we just added a username and password to our request object. In your case, you could just add two new parameters for a user name and password, or more simply just add one and use something like an authentication code, which you can make as complex or as simple as you want.

Some ideas range from something simple, like a list of GUIDs that are acceptable pass keys, to an encryption of the requesting server's IP address, so that the authentication code only works with that IP address, verified by the web service.

Bob The Janitor
Very nice. Thanks for the suggestion. But as the other guys said, I will try using WCF also and see if it benefits me. Otherwise, I can always use your suggestion. Thanks.
Mohit
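The "list of acceptable GUID pass keys, tied to the requesting server's IP address" idea from the answer above, as an added example that is not part of the original post. Each accepted key is bound to the network the partner server calls from, the presented key is compared in constant time, and the source address is taken from the TCP peer rather than any client-supplied header. It is written in Python rather than the .NET of the question; the GUIDs, the TEST-NET address ranges, the AuthKey parameter name and the host in the sample URL are all assumptions (the path and the other two parameters are from the question).

```python
import hmac
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed key store (hypothetical GUIDs): each accepted pass key is bound to
# the address range the partner server is expected to call from. TEST-NET
# ranges are used so nothing here points at a real host.
API_KEYS = {
    "0d9f6a1c-3b7e-4e2a-9c15-8a4f2d6e1b70": ipaddress.ip_network("203.0.113.0/24"),
    "5e2c8b47-1a9d-4f63-b0e1-7c3d9a2f4e58": ipaddress.ip_network("198.51.100.42/32"),
}
KEY_PARAM = "AuthKey"  # assumed name of the extra parameter the answer suggests


def authenticate(presented_key, remote_addr):
    """Return (accepted, reason) for a presented key and the TCP peer address.

    remote_addr must be the socket peer (REMOTE_ADDR in IIS/ASP.NET), never a
    client-supplied header such as X-Forwarded-For, or the binding is forged
    by simply sending the header.
    """
    matched = None
    # Walk every stored key with a constant-time compare instead of a dict
    # lookup, so the work done does not depend on how much of the key matched.
    for known in API_KEYS:
        if hmac.compare_digest(known.encode(), presented_key.encode()):
            matched = known
    if matched is None:
        return False, "unknown key"
    try:
        caller = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False, "unparseable remote address"
    if caller not in API_KEYS[matched]:
        return False, "key not valid from this address"
    return True, "ok"


def handle_verify(url, remote_addr):
    """Gate the Verify call from the question behind the key + address check."""
    query = parse_qs(urlsplit(url).query)
    presented = query.get(KEY_PARAM, [""])[0]
    ok, reason = authenticate(presented, remote_addr)
    if not ok:
        return {"status": 403, "reason": reason}
    return {
        "status": 200,
        "AccountNumber": query.get("AccountNumber", [""])[0],
        "ProductName": query.get("ProductName", [""])[0],
    }


if __name__ == "__main__":
    good_key = "0d9f6a1c-3b7e-4e2a-9c15-8a4f2d6e1b70"
    url = ("https://service.example/Verify/Verification.asmx/Verify"
           f"?AccountNumber=3223&ProductName=876&{KEY_PARAM}={good_key}")
    print(handle_verify(url, "203.0.113.7"))    # accepted
    print(handle_verify(url, "198.51.100.7"))   # right key, wrong network
```

One caveat worth keeping in mind with this approach: a key carried as a query-string parameter, as in the question's URL, is written to the web server's access log and to any proxy log on the path, so even over SSL it is better carried in a request header, and the key should be rotated if such a log is ever exposed.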