Thread: [2005] Web Service Security options

  1. #1

    Thread Starter
    I'm about to be a PowerPoster! kleinma's Avatar
    Join Date
    Nov 2001
    Location
    NJ - USA (Near NYC)
    Posts
    23,373

    [2005] Web Service Security options

    I have worked with webservices a bit in 2003, and I just upgraded a 2003 WS project to 2005.

    I am just wondering if there are any new security considerations I can use to make this WS as secure as possible.

    I will refer to my programs as winapp (the Windows app that consumes the service) and SecureWS (the web service to be consumed).

    My ultimate goal is this:
    Only authenticated callers (aka winapp) can access the methods of the webservice.

    What I have implemented so far:
    -All calls to SecureWS are over SSL
    -My webhost allows me to create user accounts so I can deny anonymous access to the directory where SecureWS sits, but allow access from an account I create. So I create a user acct that only has access to that SecureWS. This is so you can't navigate to the URL of my ASMX file and see all the methods.
    -I have a TripleDES encrypted string of the credentials (credentials for the user account I created on my web host) stored in winapp, and at runtime when I call the SecureWS, I decrypt it, and pass it as credentials to SecureWS


    Is there anything I am overdoing, missing, doing wrong?

    I have found some articles on WS security, however they mostly deal with situations where you have full access to IIS, which I do not.

    However I do want to protect my service from unauthorized access, or from brute force attacks. I am not some big software company, so I may be overdoing it a little on security, as I don't expect a ton of people trying to hack this, however it does only take one person, not a ton.

  2. #2
    Code Monkey wild_bill's Avatar
    Join Date
    Mar 2005
    Location
    Montana
    Posts
    2,993

    Re: [2005] Web Service Security options

    IIRC you can use the web.config file to prevent anyone from browsing to your page and exposing the methods. I'm at home now, but I'll check my service tomorrow for the code. For authentication I used Microsoft's WSE2 toolkit. It works nice, as it allows me to store usernames and hashed passwords in our mssql db. I can get you example code of that as well if you want it.

  3. #3
    Code Monkey wild_bill's Avatar
    Join Date
    Mar 2005
    Location
    Montana
    Posts
    2,993

    Re: [2005] Web Service Security options

    Here are the config settings to allow human interface with the service, handy for testing.
    Code:
        <webServices>
            <protocols>
                <add name="HttpGet"/>
                <add name="HttpPost"/>
            </protocols>
        </webServices>
    If you remove these tags, a program is required to run the methods.
    Here is some sample code for my client that consumes a web service that uses WSE 2.0.

    VB Code:
    '''Install WSE 2.0 from http://www.microsoft.com/downloads/details.aspx?FamilyId=FC5F06C5-821F-41D3-A4FE-6C7B56423841&displaylang=en
    '''Right click project, go to WSE Settings, ensure top checkbox is checked under the general tab
    '''Add web reference, make sure to use web service instance that is followed by Wse.
    '''Example: myWsRef.ClassNameWse not myWsRef.ClassName
    'Goes at the top of the form's code file so Security.Tokens resolves
    Imports Microsoft.Web.Services2

    Private Sub btnConnect_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnConnect.Click
        Me.Cursor = Cursors.WaitCursor
        btnConnect.Enabled = False
        'Create a UsernameToken instance
        'SendPlainText puts the password in the SOAP header as-is, so the call must go over SSL
        Dim ut As New Security.Tokens.UsernameToken(txtUsername.Text, txtPassword.Text, Security.Tokens.PasswordOption.SendPlainText)
        'Create a new instance of the web service
        Dim ws As New hewWs.UserInterfaceWse

        Try
            'Add the token to the Tokens collection
            ws.RequestSoapContext.Security.Tokens.Add(ut)
            'Call the web service
            If ws.UpdatePassword(txtNewPassword.Text) Then
                txtMessage.Text = "Success!"
            End If
        Catch exSoap As System.Web.Services.Protocols.SoapHeaderException
            'There was an authentication problem
            txtMessage.Text = exSoap.Message
        Catch ex As Exception
            'There was some other kind of exception
            txtMessage.Text = ex.Message
        Finally
            'Release the proxy and restore the UI whether or not the call succeeded
            ws = Nothing
            Me.Cursor = Cursors.Default
            btnConnect.Enabled = True
        End Try

    End Sub

    And a sweet tutorial I used for using WSE: http://aspnet.4guysfromrolla.com/articles/071404-1.aspx

  4. #4

    Thread Starter
    I'm about to be a PowerPoster! kleinma's Avatar
    Join Date
    Nov 2001
    Location
    NJ - USA (Near NYC)
    Posts
    23,373

    Re: [2005] Web Service Security options

    Thanks Bill,
    I am sorting out the obfuscation and cleaning up the windows app that consumes the service, so as soon as I am done with that I will look to implement this and let you know how it goes.

  5. #5

    Thread Starter
    I'm about to be a PowerPoster! kleinma's Avatar
    Join Date
    Nov 2001
    Location
    NJ - USA (Near NYC)
    Posts
    23,373

    Re: [2005] Web Service Security options

    Bill, those protocols are not in the web.config by default

    Code:
        <webServices>
            <protocols>
                <add name="HttpGet"/>
                <add name="HttpPost"/>
            </protocols>
        </webServices>

    Are you saying that they SHOULD be there by default, and I can remove them to disallow browser level access to the methods?

  6. #6
    Code Monkey wild_bill's Avatar
    Join Date
    Mar 2005
    Location
    Montana
    Posts
    2,993

    Re: [2005] Web Service Security options

    I believe it is disallowed by default, just for security purposes. I have to add them to my dev sites for debugging purposes.
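
Added example (not part of any post in this thread, and not either poster's own configuration): a web.config fragment that puts the testing setup from post #3 beside a locked-down deployed setup. The `remove` entries for `HttpPostLocalhost` and `Documentation` are not mentioned in the thread; they are standard ASP.NET web service protocol names and are included here as an assumption about what the deployed service should expose.

```xml
<?xml version="1.0"?>
<!-- Added example: web.config for the directory holding the .asmx file -->
<configuration>
  <system.web>
    <webServices>
      <protocols>
        <!-- Testing setup from post #3 (dev sites only): lets a browser
             invoke methods with plain GET/POST requests.
        <add name="HttpGet"/>
        <add name="HttpPost"/>
        -->

        <!-- Deployed setup: only SOAP callers can run methods. -->
        <remove name="HttpGet"/>
        <remove name="HttpPost"/>
        <!-- Browser test form for requests made on the server itself -->
        <remove name="HttpPostLocalhost"/>
        <!-- Auto-generated page that lists the methods at the .asmx URL;
             removing it also stops ?wsdl from being served -->
        <remove name="Documentation"/>
      </protocols>
    </webServices>
  </system.web>
</configuration>
```

With `Documentation` removed the service no longer serves WSDL, so the web reference in winapp has to be generated against a development copy before this file is deployed.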

  7. #7

    Thread Starter
    I'm about to be a PowerPoster! kleinma's Avatar
    Join Date
    Nov 2001
    Location
    NJ - USA (Near NYC)
    Posts
    23,373

    Re: [2005] Web Service Security options

    You mean you debug your web services in the browser? I usually just debug them in Visual Studio. Do you gain something by debugging them in the browser?

  8. #8
    Code Monkey wild_bill's Avatar
    Join Date
    Mar 2005
    Location
    Montana
    Posts
    2,993

    Re: [2005] Web Service Security options

    If I'm making a lot of changes, it's nice to be able to make a quick change, browse to my service and test it. It's also pretty slick at displaying the output. Also, I should specify that I can't debug all my web service methods on my development machine, because of third party software.
