Making sure that only MY application can use MY webservice?
-
Hi. I have a webservice - and I want to make sure that only MY application is using it. Is this possible, in a secure way? Thanks, Cormac
-
It helps if your webservice isn't exposed at all. That means get rid of all disco files on your web server. In your web.config you can add this code: That causes your webservice to only allow soap protocols. This means if you access your asmx file you would see links you can click. Finally, you could have your application pass some sort of key into each request. Of course, if you don't use ssl the data could always be read. I think if your webservice isn't exposed through disco files and it rejects http protocol you probably have 90%. To go the whole way you would have to have ssl and some sort of key. Hope that helps. Ben
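The web.config snippet Ben refers to did not survive in the thread. The excerpt below is an added example, not Ben's code, showing the ASP.NET `<webServices>/<protocols>` settings that restrict an ASMX service to SOAP. The names `HttpGet` and `HttpPost` are the ASMX query-string and form-post bindings, not the HTTP verbs, which is why a SOAP call (itself an HTTP POST, recognised by its `Content-Type` of `text/xml` or `application/soap+xml` plus a `SOAPAction` header) still gets through. The file path is assumed to be the application's own Web.config.

```xml
<!-- Added example (not the snippet from the post): Web.config excerpt for an
     ASP.NET ASMX web service. The <protocols> list says which bindings the
     service answers. Removing HttpGet and HttpPost disables the simple
     query-string / form-post bindings; removing Documentation disables the
     browsable .asmx help page together with its ?WSDL and ?DISCO output.
     HttpSoap and HttpSoap12 are left enabled, so normal SOAP clients work. -->
<configuration>
  <system.web>
    <webServices>
      <protocols>
        <remove name="HttpGet" />
        <remove name="HttpPost" />
        <remove name="Documentation" />
      </protocols>
    </webServices>
  </system.web>
</configuration>
```

This only narrows the surface that describes the service; it does not identify the caller. Anyone who can run the shipped client can observe its SOAP traffic and reconstruct the contract, so the request still needs to be authenticated and validated server-side under the user's own credentials.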
-
That's a good idea, I never thought of removing the WSDL! I am already using a username/password type of authentication, which I made myself, and it will be operating over SSL also. But, I am worried that there is a possibility of my users creating their OWN application, and utilising the web service (with their own credentials), which would not implement the logic based in my client application, and therefore wreak havoc. "To go the whole way you would have to have ssl and some sort of key." Even then, hard coding a key into a .NET app is really dodgy - too easy to decompile. Maybe I'm being too cautious? Regards, Cormac Redmond
-
I'm confused. Doesn't SOAP just wrap itself in HTTP? If POST and GET are blocked, how is SOAP not? What is the difference in the headers? P.S., I just tried it, and it blocked my SOAP requests (which I expected). Can you explain what you meant? Thanks, Cormac -- modified at 22:58 Monday 30th April, 2007
-
You can try this instead: To leave WSDL file generation on for Web services within a Web application, but not provide any human readable information regarding the Web services, you can add an element to the Web.config file for the Web application and set the href attribute to a blank HTML page you have created. The following code example is an excerpt of a Web.config file that sets the service help page to a MyBlank.htm file in the docs folder beneath the folder containing the Web.config file. Ben
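The code example Ben mentions is missing from the thread; the excerpt below is an added one, not his, showing the `<wsdlHelpGenerator>` element that swaps the human-readable .asmx help page for a blank page while leaving `?WSDL` generation on. The `docs/MyBlank.htm` path is the one named in the post and is assumed to exist relative to the folder holding this Web.config.

```xml
<!-- Added example (not the snippet from the post): Web.config excerpt that
     replaces the generated .asmx help page with a blank page. WSDL is still
     served on request (service.asmx?WSDL); only the browsable description
     disappears. The href is resolved relative to this Web.config's folder. -->
<configuration>
  <system.web>
    <webServices>
      <wsdlHelpGenerator href="docs/MyBlank.htm" />
    </webServices>
  </system.web>
</configuration>
```

Because the WSDL remains retrievable, this hides less than the protocols-removal approach; it is a presentation change rather than an access control, and the authorisation decision still has to be made per request on the server.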
-
Make it a class?
Brad Australian - Me on "Public interest" If you actually read this let me know.
?
-
When I am talking about a key I am talking about using a private key for signing. If you are already planning on using a username and password along with ssl I think all you need to do is remove the ability of non users to see your webservice. Ben
Yes, but there is still the risk of a registered user creating their own application.
-
If you are really that concerned about this, you could pass a custom xml structure. That way if the correct xml structure is not passed in the webmethod won't work. This adds a level of complexity that you may not want to deal with. Ben
What would that do that a tech-savvy user couldn't?
-
Well, if normally you just have web methods where you pass in things like username, password, orderitem, quantity etc., that is pretty obvious. If you have one parameter called param1 which has to be XML that contains all the parameters for that method, that would be a bit harder to figure out from anything you could get from the disco file or anything else. Ben
-
I think he is saying that you could embed the functionality of the webservice into the application itself, since it is the service's only consumer anyway.
"Throughout human history, we have been dependent on machines to survive. Fate, it seems, is not without a sense of irony. " - Morpheus "Real men use mspaint for writing code and notepad for designing graphics." - Anna-Jayne Metcalfe
-
No, the web server is talking to the database.