Private Webservice
-
I have a c++ application that needs to retrieve information from my company's server. I decided to build a c# webservice. So far it works fine. I need to add some security since I pass userid and password. But my main concern is that this webservice will only be used by our applications and I don't want it to be public to others, so that they cannot view the schema and cannot see the page that shows how to make a HTTP GET/POST and SOAP request. Is there a way to make the webservice not available to public ? or at least hide the schema/request pages ?
-
I have a c++ application that needs to retrieve information from my company's server. I decided to build a c# webservice. So far it works fine. I need to add some security since I pass userid and password. But my main concern is that this webservice will only be used by our applications and I don't want it to be public to others, so that they cannot view the schema and cannot see the page that shows how to make a HTTP GET/POST and SOAP request. Is there a way to make the webservice not available to public ? or at least hide the schema/request pages ?
If you're looking to add security to your web services, take a look at the Microsoft Web Service Enhancements (WSE)[^]. 2.0 was recently released. With a few simple changes to your server and clients, you can use strong authentication protocols (or a simple username/password, though I recommend at least hashing the password using MD5 or SHA1, which is easily supported by the WSE), encryption, signatures, addressing (routing), etc. If you want it private, simply don't expose it to the public. Unless it needs to be on your Internet web server, just use it on your intranet. If you need to put it on your Internet server (say, for an extranet) then use IP address blocking (IIS feature) or features in the WSE. The latter won't prevent them from seeing the WSDL, but unless your business is about the WSDL schema and not the data that's transferred, this really shouldn't be a problem.
Microsoft MVP, Visual C# My Articles
-
If you're looking to add security to your web services, take a look at the Microsoft Web Service Enhancements (WSE)[^]. 2.0 was recently released. With a few simple changes to your server and clients, you can use strong authentication protocols (or a simple username/password, though I recommend at least hashing the password using MD5 or SHA1, which is easily supported by the WSE), encryption, signatures, addressing (routing), etc. If you want it private, simply don't expose it to the public. Unless it needs to be on your Internet web server, just use it on your intranet. If you need to put it on your Internet server (say, for an extranet) then use IP address blocking (IIS feature) or features in the WSE. The latter won't prevent them from seeing the WSDL, but unless your business is about the WSDL schema and not the data that's transferred, this really shouldn't be a problem.
Microsoft MVP, Visual C# My Articles
Heath Stewart wrote: If you're looking to add security to your web services, take a look at the Microsoft Web Service Enhancements (WSE)[^]. The client application is built under VC++ 6.0. So, for now I am using sockets to connnect and retrieve the information. I was thinking about using SSL socket. I think there are some examples on codeproject. Heath Stewart wrote: If you want it private, simply don't expose it to the public. Unless it needs to be on your Internet web server, just use it on your intranet The client application is a Windows application that access the service through the Internet. It connects to our company's Web server and retrieve some data to process/display. My main concern is that service should only be available to the client applications and not to the public. If I could hide the shema returned when you point a browser to the .asmx file, that would be a good start. Then there is the ?WSDL. It looks like there is no easy way and will have to write a .ASP page which does basically the same thing. The problem is returning the XML code, with a webservice it's all very easy. Possible solution: Have the .ASP page call the webservice, which would not be public, and simple return the data. The .ASP would just act as a bridge between client and webservice.
-
Heath Stewart wrote: If you're looking to add security to your web services, take a look at the Microsoft Web Service Enhancements (WSE)[^]. The client application is built under VC++ 6.0. So, for now I am using sockets to connnect and retrieve the information. I was thinking about using SSL socket. I think there are some examples on codeproject. Heath Stewart wrote: If you want it private, simply don't expose it to the public. Unless it needs to be on your Internet web server, just use it on your intranet The client application is a Windows application that access the service through the Internet. It connects to our company's Web server and retrieve some data to process/display. My main concern is that service should only be available to the client applications and not to the public. If I could hide the shema returned when you point a browser to the .asmx file, that would be a good start. Then there is the ?WSDL. It looks like there is no easy way and will have to write a .ASP page which does basically the same thing. The problem is returning the XML code, with a webservice it's all very easy. Possible solution: Have the .ASP page call the webservice, which would not be public, and simple return the data. The .ASP would just act as a bridge between client and webservice.
Everything from handling requests to .asmx?WSDL to generating the WSDL itself (as well as the "human-readable" HTML output for a service) is configurable. Spend some time reading the class library documentation for the
System.Web.Servicesand child namespaces.Microsoft MVP, Visual C# My Articles
-
I have a c++ application that needs to retrieve information from my company's server. I decided to build a c# webservice. So far it works fine. I need to add some security since I pass userid and password. But my main concern is that this webservice will only be used by our applications and I don't want it to be public to others, so that they cannot view the schema and cannot see the page that shows how to make a HTTP GET/POST and SOAP request. Is there a way to make the webservice not available to public ? or at least hide the schema/request pages ?
Here's what I found: Since this webservice will only be used by some client applications that already knows the schema, to hide the documentation of the web service, there is a key that can be set in the web.config file.
<?xmlversion="1.0" encoding="utf-8"?> < <webServices> <protocols> <remove name="Documentation"/> </protocols> </webServices> </system.web> </configuration> -
Here's what I found: Since this webservice will only be used by some client applications that already knows the schema, to hide the documentation of the web service, there is a key that can be set in the web.config file.
<?xmlversion="1.0" encoding="utf-8"?> < <webServices> <protocols> <remove name="Documentation"/> </protocols> </webServices> </system.web> </configuration>You can also set a custom page to be displayed for the WSDL documentation:
<?xmlversion="1.0"encoding="utf-8"?> <configuration> <system.web> <webServices> <wsdlHelpGeneratorhref="helpPage.aspx"/> </webService> </system.web> </configuration>
It can also be a .html page. So you can display what ever you want. A third possibility is to process the request from Application_BeginRequest function. You can check if the request has a ?wsdl to it and throw a http exception. All these examples can be found here: http://www.15seconds.com/issue/040609.htm