Making sure that only MY application can use MY webservice?
-
Hi. I have a webservice - and I want to make sure that only MY application is using it. Is this possible, in a secure way? Thanks, Cormac
-
Hi. I have a webservice - and I want to make sure that only MY application is using it. Is this possible, in a secure way? Thanks, Cormac
Have a look at WebService Authentication & Authentication for webservices on CodeProject
-
Have a look at WebService Authentication & Authentication for webservices on CodeProject
Thanks. Unfortunately, those techniques rely on username and password credentials. I need to prevent my users from being able to build their own applications and then using my web service with their username and password. Regards, Cormac
-
Thanks. Unfortunately, those techniques rely on username and password credentials. I need to prevent my users from being able to build their own applications and then using my web service with their username and password. Regards, Cormac
Instead of using the username and password of the users, you can have a username hardcoded into your application. The users will not be able to get the username unless they have access to the code and even if they have access to the code, the password could be encrypted.
-
Thanks. Unfortunately, those techniques rely on username and password credentials. I need to prevent my users from being able to build their own applications and then using my web service with their username and password. Regards, Cormac
Your other option is to see if you can get the IP address of the incoming request, and validate it. Of course, your users can decompile your code and change any checks you do, so.....
Christian Graus - Microsoft MVP - C++ Metal Musings - Rex and my new metal blog "I am working on a project that will convert a FORTRAN code to corresponding C++ code.I am not aware of FORTRAN syntax" ( spotted in the C++/CLI forum )
-
Instead of using the username and password of the users, you can have a username hardcoded into your application. The users will not be able to get the username unless they have access to the code and even if they have access to the code, the password could be encrypted.
Thanks for your suggestion. However, this is not a solution; it is too easy to decompile .NET applications. Encrypting a password just introduces another problem: the encryption key and how to 'hide' that. Hardcoding is not the answer. Unfortunately, I can't foresee any satisfactory solution.
-
Your other option is to see if you can get the IP address of the incoming request, and validate it. Of course, your users can decompile your code and change any checks you do, so.....
Christian Graus - Microsoft MVP - C++ Metal Musings - Rex and my new metal blog "I am working on a project that will convert a FORTRAN code to corresponding C++ code.I am not aware of FORTRAN syntax" ( spotted in the C++/CLI forum )
Yeah, plus my application needs to be usable from anywhere. I am implementing username/password authentication, but I'm worried my users could create their own application and utilise the web service (using their credentials), and do some malicious things. In all honesty it'd probably never happen - but it's discouraging not to be able to solve this problem.
-
Yeah, plus my application needs to be usable from anywhere. I am implementing username/password authentication, but I'm worried my users could create their own application and utilise the web service (using their credentials), and do some malicious things. In all honesty it'd probably never happen - but it's discouraging not to be able to solve this problem.
Then you have to defend your application from dodgy input. You have to ensure that your webservice is strict on validating the inputs. That will minimise any damage that may occur if someone does find a way through the authentication process.
Upcoming events: * Glasgow: Introduction to AJAX (2nd May), SQL Server 2005 - XML and XML Query Plans, Mock Objects, SQL Server Reporting Services... Never write for other people. Write for yourself, because you have a passion for it. -- Marc Clifton My website
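A sketch of the strict server-side validation suggested in the reply above, added here as an example and not code from the thread or from Cormac's service. The `TransferRequest` operation, its field rules and the ownership table are hypothetical. It also goes one step beyond input validation: it checks the request against the identity the server authenticated, so a custom client using valid credentials can do no more than the official client could.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Hypothetical operation and rules; the thread does not describe the real service.
public sealed class TransferRequest
{
    public string FromAccount, ToAccount, Memo;
    public decimal Amount;
}

public static class TransferGate
{
    static readonly Regex AccountId = new Regex(@"\AACC-[0-9]{6}\z", RegexOptions.CultureInvariant);
    const decimal MaxAmount = 5000m;

    // Constructed ownership table standing in for a server-side database lookup.
    static readonly Dictionary<string, string> Owner = new Dictionary<string, string>
    {
        { "ACC-000101", "cormac" }, { "ACC-000202", "alice" }
    };

    // 'user' is the identity the server authenticated, never a field sent by the client.
    public static List<string> Check(string user, TransferRequest r)
    {
        var errors = new List<string>();
        if (r == null) { errors.Add("missing request"); return errors; }
        if (r.FromAccount == null || !AccountId.IsMatch(r.FromAccount)) errors.Add("bad FromAccount");
        if (r.ToAccount == null || !AccountId.IsMatch(r.ToAccount)) errors.Add("bad ToAccount");
        if (r.Amount <= 0m || r.Amount > MaxAmount || decimal.Round(r.Amount, 2) != r.Amount)
            errors.Add("bad Amount");
        if (r.Memo != null && (r.Memo.Length > 140 || !Regex.IsMatch(r.Memo, @"\A[\w .,'-]*\z")))
            errors.Add("bad Memo");
        // Ownership is decided from server data, so naming someone else's account is rejected.
        string owner;
        if (errors.Count == 0 && (!Owner.TryGetValue(r.FromAccount, out owner) || owner != user))
            errors.Add("FromAccount not owned by caller");
        return errors;
    }

    public static void Main()
    {
        // Constructed requests: one the official client would send, one from a hand-built client.
        var ok = new TransferRequest { FromAccount = "ACC-000101", ToAccount = "ACC-000202", Amount = 25.50m, Memo = "rent" };
        var forged = new TransferRequest { FromAccount = "ACC-000202", ToAccount = "ACC-000101", Amount = 25.50m };
        Console.WriteLine(Check("cormac", ok).Count);
        Console.WriteLine(string.Join("; ", Check("cormac", forged)));
    }
}
```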