Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

asmx web service: client authentication

Tags:

c#

.net

authentication

web-services

asmx

I have a web service with a bunch of methods that I'd like to somewhat secure. The data is not really all that confidential, but I'd still like to restrict access to only those who use a certain user id and password that's stored in the web services web.config file. A C# Windows service client will be calling this web service once a day or week.

Can anyone post a simple example of how I can do this? Thanks in advance.

like image 461
zSynopsis Avatar asked Jul 07 '09 13:07

zSynopsis

2 Answers

This is pretty similar to my question: "What should we implement to authorize clients to use our web service?"

We ended up not publishing the WSDL and only serving up the service via https and requiring basic authentication. DON'T use basic auth if you can't force all clients to use https.

If this is a .net web service then here is the config file entry to keep the wsdl from being published.

  <system.web>
    <webServices>
      <protocols>
        <remove name="Documentation" />
      </protocols>
    </webServices>
  </system.web>

When you goto the page, you'll receive an error message similar to the message you'd get if you tried to manually pull down a web.config from a site. As Steven points out, this is security through obscurity and should NOT be used by itself to secure your web service. However, when used in addition to basic auth + https, its a nice little extra.

Client Side Code:

To access this web service from a client, add your web reference the normal way and in the calling code (assuming your web reference is named WebRef).

WebRef.Url = "url";
WebRef.Credentials = new System.Net.NetworkCredential("userid", "password");

Also, you may want to look into WebRef.PreAuthenticate to save some round trips. Just be warned that you'll have a fun time testing that out if you're behind a corporate proxy. Proxies are used via the WebRef by

WebRef.Proxy = new WebProxy("url");
WebRef.Proxy.Credentials = new System.Net.NetworkCredential("userid", "password");
like image 172
Allen Rice Avatar answered Oct 07 '22 12:10

Allen Rice

There are three general approaches to ad hoc SOAP security:

  1. The first is to pass the authentication information with each call.
  2. The second is to pass it in once to receive a session ID that is then passed in with each call.
  3. The third is essentially the same as the second, only using cookies.

Of the three, I recommend the first method, which does not require the server to maintain state, but can be just as fast due to caching.

like image 3
Steven Sudit Avatar answered Oct 07 '22 14:10

Steven Sudit
Sign in to Comment

Related questions

OmniSharp intellisense not recognizing new class file
Defining a property in a record twice
Why the tuple-type list element's value cannot be modified?
Does Mono support System.Drawing and System.Drawing.Printing? [closed]
How can an application use multiple cores or CPUs in .NET or Java?
Combining two SyndicationFeeds
Reading RAW image files as GDI+ bitmaps [closed]
Running Command line from an ASPX page, and returning output to page
How to suppress XML tag for list property
IIS7, RewritePath and IIS log files
WCF and Multiple Host Headers
Retrieve Windows Experience Rating
Python-like list unpacking in C#?
Unit testing dependent methods
JQuery/WCF without ASP.NET AJAX:
Building a highly modular business application with WPF?
Migrating 'Handles' from VB.NET to C#
What is /optimize C# compiler key intended for?
SqlBulkCopy Error handling / continue on error
How to access inherited controls in the winforms designer

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!