asmx web service: client authentication

I have a web service with a bunch of methods that I'd like to somewhat secure. The data is not really all that confidential, but I'd still like to restrict access to only those who use a certain user id and password that's stored in the web services web.config file. A C# Windows service client will be calling this web service once a day or week.

Can anyone post a simple example of how I can do this? Thanks in advance.

asked Jul 07 '09 13:07 by zSynopsis


2 Answers

This is pretty similar to my question: "What should we implement to authorize clients to use our web service?"

We ended up not publishing the WSDL and only serving up the service via https and requiring basic authentication. DON'T use basic auth if you can't force all clients to use https.

If this is a .net web service then here is the config file entry to keep the wsdl from being published.

  <system.web>
    <webServices>
      <protocols>
        <remove name="Documentation" />
      </protocols>
    </webServices>
  </system.web>

When you go to the page, you'll receive an error message similar to the message you'd get if you tried to manually pull down a web.config from a site. As Steven points out, this is security through obscurity and should NOT be used by itself to secure your web service. However, when used in addition to basic auth + https, it's a nice little extra.

Client Side Code:

To access this web service from a client, add your web reference the normal way and, in the calling code (assuming your web reference is named WebRef), set:

// Point the generated proxy at the service and attach the credentials that
// will be sent as the HTTP Basic Authorization header.
WebRef.Url = "url";
WebRef.Credentials = new System.Net.NetworkCredential("userid", "password");

Also, you may want to look into WebRef.PreAuthenticate to save some round trips. Just be warned that you'll have a fun time testing that out if you're behind a corporate proxy. Proxies are used via the WebRef by:

// Route the calls through an HTTP proxy; the proxy gets its own credentials,
// separate from the ones sent to the web service.
WebRef.Proxy = new System.Net.WebProxy("url");
WebRef.Proxy.Credentials = new System.Net.NetworkCredential("userid", "password");
answered Oct 07 '22 12:10 by Allen Rice
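The "basic auth + https" setup from the answer above, written out as an added example (not code from the answer or from any project). It assumes a hypothetical ASMX service named FeedService on which IIS performs basic authentication with anonymous access disabled, and a client proxy generated under a web reference named WebRef; the namespace URL and method name are placeholders. The service double-checks the two preconditions basic auth depends on (TLS on the wire, an authenticated principal) instead of trusting the IIS configuration alone, and the client refuses to send credentials to anything but an https URL:

```csharp
using System;
using System.Net;
using System.Web.Services;
using System.Web.Services.Protocols;

// ---- Server side (hypothetical FeedService.asmx) ----
[WebService(Namespace = "http://example.invalid/daily-feed")]   // placeholder namespace
public class FeedService : WebService
{
    [WebMethod]
    public string GetDailyReport()
    {
        // Basic auth only base64-encodes the password, so a request that arrived over
        // plain HTTP has already leaked it; refuse rather than answer.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("HTTPS is required.", SoapException.ClientFaultCode);

        // IIS is expected to have validated the credentials before the method runs.
        // If anonymous access was accidentally re-enabled, this check still holds the line.
        if (User == null || !User.Identity.IsAuthenticated)
            throw new SoapException("Authentication required.", SoapException.ClientFaultCode);

        return "report for " + User.Identity.Name;
    }
}

// ---- Client side (the once-a-day Windows service) ----
public static class FeedClient
{
    // Assumes the generated proxy class is WebRef.FeedService.
    public static string FetchReport(string serviceUrl, string userId, string password)
    {
        // Never let a config typo downgrade the call to http.
        if (!serviceUrl.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Refusing to send basic-auth credentials over plain HTTP.");

        var proxy = new WebRef.FeedService();
        proxy.Url = serviceUrl;
        proxy.Credentials = new NetworkCredential(userId, password);
        // Send the Authorization header on the first request instead of waiting for a 401.
        proxy.PreAuthenticate = true;
        return proxy.GetDailyReport();
    }
}
```

Keeping the https check in the service as well as in IIS means a later change to the site bindings cannot silently turn the password into plaintext on the wire.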


There are three general approaches to ad hoc SOAP security:

  1. The first is to pass the authentication information with each call.
  2. The second is to pass it in once to receive a session ID that is then passed in with each call.
  3. The third is essentially the same as the second, only using cookies.

Of the three, I recommend the first method, which does not require the server to maintain state, but can be just as fast due to caching.

answered Oct 07 '22 14:10 by Steven Sudit
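The first approach in the answer above (credentials passed with every call, no server-side session) maps directly onto an ASMX SoapHeader. The following is an added example, not code from the answer or from any project; it assumes a hypothetical FeedService with placeholder namespace and method name, and appSettings keys named ServiceUserId and ServicePassword in web.config, which are invented here to match the questioner's requirement of storing the expected user id and password in web.config. The check reads the header on each call, compares both fields in constant time, and returns one generic fault regardless of which field was wrong:

```csharp
using System;
using System.Configuration;
using System.Text;
using System.Web.Services;
using System.Web.Services.Protocols;

// The credential block carried in the SOAP envelope on every request.
public class AuthHeader : SoapHeader
{
    public string UserId;
    public string Password;
}

[WebService(Namespace = "http://example.invalid/daily-feed")]   // placeholder namespace
public class FeedService : WebService
{
    // ASMX fills this field from the incoming <AuthHeader> element before the method runs.
    public AuthHeader Authentication;

    [WebMethod]
    [SoapHeader("Authentication", Required = true)]
    public string GetDailyReport()
    {
        // The header carries a reusable secret, so the transport must protect it.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("HTTPS is required.", SoapException.ClientFaultCode);

        if (Authentication == null ||
            !CredentialCheck.IsValid(Authentication.UserId, Authentication.Password))
        {
            // Same message for a bad user id and a bad password: no enumeration hint.
            throw new SoapException("Authentication failed.", SoapException.ClientFaultCode);
        }
        return "report";
    }
}

public static class CredentialCheck
{
    // Expected values come from web.config <appSettings> (hypothetical key names):
    //   <add key="ServiceUserId" value="..."/>
    //   <add key="ServicePassword" value="..."/>
    public static bool IsValid(string userId, string password)
    {
        string expectedUser = ConfigurationManager.AppSettings["ServiceUserId"] ?? "";
        string expectedPass = ConfigurationManager.AppSettings["ServicePassword"] ?? "";
        // Evaluate both comparisons (non-short-circuit &) so timing does not reveal which failed.
        bool userOk = FixedTimeEquals(userId ?? "", expectedUser);
        bool passOk = FixedTimeEquals(password ?? "", expectedPass);
        return userOk & passOk;
    }

    // Runtime depends only on the lengths, not on the first differing character.
    static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a);
        byte[] y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        int n = Math.Min(x.Length, y.Length);
        for (int i = 0; i < n; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
}

// Client side, using the proxy generated from this service under a web reference named WebRef.
// wsdl.exe exposes the header as a property named after the header type plus "Value".
public static class FeedClient
{
    public static string FetchReport(string serviceUrl, string userId, string password)
    {
        var proxy = new WebRef.FeedService();
        proxy.Url = serviceUrl;                       // must be an https URL, see the service check
        proxy.AuthHeaderValue = new WebRef.AuthHeader { UserId = userId, Password = password };
        return proxy.GetDailyReport();
    }
}
```

Because nothing about the caller is kept between requests, the service can be restarted or load-balanced freely; if the comparison ever became expensive (for example, a password hash instead of the plaintext the question describes), the cached-validation idea from the answer would apply to the result of IsValid, keyed on the submitted credentials.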