I've got a WebService project that we've created to expose some methods to our clients (specifically if they call one of the methods it will trigger an event on our servers) that they can call in their own C# projects (some clients will be doing web form apps and some will be doing it on their internal site).
Due to the nature of the method, one of the parameters is a string which identifies who the client is (so we can trigger the appropriate event) and I'm not overly confident this is enough to prevent people from sending random data until they stumble upon one of the valid identifiers.
What is the standard way of protecting something like this from abuse? Most of the tutorials I find don't seem to mention anything about keeping them secure. Thanks!
Security is critical to web services. However, neither XML-RPC nor SOAP specifications make any explicit security or authentication requirements.
Web Services Security (WS Security) is a specification that defines how security measures are implemented in web services to protect them from external attacks. It is a set of protocols that ensure security for SOAP-based messages by implementing the principles of confidentiality, integrity and authentication.
Authentication and key management. Packaging of attachments to messages. XML Packaging. Reliable messaging (delivery, non-duplication, ordering) for the case in which the transport layer (such as TCP under the HTTP) does not provide this.
Daniel Vassallo is correct. You will want to use an X509 certificate to verify that the person calling the service is legitimate. However this does raise the complexity of the solution a lot. You will want to use Microsoft WSE and likely a purchased 3rd party component.
Without that, you can use a user name and password passed in. However, there would need to be some shared algorithm to hash the information based on date, time, etc. Without the hash, you open yourself up to a hack much more than not, even with SSL, as a dictionary attack could eventually break in.
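The following is an added example, not code from any of the posts above, of one way to realize the "shared algorithm to hash the information based on date, time" idea from the last answer: the client signs each call with HMAC-SHA256 under a per-client secret, and the server rejects unknown identifiers, stale timestamps and bad signatures. The class and method names, the sample secret, the `clientId|method|timestamp` message layout and the 5-minute window are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added illustration; every name, key and the 5-minute window are assumptions.
static class SignedRequest
{
    static readonly TimeSpan MaxSkew = TimeSpan.FromMinutes(5);

    // Constructed sample key store: client id -> per-client secret shared out of band.
    static readonly Dictionary<string, byte[]> Secrets = new Dictionary<string, byte[]>
    {
        { "client-a", Encoding.UTF8.GetBytes("constructed-sample-secret") }
    };

    // Client side: HMAC-SHA256 over "clientId|method|timestamp" with the shared secret.
    public static string Sign(byte[] secret, string clientId, string method, DateTime utc)
    {
        string message = clientId + "|" + method + "|" + utc.ToString("o");
        using (var hmac = new HMACSHA256(secret))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(message)));
    }

    // Server side: reject unknown clients, stale timestamps and wrong signatures.
    public static bool Verify(string clientId, string method, DateTime utc, string signature, DateTime nowUtc)
    {
        byte[] secret;
        if (!Secrets.TryGetValue(clientId, out secret)) return false;
        if ((nowUtc - utc).Duration() > MaxSkew) return false;

        byte[] expected = Encoding.UTF8.GetBytes(Sign(secret, clientId, method, utc));
        byte[] actual = Encoding.UTF8.GetBytes(signature ?? "");
        // Compare without an early exit so timing does not reveal how many bytes matched.
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < expected.Length && i < actual.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    static void Main()
    {
        DateTime now = DateTime.UtcNow;
        string sig = Sign(Secrets["client-a"], "client-a", "TriggerEvent", now);
        Console.WriteLine(Verify("client-a", "TriggerEvent", now, sig, now));               // valid request
        Console.WriteLine(Verify("client-a", "TriggerEvent", now.AddHours(-1), sig, now));  // stale timestamp
        Console.WriteLine(Verify("guess-123", "TriggerEvent", now, sig, now));              // unknown client
    }
}
```

With this scheme the client identifier alone no longer triggers the event, because a caller must also hold that client's secret. A request captured inside the time window can still be replayed, so the service should run over SSL and may additionally track recently seen timestamps per client.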