Web Services: Secure? Asp.net

Something I can't wrap my head around is how secure web services are.

For example we're writing a desktop application that will interact with data on one of our websites as well as local data. This data is sensitive though and the last thing we want is anybody calling the web services.

I've not yet found anything that says web services have some kind of authentication method, and the only security I've seen people talk about is using certificates to encrypt the message.

I'm no guru on this and would appreciate anyone's input and perhaps a link to somewhere that will explain this in simple terms.

Thanks, Jacques

Jacques asked Jul 29 '10 14:07



1 Answer

If you are using ASP.NET to create a response / request Service, you have only 3 options:

  • ASMX
  • WCF
  • Normal .NET pages (or handlers) to process requests

As you specify Services, you can choose between ASMX and WCF (you can read the difference between ASMX and WCF in my answer here).

Keep this in mind:

ASMX is considered deprecated technology and replaced by WCF. So if you are going to start new development which requires exposing reusable services, WCF is the way to go.

These days there is a common pattern when we need to secure Services, and that's using a session key.

The Service normally has a Login method that takes a User and some kind of Password (normally hashed, salted, etc.) and returns a "ticket" with a time limit (sliding or not, meaning the period is reset on each method call or not), and all calls need to have that ticket included in the message body.

Service APIs like Magento and others use this.

Or having a pre-generated key that is given to the user / application to be used with every call.

Service APIs like Campaign Monitor and MailChimp and others use this.

The other normal way is to have the user and other credentials in the message header all the time.

Service APIs like SuperOffice CRM and others use this.

None of these services use SSL, as I would only use it if I really needed to protect the data on the "wire", keeping in mind that SSL adds to the response time on every call made.

I hope this helps

balexandre answered Oct 03 '22 02:10
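The two patterns the answer describes, the Login method that checks a salted password hash and returns a time-limited ticket (sliding or fixed), and the pre-generated key sent with every call, as an added example that is not code from the answer or from any of the APIs it names. It is written in Python so it runs stand-alone; the answer's own context is a C# WCF/ASMX service, where the same logic would sit behind the service's Login and data methods. The user store, the ten-minute lifetime, the `FakeClock`, the method names (`login`, `get_records`, `get_records_with_key`) and every key and password are constructed for the example.

```python
"""Session-ticket and API-key authentication for a request/response service.

Added example, not the answer's code. Models the answer's patterns:
  * Login checks a salted PBKDF2 hash and returns a random ticket that
    expires after TICKET_LIFETIME_SECONDS, reset on each call if sliding.
  * A pre-generated key identifies an application on every call.
The clock is injectable so expiry can be exercised without sleeping.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000            # constructed choice; tune for your hardware
TICKET_LIFETIME_SECONDS = 600      # constructed choice: ten minutes per ticket


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 so the store never holds the password itself."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class FakeClock:
    """Deterministic stand-in for time.time(), constructed for the example."""

    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class TicketService:
    """Server side: login() issues a ticket; data methods demand one."""

    def __init__(self, sliding: bool = True, clock: Callable[[], float] = time.time) -> None:
        self.sliding = sliding                                   # reset expiry per call?
        self.clock = clock
        self._users: Dict[str, Tuple[bytes, bytes]] = {}         # user -> (salt, digest)
        self._tickets: Dict[str, Tuple[str, float]] = {}         # ticket -> (user, expires_at)
        self._api_keys: Dict[str, str] = {}                      # key -> application name

    def register(self, user: str, password: str) -> None:
        self._users[user] = hash_password(password)

    def issue_api_key(self, application: str) -> str:
        key = secrets.token_urlsafe(32)                          # 256 bits of randomness
        self._api_keys[key] = application
        return key

    def login(self, user: str, password: str) -> Optional[str]:
        record = self._users.get(user)
        if record is None:
            hash_password(password, b"\x00" * 16)                # same cost as a real check
            return None
        salt, stored = record
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(candidate, stored):           # constant-time compare
            return None
        ticket = secrets.token_urlsafe(32)
        self._tickets[ticket] = (user, self.clock() + TICKET_LIFETIME_SECONDS)
        return ticket

    def _authenticate(self, ticket: Optional[str]) -> Optional[str]:
        """Return the ticket's owner, or None if unknown or expired."""
        if ticket is None or ticket not in self._tickets:
            return None
        user, expires_at = self._tickets[ticket]
        now = self.clock()
        if now >= expires_at:
            del self._tickets[ticket]                            # drop dead tickets
            return None
        if self.sliding:
            self._tickets[ticket] = (user, now + TICKET_LIFETIME_SECONDS)
        return user

    def get_records(self, ticket: Optional[str]) -> dict:
        """Protected method: the ticket travels in the message body."""
        user = self._authenticate(ticket)
        if user is None:
            return {"status": "denied"}
        return {"status": "ok", "owner": user, "records": ["row-1", "row-2"]}

    def get_records_with_key(self, key: str) -> dict:
        """Same data, authenticated by a pre-generated application key."""
        for stored, application in self._api_keys.items():
            if hmac.compare_digest(stored, key):                 # no early-exit on mismatch
                return {"status": "ok", "owner": application, "records": ["row-1", "row-2"]}
        return {"status": "denied"}
```

Either credential is a bearer token: whoever captures a ticket or key on the wire can replay it for its lifetime, so a sliding window should still be paired with an absolute maximum age, and in practice both travel over HTTPS even when the payload itself is not considered sensitive.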