Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Web Services: Secure? Asp.net

Tags:

security

asp.net

web-services

Something I can't wrap my head around is how secure web services are.

For example we're writing a desktop application that will interact with data on one of our websites as well as local data. This data is sensitive though and the last thing we want is anybody calling the web services.

I've not yet found anything that says web services has some kind of authentication methods and the only security I've seen people talk about is using certificates to encrypt the message.

I'm no guru on this and would appreciate anyone's input and perhaps a link to somewhere that will explain this in simple terms.

Thanks Jacques

like image 432
Jacques Avatar asked Jul 29 '10 14:07

Jacques

People also ask

Which web service is used for security?

HTTPS is the secure way of communication between the client and the server over the web. HTTPS makes use of the Secure Sockets layer or SSL for secure communication.

Does web service can be made secure?

Web Service Security RequirementsMessage-level security to ensure confidentiality by digitally encrypting message parts; integrity using digital signatures; and authentication by requiring username, X. 509, or SAML tokens.

Is ASP.NET secure?

ASP.NET security works in conjunction with Internet Information Services (IIS) security and includes authentication and authorization services to implement the ASP.NET security model. ASP.NET also includes a role-based security feature that you can implement for both Windows and non-Windows user accounts.

1 Answers

If you are using ASP.NET to create a response / request Service you have only 3 options

  • ASMX
  • WCF
  • Normal .NET pages (or handlers) to process requests

as you specify Services, you can choose between ASMX and WCF then (you can read the difference between ASMX and WCF in my answer here)

keep in mind this

ASMX is considered deprecated technology and replaced by WCF. So if you are going to start new development which requires exposing reusable services, WCF is the way to go.

This days, there is a common pattern when we need to secure Services, and that's using a session key.

The Service normally has a Method for Login where it gets a User and some kind of Password (normally hashed, salted, etc) and that returns a "ticket" that has a limit of time (slided or not - means per each call to a method the period get's reseted or not), and all calls need to have that ticket included in the message body.

Services API like Magento and others uses this.

Or having a pre generated key that is given to the user / application to be used with every call

Services API like Campaign Monitor and MailChimp and others uses this.

The other normal way is to have the user and other credential in the message header all the time.

Services API like SuperOffice CRM and others uses this.

None of this services uses SSL, as I would only use if I really needed to protected the data in the "wire" keeping in mind that SSL expands the response time on every call made.

I hope this helps

like image 161
balexandre Avatar answered Oct 03 '22 02:10

balexandre
Sign in to Comment

Related questions

ASP.net user data getting crosses between users accessing objects
How can I get started with SharpSVN?
Using the browser's back button after SignOut() allows access to secure page (ASP.NET MVC)
How can I protect/obfuscate/etc an ASP.NET MVC app's source code when deployed?
SCOPE_IDENTITY is not working in asp.net?
How to access the value of an ASPxTextBox from JavaScript
Is it possible to reference a .NET assembly from ColdFusion?
How to set DropDownList selected item in markup?
schedule Email in asp.net, C#
How reliable is the MaxLength property of the TextBox-Control?
ASP.NET Login failed for user 'NT AUTHORITY\NETWORK SERVICE'
Free PDF viewers in ASP.net
Standard way to persist data between requests in ASP.NET-MVC
How to handle form submission ASP.NET MVC Back button?
What is the ASP.NET equivalent to memcached in PHP?
Random String Generator creates same string on multiple calls
How do I determine the following default web config values?
How do you identify authentcated user in WCF?
<%: %> brackets for HTML Encoding in ASP.NET 4.0
Session is null in IRouteHandler.GetHttpHandler with Asp.net routing

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!