As the title already explains, I want to secure my web service. I've read that you can do this using a SOAP authentication header, but then the username and password are passed as plain text.
I was wondering what I should do to secure my web service? Examples would be great.
I have an example of a company we work with that has 2 web services: one to do the security and one to get the needed data. I don't have their side of the code, but the system looks great though:
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web.Security;

// Client side of the vendor's challenge/response login; the server side is not available.
// Shown inside a hypothetical ASP.NET page class so that Request and FormsAuthentication resolve.
public partial class LoginPage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        bool loginSuccessFull = false;

        // Knooppunt credentials come from web.config; keep that file out of source control.
        string loginID = ConfigurationManager.AppSettings["WebServiceLogin"];
        string password = ConfigurationManager.AppSettings["WebServicePass"];

        // 1. The security service proxy is created and initialised. The cookie container
        //    keeps the session cookie the server sets after a successful login.
        Security securityService = new Security();
        securityService.CookieContainer = new System.Net.CookieContainer();

        // The server answers with a one-time challenge for this login ID.
        string challenge = securityService.InitializeLogin(loginID);

        // The response is hex(SHA1(password + challenge)). The password itself never
        // travels over the wire, but anyone who sees challenge and response can still
        // guess the password offline, so the transport should be HTTPS regardless.
        string response = password + challenge;
        StringBuilder builder = new StringBuilder();
        using (SHA1 sha1 = new SHA1CryptoServiceProvider())
        {
            // Encoding.Default is the machine's ANSI code page; UTF8 would be portable,
            // but the choice must match the vendor's server (identical for ASCII passwords).
            byte[] hash = sha1.ComputeHash(Encoding.Default.GetBytes(response));
            foreach (byte b in hash)
            {
                builder.Append(b.ToString("x2"));
            }
        }

        // 2. Log in with the hashed response.
        if (securityService.Login(builder.ToString()))
        {
            string ssoToken = Request.QueryString["SSOTOKEN"];
            string ssoID = Request.QueryString["SSOID"];
            if (!String.IsNullOrEmpty(ssoToken) && !String.IsNullOrEmpty(ssoID))
            {
                // Ask the SSO web service whether the token is valid, reusing the authenticated session.
                Knooppunt.SSO.GenericSSO sso = new Knooppunt.SSO.GenericSSO();
                sso.CookieContainer = securityService.CookieContainer;
                try
                {
                    if (sso.validateSSOToken(Convert.ToInt32(ssoID), ssoToken))
                    {
                        loginSuccessFull = true;
                        // Every validated visitor is signed in under the same name "default user";
                        // the identity returned by the SSO service would be more useful here.
                        FormsAuthentication.RedirectFromLoginPage("default user", false);
                    }
                }
                catch (Exception)
                {
                    // A non-numeric SSOID or a failed service call leaves loginSuccessFull false.
                    // Swallowing the exception hides why the login failed, so log it here.
                }
            }
        }
    }
}
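The challenge/response protocol that this client code performs, modelled on both sides as an added example (Python here; not code from the question or from the vendor's service): the server hands out a random, single-use challenge with an expiry, the client answers with hex(SHA1(password + challenge)) exactly as the C# above does, and the server checks that answer in constant time. The credential store, the 30-second lifetime and the function names are assumptions; note that the design forces the server to keep the password itself, which is the scheme's main weakness.

```python
import hashlib
import hmac
import secrets
import time

# Constructed credential store. The scheme needs the password itself on the
# server, because the server must recompute SHA1(password + challenge).
USERS = {"webservice-login": "s3cret-pass"}

CHALLENGE_TTL = 30   # seconds a challenge stays valid (assumed value)
_pending = {}        # login_id -> (challenge, issued_at); one live challenge per login


def initialize_login(login_id, now=None):
    """Server side of InitializeLogin(): hand out a fresh, unpredictable challenge.
    Unknown logins get one too, so the reply does not reveal which IDs exist."""
    now = time.time() if now is None else now
    challenge = secrets.token_hex(16)  # 128 random bits, never reused
    _pending[login_id] = (challenge, now)
    return challenge


def client_response(password, challenge):
    """Client side, matching the C# above: lowercase hex of SHA1(password + challenge)."""
    return hashlib.sha1((password + challenge).encode("utf-8")).hexdigest()


def login(login_id, response, now=None):
    """Server side of Login(): accept the response only once, only before the
    challenge expires, and only if it matches the stored password."""
    now = time.time() if now is None else now
    pending = _pending.pop(login_id, None)  # consumed even on failure: no replays
    if pending is None:
        return False
    challenge, issued_at = pending
    if now - issued_at > CHALLENGE_TTL:
        return False
    password = USERS.get(login_id)
    if password is None:
        return False
    expected = client_response(password, challenge)
    # Constant-time comparison so timing does not leak how many hex digits matched.
    return response.isascii() and hmac.compare_digest(expected, response)


if __name__ == "__main__":
    c = initialize_login("webservice-login")
    r = client_response("s3cret-pass", c)
    print("login:", login("webservice-login", r))   # login: True
    print("replay:", login("webservice-login", r))  # replay: False
```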
509 certificate to a particular user. More security can be added by using a public key and a private key to encrypt and decrypt the X.509 certificate. To ensure that messages are not replayed, a time limit can be set to decline messages which arrive after a certain elapsed duration.
Web services security relies on other accepted standards such as XML digital signature and XML encryption, and takes advantage of mathematical algorithms, techniques, and existing software assets that have long been used for communication and data security on the Internet and in older secure exchanges such as ...
Confidentiality (the data exchanged is encrypted).
Message integrity (the data is checked for possible corruption).
Secure key exchange between client and server.
If it truly is a webservice, you should be using Windows Communication Foundation to generate the proxy and make the call. It makes a lot of this code much, much easier.
Honestly, it looks like the package that is used to connect to the web service that you are using (SSO?) is pretty non-standard, and does nothing more than derive from HttpWebRequest, which is VERY low-level, and too complex to use.
If you are going to secure your own web service (and you are exposing it over an HTTP channel), the easiest way is to get a digital certificate for your host and then use basic HTTP authentication over HTTPS.
You could also use other aspects of the WS-Security specifications (e.g. encoding the message, etc, etc) to secure your service.
Note that WCF supports all of these options, so you don't have to do any of this coding out of the box, and you can host it in IIS as well.
A good beginners reference to WCF is Michelle Bustamante's "Learning WCF: A Hands-On Guide".
After that, for more advanced WCF content (especially if you want to learn about concepts revolving around security in WCF and WS-* in general) I highly recommend "Programming WCF Services" by Juval Lowy.