Secure web service

I am going to create a web service that will transmit sensitive information over the network.

What would be the best way to protect a web service? How can I find out whether the application requesting the information is the one it says it is, and that some other application is not using a different username and password?

+4
4 answers

Use WCF for your web service! It has tons of security features:

You can

  • Protect your clients with certificates - only those with the appropriate certificate will have their calls processed

  • Protect your clients by validating them against the internal Active Directory domain - only those with AD accounts will have their requests processed

  • Protect your clients with custom usernames and passwords that you can check against whatever you want (this is the most flexible, but also the most difficult option, and offers the highest probability of failure if you do something wrong)

In addition, with WCF you also have many options for securing the transport between the client and the service, or for encrypting and signing the messages going back and forth.

See the WCF Developer Center as a great starting point for all things WCF.

If you are serious about secure and reliable programming of WCF services, get a copy of the book "Programming WCF Services" by Juval Löwy - a bible for WCF.


+3

I have done this once or twice in the past:

  • Use SSL.
  • Call the web server to request a token, which is returned from a method in the web service.
  • Have the token returned from a method that requires a login and password.
  • After a certain number of web service requests, or at arbitrary intervals, change the required token, thereby forcing re-authentication.
  • If you want, encrypt the data inside the SSL stream using an encryption method that both parties understand (if you are paranoid).

+1

You do not write what implementation technology you intend to use, so let me start by recommending the Windows Communication Foundation (WCF) instead of ASMX web services.

With WCF, you can choose between many different bindings, many of which offer data protection. In general, there are two different styles of data protection for web services:

  • Transport protection, where the transport mechanism itself offers encryption. The best-known version of this is HTTPS / SSL. However, note that if you do not use client certificates, the service has no guarantee that the client is who it says it is.
  • Message protection, where the message itself is encrypted and signed. Such messages can travel over insecure networks and still be protected.

WsHttpBinding offers message protection in accordance with open standards. This is where I would start.

+1
source

Take a look at WIF (aka the Geneva framework). Its purpose is to solve exactly the problem you are describing. http://msdn.microsoft.com/en-us/security/aa570351.aspx

0