What is the best way to protect a web service?

As the header already explains, I want to protect my web service. I read that you can do this using the header for SOAP authentication, but then the username and password are passed as plain text.

I was wondering what should I do to protect my web service? Examples would be great.

I have an example from a company we work with that uses two web services: one for security and one for getting the necessary data. I don't have my own part of the code, but the system looks great:

    // Runs in the login page's code-behind; Security and Knooppunt.SSO.GenericSSO
    // are the proxy classes generated from the partner's WSDL.
    using System;
    using System.Configuration;
    using System.Web.Security;

    bool loginSuccessFull = false;

    // knooppunt
    string loginID = ConfigurationManager.AppSettings["WebServiceLogin"];
    string password = ConfigurationManager.AppSettings["WebServicePass"];

    // 1. The security service proxy is created and initialised.
    Security securityService = new Security();
    securityService.CookieContainer = new System.Net.CookieContainer();

    // The server hands out a one-time challenge for this login ID.
    string challenge = securityService.InitializeLogin(loginID);

    // The client proves it knows the password by sending SHA1(password + challenge)
    // as a lowercase hex string, so the password itself never goes over the wire.
    string pwd = password;
    string response = pwd + challenge;
    System.Security.Cryptography.SHA1CryptoServiceProvider SHA1 =
        new System.Security.Cryptography.SHA1CryptoServiceProvider();
    SHA1.Initialize();
    byte[] hash = SHA1.ComputeHash(System.Text.Encoding.Default.GetBytes(response));
    System.Text.StringBuilder builder = new System.Text.StringBuilder();
    foreach (byte b in hash)
        builder.Append(b.ToString("x2"));

    // 2. A login is done with the security service proxy using the hashed response.
    if (securityService.Login(builder.ToString()))
    {
        string ssoToken = Request.QueryString["SSOTOKEN"];
        string ssoID = Request.QueryString["SSOID"];
        if (!String.IsNullOrEmpty(ssoToken) && !String.IsNullOrEmpty(ssoID))
        {
            // Check with the web service whether the token is valid.
            Knooppunt.SSO.GenericSSO sso = new Knooppunt.SSO.GenericSSO();
            // Reuse the authenticated session cookie from the security service.
            sso.CookieContainer = securityService.CookieContainer;
            try
            {
                if (sso.validateSSOToken(Convert.ToInt32(ssoID), ssoToken))
                {
                    loginSuccessFull = true;
                    FormsAuthentication.RedirectFromLoginPage("default user", false);
                }
            }
            catch
            {
                // Any validation error is swallowed; the login simply fails.
            }
        }
    }
1 answer

If this is truly a web service, you should use the Windows Communication Foundation to create a proxy and make the call. This greatly simplifies this code.

Honestly, it looks like the package that you use to connect to the web service (SSO?) is pretty non-standard and nothing more than the output from HttpWebRequest, which is VERY low level and too complicated to use.

If you are going to protect your own web service (and you are exposing it via an HTTP channel), the easiest way is to obtain a digital certificate for your host, and then use basic HTTP authentication via HTTPS.

You can also use other aspects of the WS-Security specification (for example, message encoding, and so on) to ensure the security of your service.

Please note that WCF supports all of these options out of the box, so you do not need to write any of this code yourself, and you can also host it in IIS.

A good reference for newcomers to WCF is Michelle Bustamante's "WCF Training: Operations Guide".

After that, for more advanced WCF content (especially if you want to learn about the concepts that revolve around security in WCF and WS-* in general), I highly recommend Juval Lowy's "Programming WCF Services".

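The "certificate plus basic HTTP authentication over HTTPS" setup recommended above, as a WCF web.config fragment. This is an added example, not code from the original post; the service and contract names (MyApp.DataService, MyApp.IDataService) are assumed, and it assumes the service is hosted in IIS on a site that already has an HTTPS binding with a server certificate.

```xml
<!-- web.config fragment: hypothetical MyApp.DataService hosted in IIS over HTTPS -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- Weak: credentials and the SOAP body travel in clear text over HTTP.
           This is the situation the question describes. -->
      <binding name="insecureBinding">
        <security mode="None" />
      </binding>
      <!-- Recommended: TLS protects the channel, HTTP Basic carries the credentials,
           so the password is never sent unencrypted. -->
      <binding name="httpsBasicBinding">
        <security mode="Transport">
          <transport clientCredentialType="Basic" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>

  <services>
    <service name="MyApp.DataService" behaviorConfiguration="secureBehavior">
      <!-- Only the HTTPS/Basic binding is exposed; insecureBinding is left unused. -->
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="httpsBasicBinding"
                contract="MyApp.IDataService" />
    </service>
  </services>

  <behaviors>
    <serviceBehaviors>
      <behavior name="secureBehavior">
        <!-- Publish metadata (WSDL) over HTTPS only; no plain-HTTP metadata endpoint. -->
        <serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" />
        <!-- Keep exception details and stack traces out of SOAP faults sent to callers. -->
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

With Transport/Basic, IIS performs the authentication, so Basic Authentication must be enabled and Anonymous Authentication disabled on the application in IIS, and callers are validated against Windows accounts unless a custom membership provider is configured. The client then supplies the credentials through ClientCredentials.UserName on the generated proxy rather than in a hand-built SOAP header.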

Source: https://habr.com/ru/post/1301422/
