Bytes | Software Development & Data Engineering Community

Securing a web service

Folks -

We are running around and around here on a project we're developing, and I'm
getting to the point that I don't know what I do and don't know. So I need
some assistance.

We are developing a web service that connects to an external LDAP server to
validate a username/password that the user enters from a login page. Right
now, we're concerned about interaction with an ASP.NET website, but this web
service will also be used by some ColdFusion (and possibly other non-MS)
clients as well. I should point out now that we're running on Windows 2000
(SP4) and Windows XP Pro (SP2) workstations to test (with local IIS
installed), and this will probably be initially deployed to a W2K server,
but eventually this should end up on a W2K3 server. We're also on .NET 1.1
and VS2K3.

Because of the way our LDAP server is configured, we are able to connect and
retrieve information when the web service is running under anonymous access
(and the standard IUSR account) on IIS. However, because of the way we were
thinking the service was going to be used, we included some public-key RSA
encryption of the password in our service, and a method for the client to
retrieve the key from the web service. This is where everything went to
pot...

No matter how hard we try, we cannot get the RSA encryption (set up to use a
MachineKey store) to run under anonymous access. We have been setting
rights for IUSR to all the folders we can think of, and nothing works. We
tried creating a local-machine account, granting that the appropriate
rights, and changing the anonymous-access User ID to that account - nothing.
Eventually, I found that it appears that without appropriate credentials for
the web service, user rights don't make a difference. Since anonymous
access doesn't appear to pass credentials, the rights of the service account
user don't seem to matter.

Then, I read an MSDN article about security for ASP.NET web services, and it
said that if we expect our web service to be used by non-MS toolkits (which
we do), the best method for security is SSL and Basic Authentication on IIS.
I've never used Basic authentication, and I'm not a huge fan of it, but it
does seem to work. It also forces us to pass credentials every time we call
anything in the web service - even opening the project in VS.

One of my developers is swearing that the RSA encryption won't work over
SSL, though I don't understand why. Either way, using SSL kinda makes the
RSA encryption moot anyway (right?), though I don't think it will hurt.

Bottom line: what is the "best" way to set up this web service? We don't
have to use SSL, and I'm pretty sure that ColdFusion supports SOAP and web
services well enough that they should have little problem working with the
web service, no matter how we set it up. We don't want to make the users
pass credentials, but it's not the end of the world if that's how it has to
be. More importantly, we don't want to have to manage a bunch of
local-machine accounts just for this, and creating a single local-machine
account and giving that username/password to the world doesn't seem very
secure. If we could get this to work under anonymous access, however, then
the specific account makes much more sense...

We are not using WSE, and I don't know whether we can or not. Either way,
we may not have time - we've got to get this worked out ASAP. Any help
would be appreciated.

TIA

- Scott
Nov 19 '05 #1

> Then, I read an MSDN article about security for ASP.NET web services, and it
> said that if we expect our web service to be used by non-MS toolkits (which
> we do), the best method for security is SSL and Basic Authentication on IIS.

If there are N users, Basic Auth will need you to create N Windows a/c on
your server. Obviously this gets cumbersome when N increases.
IMO, the best way is to use custom SOAP header auth.

Mujtaba.
Nov 19 '05 #2
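The custom SOAP header approach Mujtaba recommends, as an added example for .NET 1.1 ASMX (this is not Scott's service or Mujtaba's code): the credentials ride in a SOAP header, the method refuses to read them unless the request came in over SSL, and the password is checked by binding to the external LDAP server as that user, so no Windows account is needed per user and IIS can stay on anonymous access. The class names, the service namespace and the LDAP path are placeholders; whether the directory accepts a bare username or needs a full DN for a simple bind depends on the server.

```csharp
using System;
using System.Runtime.InteropServices;
using System.DirectoryServices;
using System.Web.Services;
using System.Web.Services.Protocols;

// Custom SOAP header that carries the caller's credentials.
// Example class for this thread; the name and members are assumptions.
public class CredentialsHeader : SoapHeader
{
    public string Username;
    public string Password;
}

[WebService(Namespace = "http://example.invalid/loginservice")] // placeholder namespace
public class LoginService : WebService
{
    // ASP.NET fills this member from the incoming SOAP <Header> element
    // for any method tagged with [SoapHeader("Credentials")].
    public CredentialsHeader Credentials;

    // Placeholder for the external LDAP server; assumes LDAPS on port 636.
    private const string LdapPath = "LDAP://ldap.example.invalid:636/dc=example,dc=invalid";

    [WebMethod]
    [SoapHeader("Credentials", Direction = SoapHeaderDirection.In, Required = true)]
    public bool ValidateUser()
    {
        // The password is plain text inside the envelope, so refuse to touch it
        // unless the request arrived over SSL.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("This service requires SSL.", SoapException.ClientFaultCode);

        // Required = true already rejects envelopes without the header;
        // this guards against an empty header.
        if (Credentials == null
            || Credentials.Username == null || Credentials.Username.Length == 0
            || Credentials.Password == null || Credentials.Password.Length == 0)
            throw new SoapException("Missing credentials header.", SoapException.ClientFaultCode);

        return BindAsUser(Credentials.Username, Credentials.Password);
    }

    // Validates the password by binding to the directory as that user:
    // a successful bind means the credentials are good, a failed bind throws.
    private static bool BindAsUser(string username, string password)
    {
        DirectoryEntry entry = null;
        try
        {
            // Simple bind over LDAPS (assumes the directory listens with SSL on 636).
            entry = new DirectoryEntry(LdapPath, username, password,
                                       AuthenticationTypes.SecureSocketsLayer);
            // Reading NativeObject forces the bind to happen now.
            object bound = entry.NativeObject;
            return bound != null;
        }
        catch (COMException)
        {
            // Bad password, unknown user and unreachable server all surface here;
            // the caller only learns "invalid", which keeps the failure reason private.
            return false;
        }
        finally
        {
            if (entry != null)
                entry.Dispose();
        }
    }
}
```

A wsdl.exe-generated .NET proxy exposes the header as a `CredentialsHeaderValue` property that the client sets before calling `ValidateUser`; a ColdFusion or other non-.NET toolkit adds the same `<CredentialsHeader>` element with `Username` and `Password` children to the SOAP Header. Because SSL protects the envelope in transit, the separate RSA encryption of the password from the original post is not needed in this design.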
