Security of Web Services

You need to explain more here ...

"david" <da***@discussions.microsoft.com> wrote in message
news:77**********************************@microsof t.com...

I met the security problem.
I have developed the form based security for ASP.NET appliation. However,
it
seems that my window based client for my Web services application can not
access to the server side. How to overcome this situation?

Thanks

David

1. I have developed the form based security for authentication in IIS web
server.
2. My ASP.NET server application uses it for client access authentication
(web browser).
3. Now I add a web services (.asmx) item to the project.
4. Created a window form based client to this web service.
5. Without security restriction, it works fine.
6. With the form based security, the windows forms client can not access to
the server (since there is no logon window popup for loginname/password).

David

"Annie" wrote:

You need to explain more here ...

"david" <da***@discussions.microsoft.com> wrote in message
news:77**********************************@microsof t.com...

I met the security problem.
I have developed the form based security for ASP.NET appliation. However,
it
seems that my window based client for my Web services application can not
access to the server side. How to overcome this situation?

Thanks

David

Hi,

With forms authentication you can configure the application so that
only certain files/folders require authentication. I would create two
folders under my application and put all of the secure stuff in one
folder and the unsecure stuff (e.g., your web service) in the other
folder. Then you can use the following to only secure the "secure"
folder, for example.

<authentication mode="Forms">
<forms loginUrl="logon.aspx" name="cookie" timeout="60"
path="secure/">
</forms>
</authentication>

Thanks,

Sayed Y. Hashimi

http://www.sayedhashimi.com
Shameless Book Plug: Service-Oriented Smart Clients with .NET 2.0
http://www.amazon.com/exec/obidos/tg...glance&s=books

Web services will require some other authentication scheme. Either use IIS
to do this or build in your own custom SOAP headers that pass that authentication
information and you do the check manually in each SOAP call.

-Brock
DevelopMentor
http://staff.develop.com/ballen

1. I have developed the form based security for authentication in IIS
web
server.
2. My ASP.NET server application uses it for client access
authentication
(web browser).
3. Now I add a web services (.asmx) item to the project.
4. Created a window form based client to this web service.
5. Without security restriction, it works fine.
6. With the form based security, the windows forms client can not
access to
the server (since there is no logon window popup for
loginname/password).
David

"Annie" wrote:

You need to explain more here ...

"david" <da***@discussions.microsoft.com> wrote in message
news:77**********************************@microsof t.com...

I met the security problem.
I have developed the form based security for ASP.NET appliation.
However,
it
seems that my window based client for my Web services application
can not
access to the server side. How to overcome this situation?
Thanks

David

Brock is correct in that web services are not authenticated using forms
authentication. However, if you have web services in an application
that uses forms authentication, but the web services do not require
authentication, you can still use forms authentication to allow access
to the asmx while keeping web forms authenticated. All you have to do
is put the web services in a public folder and use the <location> tag
to control/allow access.

Thanks,

Sayed Y. Hashimi

http://www.sayedhashimi.com
Shameless Book Plug: Service-Oriented Smart Clients with .NET 2.0
http://www.amazon.com/exec/obidos/tg...3/qid=11263614...

oops...you actually have to use the <location> tag to control access to
secured/unsecured folders (paths). You can't do that using the <forms>
tag with the "path" attribute.

Thanks,
Sayed Y. Hashimi
http://www.sayedhashimi.com
Shameless Book Plug: Service-Oriented Smart Clients with .NET 2.0
http://www.amazon.com/exec/obidos/tg...3/qid=11263614...

It seems that Web form Form based authentication will not work for windows
form based client of web services.

Currently, my web application and Web services are in the same folder.
I think that my web services have to have authetication to allow the access
only for legitimate users. Do I need to develop other authentication system?

Dabin
"ha**********@gmail.com" wrote:

Brock is correct in that web services are not authenticated using forms
authentication. However, if you have web services in an application
that uses forms authentication, but the web services do not require
authentication, you can still use forms authentication to allow access
to the asmx while keeping web forms authenticated. All you have to do
is put the web services in a public folder and use the <location> tag
to control/allow access.

Thanks,

Sayed Y. Hashimi

http://www.sayedhashimi.com
Shameless Book Plug: Service-Oriented Smart Clients with .NET 2.0
http://www.amazon.com/exec/obidos/tg...3/qid=11263614...

Thanks.

It seems that the web form based authentication does not work for the
windows form based web services clients.

I need to have authentication system to verify the client access to web
services. Do I need to develop other authentication system?

David

"ha**********@gmail.com" wrote:

Brock is correct in that web services are not authenticated using forms
authentication. However, if you have web services in an application
that uses forms authentication, but the web services do not require
authentication, you can still use forms authentication to allow access
to the asmx while keeping web forms authenticated. All you have to do
is put the web services in a public folder and use the <location> tag
to control/allow access.

Thanks,

Sayed Y. Hashimi

http://www.sayedhashimi.com
Shameless Book Plug: Service-Oriented Smart Clients with .NET 2.0
http://www.amazon.com/exec/obidos/tg...3/qid=11263614...

This is exactly what I used.

Problem is that my client is windows form based application for web services.
So the web logon form can not pop up.

David

"ha**********@gmail.com" wrote:

Hi,

With forms authentication you can configure the application so that
only certain files/folders require authentication. I would create two
folders under my application and put all of the secure stuff in one
folder and the unsecure stuff (e.g., your web service) in the other
folder. Then you can use the following to only secure the "secure"
folder, for example.

<authentication mode="Forms">
<forms loginUrl="logon.aspx" name="cookie" timeout="60"
path="secure/">
</forms>
</authentication>

Thanks,

Sayed Y. Hashimi

http://www.sayedhashimi.com
Shameless Book Plug: Service-Oriented Smart Clients with .NET 2.0
http://www.amazon.com/exec/obidos/tg...glance&s=books

Hi,

In that case, you have to go with what Brock said earlier. That is, web
services can be secured by using either IIS or SOAP level security.
SOAP is the way to go, if you ask me. Here are a few links to get you
going with both of the above approaches:

1) IIS Authentication/Authorization-
http://msdn.microsoft.com/library/de...l/secmod85.asp

2) SOAP Authentication/Authroization-
http://msdn.microsoft.com/msdnmag/is...rvicesecurity/

Thanks,

Sayed Y. Hashimi

http://www.sayedhashimi.com
Shameless Book Plug: Service-Oriented Smart Clients with .NET 2.0
http://www.amazon.com/exec/obidos/tg...glance&s=books

Just to add to this, I'd suggest making your ASMX SSL only.

-Brock
DevelopMentor
http://staff.develop.com/ballen

Hi,

In that case, you have to go with what Brock said earlier. That is,
web services can be secured by using either IIS or SOAP level
security. SOAP is the way to go, if you ask me. Here are a few links
to get you going with both of the above approaches:

1) IIS Authentication/Authorization-
http://msdn.microsoft.com/library/de...ry/en-us/secmo
d/html/secmod85.asp
2) SOAP Authentication/Authroization-
http://msdn.microsoft.com/msdnmag/is...rvicesecurity/
Thanks,

Sayed Y. Hashimi

http://www.sayedhashimi.com

Shameless Book Plug: Service-Oriented Smart Clients with .NET 2.0

http://www.amazon.com/exec/obidos/tg.../qid=112636142
1/sr=1-1/ref=sr_1_1/102-5068238-6758524?v=glance&s=books

Hi,

Your original post give me the indication that you had a web
application that had some web pages that needed to be secured and that
you had a web service which did not require
authentication/authroization. The solution I proposed allows you to
have a bunch of secured pages with an unsecured web service in the same
application using forms authentication. Now, if you really need
authentication/authorization for your web services, then you have to
use either IIS or apply credentials to the SOAP messages (possibly
using WSE).
Thanks,

Sayed Y. Hashimi

http://www.sayedhashimi.com
Shameless Book Plug: Service-Oriented Smart Clients with .NET 2.0
http://www.amazon.com/exec/obidos/tg...glance&s=books

Hi Sayed,

I am also very new to ASP.NET. My problem is how to configure web.config
file in forms authentication. I have user and Manager as a role in my
tbl_Login in my SQL Server.

If roles = Manager then I want them to redirect them into
...../secure/manager/mmain.aspx

and if the role = user then I want them to redirect to
...../secure/user/umain.aspx

I am using VB.NET and I have created many application with login form in
windows base application. I store user name and password as encryptred
(varbinary in SQL Server).

But I don't know how to achive samething in ASP.NET.

Is it possible to help me how to configure my web.config file as well as how
to code in code-behind pages? If yopu don't have time to provide any
information could you be willing to provide me some link so I can study
myself?

Thank you very much.

Rgds,
GC

"ha**********@gmail.com" wrote:

Hi,

Your original post give me the indication that you had a web
application that had some web pages that needed to be secured and that
you had a web service which did not require
authentication/authroization. The solution I proposed allows you to
have a bunch of secured pages with an unsecured web service in the same
application using forms authentication. Now, if you really need
authentication/authorization for your web services, then you have to
use either IIS or apply credentials to the SOAP messages (possibly
using WSE).
Thanks,

Sayed Y. Hashimi

http://www.sayedhashimi.com
Shameless Book Plug: Service-Oriented Smart Clients with .NET 2.0
http://www.amazon.com/exec/obidos/tg...glance&s=books