Web Service Security

I'm currently using a basic web service for my Windows and web clients to access a Microsoft Access database on the web server. All works fine, but I'm worried about security. Without any precautions, anyone could use the web service to access or even modify information in the database. This, obviously, is not too good, so currently I've set a database password on the MS Access file. The trouble is, since web services are stateless the password has to be sent with every function call. This is bloody annoying, but more importantly it means that I'm sending a plain-text password across the internet the whole time.

Any better ideas? You probably realise that I'm a beginner, so please keep it as simple as possible. Also, SQL Server or similar solutions are not feasible, owing to cost limitations.
Nov 12 '05 #1
Hi,

From your description, you expose an Access database via a WebService
(ASP.NET WebService?) and currently you use a customized security
mechanism (providing the user credentials in every member function of the
webservice), and you feel it is no good and wonder about some better means to
implement security on the webservice, yes?

As for this problem, here are my suggestions:
In an ASP.NET webservice, we have two main means to implement authentication
security for it:
1. Using the built-in security mechanism of the ASP.NET web application,
such as Windows authentication. This means is very useful when the client
machine (the webservice's caller) and the server machine are in the same domain
or local intranet. Then, we can force the client to provide the domain
account when calling the webservice. Also, this needs to make use of IIS's
built-in authentication mechanism (Basic or Integrated Windows). For a
detailed description, you may view the following guide and references:
#Securing XML Web Services Created Using ASP.NET
http://msdn.microsoft.com/library/en...ringASPNETWebServices.asp?frame=true

#Security and XML Web services
http://www.aspng.com/quickstart/aspp...eservices.aspx

2. Provide custom authentication info in the webservice's SOAP header. This
means needs us to define some custom SOAP headers which represent the
client's credential info, and we can determine whether the caller is
authenticated on the server side via these custom headers. Different from
setting credentials in every function call, which I mentioned at the beginning, such
a SoapHeader can be set only once on the client proxy class, and then all the
subsequent calls on the webservice will contain the headers. For more
detailed info on the related topic, please refer to the following
weblinks (the links above have also mentioned this means):

#Using SOAP Headers
http://msdn.microsoft.com/library/en...gSOAPHeaders.asp?frame=true

#Customizing SOAP Messages
http://msdn.microsoft.com/library/en...omizingsoapinaspnetwebserviceswebserviceclients.asp?frame=true

#Webservicessamples.exe Contains ASP.NET Web Services Samples
http://support.microsoft.com/?id=320438

Furthermore, if you are interested, you may have a look at
WSE (Microsoft Web Services Enhancements), which provides more and stronger
features for building reliable and stronger XML Webservices:

#WS-Security Authentication and Digital Signatures with Web Services Enhancements
http://msdn.microsoft.com/library/en...e.asp?frame=true

#Using Role-Based Security with Web Services Enhancements 2.0
http://msdn.microsoft.com/library/en...dsec.asp?frame=true

Hope this also helps. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx

Nov 12 '05 #2
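
The custom SOAP header approach from suggestion 2, sketched as an added example that is not part of the original reply or of any Microsoft sample. The `AuthHeader` and `OrderService` names, the namespace, the `appSettings` user-store format and the HTTPS check are assumptions made for illustration; the header carries a per-user credential rather than the Access database password, which stays on the server.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Web.Services;
using System.Web.Services.Protocols;
// Hypothetical header type: sent once per SOAP envelope instead of as a method argument.
public class AuthHeader : SoapHeader
{
    public string Username;
    public string Password;
}
[WebService(Namespace = "http://example.invalid/orders")] // placeholder namespace
public class OrderService : WebService
{
    // ASP.NET deserializes the incoming header into this field before the method runs.
    public AuthHeader Credentials;

    [WebMethod]
    [SoapHeader("Credentials", Direction = SoapHeaderDirection.In)]
    public string GetOrderStatus(int orderId)
    {
        RequireAuthenticatedCaller();
        // The Access file and its database password are opened here, server-side only.
        return "status for order " + orderId; // placeholder for the real query
    }

    private void RequireAuthenticatedCaller()
    {
        // The header is readable on the wire without TLS, so reject plain HTTP.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("HTTPS required", SoapException.ClientFaultCode);
        if (Credentials == null || !IsValidUser(Credentials.Username, Credentials.Password))
            throw new SoapException("Authentication failed", SoapException.ClientFaultCode);
    }

    // Assumed store: appSettings key "user:<name>" = "<salt base64>:<PBKDF2 hash base64>".
    private static bool IsValidUser(string user, string password)
    {
        string entry = ConfigurationManager.AppSettings["user:" + user];
        if (entry == null || password == null) return false;
        string[] parts = entry.Split(':');
        if (parts.Length != 2 || parts[1].Length == 0) return false;
        byte[] salt = Convert.FromBase64String(parts[0]);
        byte[] expected = Convert.FromBase64String(parts[1]);
        byte[] actual = new Rfc2898DeriveBytes(password, salt, 100000).GetBytes(expected.Length);
        int diff = 0; // compare every byte so timing does not reveal where a mismatch occurs
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }
}
```

On the client, the wsdl.exe-generated proxy exposes this header as an `AuthHeaderValue` property; assigning it once makes every later call on that proxy instance carry the header.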
Hi,

Have you had a chance to check out the suggestions in my last reply or have
you got any further ideas on this issue? If you have anything unclear or if
there's anything else we can help with, please feel free to post here. Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx
Nov 12 '05 #3
