Force SSL

I assume you have your web server set up with normal access
(http://mysite.com) in one IIS directory and SSL access (https://mysite.com)
in a separate directory. As long as your web service runs as an application
in only the https directory, can you not just assume you're running SSL?

Tom

"Scott" <me@me.com> wrote in message
news:ek**************@TK2MSFTNGP14.phx.gbl...

Is there a way to check if the current (web service)connection is using
ssl? I'd like to be able to check for this and return an error if the
connection isn't secure. I work in a heavily regulated industry and
can't send data over a non-secure connection.

Thanks.
Scott C.

Scott,

Is there a way to check if the current (web service)connection is using
ssl?

You can use the Context property of the web service class to read the
Request.IsSecureConnection property to test if the call came through HTTPS
(SSL). For example:

bool isSecure = Context.Request.IsSecureConnection;

Another option is to make sure the web server (or the firewall in front of
it) is configured so that it doesn't accept any connections through HTTP,
i.e. unsecured connection. You might want to do this in addition to your own
application tests to take use of the "defence in depth" principle.

Thirdly, you might wish to encrypt contents of the messages itself, which
would add even more security. However, this might be wasting CPU cycles
unnecessarily if SSL is already enough for your application.

Hope this helps.

--
Regards,

Mr. Jani Järvinen
C# MVP
Helsinki, Finland
ja***@removethis.dystopia.fi
http://www.saunalahti.fi/janij/

Jani ,

I find myself in a similar situation to Scott. I am working on a WebService
that will be running over SSL, but there is some data that is seen by my
company as particularly sensitive. You mention the possibility of
encrypting messages. Is there an easy way to force certain web service
parameters or function calls to be "encrypted"?

Thanks,

Tom

"Jani Järvinen [MVP]" <ja***@removethis.dystopia.fi> wrote in message
news:eH**************@TK2MSFTNGP15.phx.gbl...

Scott,

Is there a way to check if the current (web service)connection is using
ssl?

You can use the Context property of the web service class to read the
Request.IsSecureConnection property to test if the call came through HTTPS
(SSL). For example:

bool isSecure = Context.Request.IsSecureConnection;

Another option is to make sure the web server (or the firewall in front of
it) is configured so that it doesn't accept any connections through HTTP,
i.e. unsecured connection. You might want to do this in addition to your
own application tests to take use of the "defence in depth" principle.

Thirdly, you might wish to encrypt contents of the messages itself, which
would add even more security. However, this might be wasting CPU cycles
unnecessarily if SSL is already enough for your application.

Hope this helps.

--
Regards,

Mr. Jani Järvinen
C# MVP
Helsinki, Finland
ja***@removethis.dystopia.fi
http://www.saunalahti.fi/janij/

Jani Jdrvinen [MVP] wrote:

You can use the Context property of the web service class to read the
Request.IsSecureConnection property to test if the call came through
HTTPS (SSL). For example:

Thanks Jani, this is exactly what I was looking for.

Scott C.

Tom at SDI wrote:

I assume you have your web server set up with normal access
(http://mysite.com) in one IIS directory and SSL access
(https://mysite.com) in a separate directory. As long as your web
service runs as an application in only the https directory, can you
not just assume you're running SSL?

Goverment regulators rarely accept these types of assumptions. <g>

Scott C.

Tom,

You mention the possibility of encrypting messages. Is there an
easy way to force certain web service parameters or function
calls to be "encrypted"?

I'm not aware of any easy, single silver-bullet method or property you could
use to just "set encryption on". Instead, there are nowadays many web
services security related specifications, such as WS-Security which uses a
W3C specification "XML Encryption" underneath, among others. From the
programmer's perspective this means that there are many options to solve the
issues, too.

A full introduction to web services security would require much more than
I'm able to give you here, however I can give you some pointers. For
instance, MSDN has an article named "Web Services Security Specifications
Index Page", which probably would be interesting to you:

http://msdn.microsoft.com/webservice...rspecindex.asp

Secondly, the article "Understanding WS-Security" might be useful:

http://msdn.microsoft.com/webservice...l/understw.asp

Also, .NET 2.0 has better support for web services and and security, however
I must say I haven't yet studied their potential in full when it comes to
this area of the class library. Nonetheless, support for XML encryption and
signing already exists in the library (I'm talking about version 1.1 as well
as the 2.0 betas), see for example the System.Security.Cryptography.Xml
namespace.

Hope this will give you good a starting point! Have a nice weekend, too.

--
Regards,

Mr. Jani Järvinen
C# MVP
Helsinki, Finland
ja***@removethis.dystopia.fi
http://www.saunalahti.fi/janij/

"Scott" <me@me.com> wrote in news:ek**************@TK2MSFTNGP14.phx.gbl:

Is there a way to check if the current (web service)connection is using
ssl? I'd like to be able to check for this and return an error if the
connection isn't secure. I work in a heavily regulated industry and
can't send data over a non-secure connection.

IIS can do this too. Go to the app configuration and there is an option for "Secure only"
--
Chad Z. Hower (a.k.a. Kudzu) - http://www.hower.org/Kudzu/
"Programming is an art form that fights back"

Blogs: http://www.hower.org/kudzu/blogs