473,226 Members | 1,548 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,226 software developers and data experts.

Force SSL

Is there a way to check if the current (web service)connection is using
ssl? I'd like to be able to check for this and return an error if the
connection isn't secure. I work in a heavily regulated industry and
can't send data over a non-secure connection.

Thanks.
Scott C.
Nov 23 '05 #1
7 5223
I assume you have your web server set up with normal access
(http://mysite.com) in one IIS directory and SSL access (https://mysite.com)
in a separate directory. As long as your web service runs as an application
in only the https directory, can you not just assume you're running SSL?

Tom

"Scott" <me@me.com> wrote in message
news:ek**************@TK2MSFTNGP14.phx.gbl...
Is there a way to check if the current (web service)connection is using
ssl? I'd like to be able to check for this and return an error if the
connection isn't secure. I work in a heavily regulated industry and
can't send data over a non-secure connection.

Thanks.
Scott C.

Nov 23 '05 #2
Scott,
Is there a way to check if the current (web service)connection is using
ssl?


You can use the Context property of the web service class to read the
Request.IsSecureConnection property to test if the call came through HTTPS
(SSL). For example:

bool isSecure = Context.Request.IsSecureConnection;

Another option is to make sure the web server (or the firewall in front of
it) is configured so that it doesn't accept any connections through HTTP,
i.e. unsecured connection. You might want to do this in addition to your own
application tests to take use of the "defence in depth" principle.

Thirdly, you might wish to encrypt contents of the messages itself, which
would add even more security. However, this might be wasting CPU cycles
unnecessarily if SSL is already enough for your application.

Hope this helps.

--
Regards,

Mr. Jani Järvinen
C# MVP
Helsinki, Finland
ja***@removethis.dystopia.fi
http://www.saunalahti.fi/janij/
Nov 23 '05 #3
Jani ,

I find myself in a similar situation to Scott. I am working on a WebService
that will be running over SSL, but there is some data that is seen by my
company as particularly sensitive. You mention the possibility of
encrypting messages. Is there an easy way to force certain web service
parameters or function calls to be "encrypted"?

Thanks,

Tom

"Jani Järvinen [MVP]" <ja***@removethis.dystopia.fi> wrote in message
news:eH**************@TK2MSFTNGP15.phx.gbl...
Scott,
Is there a way to check if the current (web service)connection is using
ssl?


You can use the Context property of the web service class to read the
Request.IsSecureConnection property to test if the call came through HTTPS
(SSL). For example:

bool isSecure = Context.Request.IsSecureConnection;

Another option is to make sure the web server (or the firewall in front of
it) is configured so that it doesn't accept any connections through HTTP,
i.e. unsecured connection. You might want to do this in addition to your
own application tests to take use of the "defence in depth" principle.

Thirdly, you might wish to encrypt contents of the messages itself, which
would add even more security. However, this might be wasting CPU cycles
unnecessarily if SSL is already enough for your application.

Hope this helps.

--
Regards,

Mr. Jani Järvinen
C# MVP
Helsinki, Finland
ja***@removethis.dystopia.fi
http://www.saunalahti.fi/janij/

Nov 23 '05 #4
Jani Jdrvinen [MVP] wrote:
You can use the Context property of the web service class to read the
Request.IsSecureConnection property to test if the call came through
HTTPS (SSL). For example:


Thanks Jani, this is exactly what I was looking for.

Scott C.
Nov 23 '05 #5
Tom at SDI wrote:
I assume you have your web server set up with normal access
(http://mysite.com) in one IIS directory and SSL access
(https://mysite.com) in a separate directory. As long as your web
service runs as an application in only the https directory, can you
not just assume you're running SSL?


Goverment regulators rarely accept these types of assumptions. <g>

Scott C.
Nov 23 '05 #6
Tom,
You mention the possibility of encrypting messages. Is there an
easy way to force certain web service parameters or function
calls to be "encrypted"?


I'm not aware of any easy, single silver-bullet method or property you could
use to just "set encryption on". Instead, there are nowadays many web
services security related specifications, such as WS-Security which uses a
W3C specification "XML Encryption" underneath, among others. From the
programmer's perspective this means that there are many options to solve the
issues, too.

A full introduction to web services security would require much more than
I'm able to give you here, however I can give you some pointers. For
instance, MSDN has an article named "Web Services Security Specifications
Index Page", which probably would be interesting to you:

http://msdn.microsoft.com/webservice...rspecindex.asp

Secondly, the article "Understanding WS-Security" might be useful:

http://msdn.microsoft.com/webservice...l/understw.asp

Also, .NET 2.0 has better support for web services and and security, however
I must say I haven't yet studied their potential in full when it comes to
this area of the class library. Nonetheless, support for XML encryption and
signing already exists in the library (I'm talking about version 1.1 as well
as the 2.0 betas), see for example the System.Security.Cryptography.Xml
namespace.

Hope this will give you good a starting point! Have a nice weekend, too.

--
Regards,

Mr. Jani Järvinen
C# MVP
Helsinki, Finland
ja***@removethis.dystopia.fi
http://www.saunalahti.fi/janij/
Nov 23 '05 #7
"Scott" <me@me.com> wrote in news:ek**************@TK2MSFTNGP14.phx.gbl:
Is there a way to check if the current (web service)connection is using
ssl? I'd like to be able to check for this and return an error if the
connection isn't secure. I work in a heavily regulated industry and
can't send data over a non-secure connection.


IIS can do this too. Go to the app configuration and there is an option for "Secure only"
--
Chad Z. Hower (a.k.a. Kudzu) - http://www.hower.org/Kudzu/
"Programming is an art form that fights back"

Blogs: http://www.hower.org/kudzu/blogs
Nov 23 '05 #8

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

2
by: Matthew Sims | last post by:
Is it possible to force a download without using the readfile function? My website setup consists of my server that serves the web pages plus a high-speed file server elsewhere on the internet...
133
by: Philipp Lenssen | last post by:
Why is there no standardized and well-working way for a web-page to offer the font for download/embed it, in order to be displayed on the page? No matter what you think of the preferred font of a...
4
by: Kevin Muenzler, WB5RUE | last post by:
How do I force a browser to download a file instead of displaying it? In other words I have a page with MP3 and WMA files on it and I would like for the visitor to download the file instead of...
11
by: opt_inf_env | last post by:
Hello everybody, I have created a page consisting of two frames. The second frame is made to display "external" sites (i.e. written not by me, for example www.google.com). But I found that some...
2
by: Raquel | last post by:
FORCE APPLICATION command is valid only at the 'instance' level. Why is this so? An instance may contain many databases. So, what command do I give if I want to force applications from a particular...
2
by: Tony Do | last post by:
I have the backup command BACKUP DATABASE NEST TO C:\\databases WITH 2 BUFFERS BUFFER 1024 $ How do I force all the user to disconnect? before running the above command
3
by: Arran Pearce | last post by:
Hi, If i have a abstract class (e.g. Class1) and then i make Class2 which inherits from Class1. I have a method in Class1 which i want to force Class2 to run at some point. Is there a way i...
1
by: Mark A | last post by:
DB2 ESE 8.2.3 (FP10) for Linux We are experiencing a connection hang of 10 - 15 minutes in the following HADR and automatic client reroute scenario: 01 server is primary database 02 server is...
0
by: comp.lang.php | last post by:
I have a form that when you click the "Generate Report" submit button, it will force download a CSV file, required for this project. On the very same page you also have a "Search" submit button,...
6
by: bryanbabula | last post by:
I have a question about overriding i was wondering if anyone could help me with, or even suggesting a better/different way. I have no idea if this can even be done or not. I was wondering if there...
1
isladogs
by: isladogs | last post by:
The next online meeting of the Access Europe User Group will be on Wednesday 6 Dec 2023 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, Mike...
0
by: veera ravala | last post by:
ServiceNow is a powerful cloud-based platform that offers a wide range of services to help organizations manage their workflows, operations, and IT services more efficiently. At its core, ServiceNow...
0
by: VivesProcSPL | last post by:
Obviously, one of the original purposes of SQL is to make data query processing easy. The language uses many English-like terms and syntax in an effort to make it easy to learn, particularly for...
3
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 3 Jan 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). For other local times, please check World Time Buddy In...
2
by: jimatqsi | last post by:
The boss wants the word "CONFIDENTIAL" overlaying certain reports. He wants it large, slanted across the page, on every page, very light gray, outlined letters, not block letters. I thought Word Art...
0
by: fareedcanada | last post by:
Hello I am trying to split number on their count. suppose i have 121314151617 (12cnt) then number should be split like 12,13,14,15,16,17 and if 11314151617 (11cnt) then should be split like...
0
by: stefan129 | last post by:
Hey forum members, I'm exploring options for SSL certificates for multiple domains. Has anyone had experience with multi-domain SSL certificates? Any recommendations on reliable providers or specific...
1
by: davi5007 | last post by:
Hi, Basically, I am trying to automate a field named TraceabilityNo into a web page from an access form. I've got the serial held in the variable strSearchString. How can I get this into the...
0
by: MeoLessi9 | last post by:
I have VirtualBox installed on Windows 11 and now I would like to install Kali on a virtual machine. However, on the official website, I see two options: "Installer images" and "Virtual machines"....

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.