
Web config files and Security for Web Services

Hi folks,

So I have implemented a Web service which provides several Web Methods.
Before the client can use the WebMethods they must first be authenticated and
authorized i.e. they login, obtain a string 'ticket' and then must use this
ticket to make subsequent calls to the Web Methods.

Users are validated by checking to see if they exist in the web.config file
which looks like this -

<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <authentication mode="Forms">
      <forms name="MyAuthentication">
        <credentials passwordFormat="Clear">
          <user name="david" password="secret" />
          <user name="simon" password="delphi" />
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

i.e. only 'david' and 'simon' can log in.

So, basically the web.config file determines who can log in. Now, this web
config file must be placed on the server yes? So if this config file can be
accessed from the outside then malicious users could get the logins and use
the Web Services, yes?

So, my question is, where do we store the web.config file on the server? Do
we simply put it in a folder with an unusual name that no-one could possibly
guess? Or are web.config files 'hidden from view', for example if an attempt
is made to 'look at one from a browser' ?

I'm just concerned that we go to this trouble to develop a secure system and
then joe bloggs comes along and takes a peek at the web.config file and hacks
in to the system. But hopefully it is just a matter of 'hiding' the file on
the server? Or am I missing something very obvious??

Thanks for any insights. New to Web Services security here...

Best regards,
David

Aug 2 '06 #1

6 Replies

Hi David,

I'm afraid I don't know a great deal about web service security (although I
think I've read somewhere that you can't use forms authentication...) but I
have seen that IIS does not serve requests for .config files - therefore a
web.config file is not going to be exposed in that way through the browser.
In the past when I have required config files (additional to my web config)
that contain sensitive information, I have named them something like
"users.config" etc.

Andrew

Aug 3 '06 #2
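Andrew's point that IIS does not serve .config files is worth verifying on your own deployment rather than assuming, because the refusal comes from the ASP.NET handler mapping for the .config extension (HttpForbiddenHandler, which answers 403), not from where the file sits. The following C# console program is an added example and not code from this thread: it requests the two config paths from a base URL passed on the command line (the default https://staging.example.invalid is a placeholder) and exits non-zero if either comes back with anything other than 403 or 404.

```csharp
// Added example (not from the thread): deploy-time smoke test confirming that
// the web server refuses to serve configuration files.
using System;
using System.Net;

class ConfigExposureCheck
{
    // Paths that must never be served: the application's web.config and the
    // extra "users.config" style file Andrew describes. Assumed to live at the
    // application root.
    static readonly string[] SensitivePaths = { "/web.config", "/users.config" };

    // Returns the HTTP status code for a GET of the URL. HttpWebRequest throws
    // WebException for 4xx/5xx, so that case is unwrapped into the status code
    // rather than treated as a failure of the check itself.
    static int Probe(string url)
    {
        try
        {
            HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
            req.Method = "GET";
            req.Timeout = 5000;
            using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
            {
                return (int)resp.StatusCode;
            }
        }
        catch (WebException ex)
        {
            HttpWebResponse resp = ex.Response as HttpWebResponse;
            if (resp != null)
            {
                using (resp) { return (int)resp.StatusCode; }
            }
            throw; // no HTTP response at all: DNS failure, refused connection, timeout
        }
    }

    static int Main(string[] args)
    {
        // Placeholder base URL; pass your own staging/production URL instead.
        string baseUrl = args.Length > 0 ? args[0] : "https://staging.example.invalid";
        bool allBlocked = true;
        foreach (string path in SensitivePaths)
        {
            int status = Probe(baseUrl + path);
            // 403 is what ASP.NET's HttpForbiddenHandler returns; 404 is also acceptable.
            bool blocked = status == 403 || status == 404;
            Console.WriteLine("{0} -> {1} {2}", path, status, blocked ? "blocked" : "EXPOSED");
            allBlocked &= blocked;
        }
        return allBlocked ? 0 : 1;
    }
}
```

Because the protection is keyed to the file extension, a file named users.config gets the same treatment as web.config, which is the reason behind Andrew's naming. The flip side is that a copy saved under another extension (web.config.bak, users.txt) is served like any other static file, so such copies should never be left inside the web root.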

"Andrew Brook" wrote:
Hi David,

I'm afraid I don't know a great deal about web service security (although I
think I've read somewhere that you can't use forms authentication...) but I
have seen that IIS does not serve requests for .config files - therefore a
web.config file is not going to be exposed in that way through the browser.
In the past when I have required config files (additional to my web config)
that contain sensitive information, I have named them something like
"users.config" etc.

Andrew
Hi,

Andrew thanks for the reply. This method of using a 'token' to authenticate
a user seems to be working well for me when tested locally, still to test it
on a remote server.

I think the next challenge will be to transmit the messages I exchange over
HTTPS to encrypt them and hopefully this will make Web service secure.

Web services security is a complex task I'm discovering...

Best Regards,
David
Aug 3 '06 #3

Hi David,

Yes, it seems that actually getting worthwhile security involves a little
research and work. So with your system at the moment, the user submits a
username and password to some kind of login function which checks if their
un&pw are in the web.config, if they are it provides this token? Out of
interest, how do you check whether the passed username and password exist in
the web config file? Also, does the token become unusable after a certain
length of time?

just interested :)
Andrew

Aug 3 '06 #4

Hi David,

If you are using .NET 2.0, you can also encrypt the configuration section
where the user information is stored.
.NET 2.0 supports encrypted configuration sections out of the box.

Regards,
Pablo.

Aug 3 '06 #5
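Pablo's suggestion, as an added example that is not code from this thread: the .NET 2.0 protected-configuration API encrypts the system.web/authentication section in place, so the <credentials> list is no longer stored in clear text on disk while FormsAuthentication keeps reading it as before. The application path /MyService and the choice of the DPAPI provider are assumptions; the same result is available from the command line with aspnet_regiis -pe "system.web/authentication" -app "/MyService".

```csharp
// Added example (not from the thread): encrypt the <authentication> section of
// web.config once, from an account that can write the file.
using System;
using System.Configuration;
using System.Web.Configuration;

class ProtectCredentials
{
    const string SectionPath = "system.web/authentication";

    // DPAPI provider: the key is tied to the machine (or user) account, so the
    // encrypted file only opens on the machine that encrypted it. Use
    // "RsaProtectedConfigurationProvider" instead when one web.config must be
    // readable on several web-farm machines that share an exported RSA key.
    const string Provider = "DataProtectionConfigurationProvider";

    static void Main(string[] args)
    {
        // Assumed IIS application path; pass your own as the first argument.
        string appPath = args.Length > 0 ? args[0] : "/MyService";

        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(SectionPath);

        if (section.SectionInformation.IsProtected)
        {
            Console.WriteLine("{0} is already protected with {1}", SectionPath,
                section.SectionInformation.ProtectionProvider.Name);
            return;
        }

        section.SectionInformation.ProtectSection(Provider);
        // ForceSave writes the section even though none of its values changed.
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);

        Console.WriteLine("{0} encrypted; ASP.NET decrypts it transparently at run time.", SectionPath);
    }
}
```

Be clear about what this does and does not cover: someone who obtains a copy of the file no longer gets the passwords, but code running under the application's identity on that machine can still read them, because the DPAPI key is available to it. The encrypted section is a defence against the file leaking, not against a compromised server.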

"Pablo Cibraro [MVP]" wrote:
Hi David,

If you are using .NET 2.0, you can also encrypt the configuration section
where the user information is stored.
.NET 2.0 supports encrypted configuration sections out of the box.

Regards,
Pablo.
Thanks, I'll look into that.

Best Regards,
David

Aug 4 '06 #6

"Andrew Brook" wrote:
Hi David,

Yes, it seems that actually getting worthwhile security involves a little
research and work. So with your system at the moment, the user submits a
username and password to some kind of login function which checks if their
un&pw are in the web.config, if they are it provides this token? Out of
interest, how do you check whether the passed username and password exist in
the web config file? Also, does the token become unusable after a certain
length of time?

just interested :)
Andrew
Hi Andrew,

The Web config file looks like this -

<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <authentication mode="Forms">
      <forms name="MyAuthentication">
        <credentials passwordFormat="Clear">
          <user name="david" password="secret" />
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

The line <authentication mode="Forms"> lets us know we are using the Forms
method for authentication. In the login method in the web service we have -

using System.Web;
using System.Web.Security;
using System.Web.Services;

[WebMethod]
public string Login(string username, string password)
{
    // Compares the pair against the <credentials> list in web.config
    if (FormsAuthentication.Authenticate(username, password))
    {
        // Non-persistent cookie; its Value is the encrypted forms ticket
        HttpCookie cookie = FormsAuthentication.GetAuthCookie(username, false);
        return cookie.Value;
    }
    return "";
}

The username and password are authenticated via the FormsAuthentication
class, which makes sense as we are using Forms authentication as we say in
the config file.

The returned string token is then used for every subsequent method call and
checked for validity before being able to use the methods. So we can use the
FormsAuthentication.Decrypt(strToken) to make sure the token is valid.

Best Regards
David
Aug 4 '06 #7
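To round out Andrew's question about expiry, here is an added example (not code from this thread) of the login method together with the check every later call should perform on the ticket. It assumes the <forms> element carries a timeout, e.g. <forms name="MyAuthentication" timeout="20">, and that the <credentials> element uses passwordFormat="SHA1" rather than "Clear"; the WhoAmI method and the HashForConfig helper are illustrative names.

```csharp
// Added example (not from the thread): issuing a forms ticket as the web
// service "token" and validating it, including expiry, on later calls.
using System;
using System.Web;
using System.Web.Security;
using System.Web.Services;
using System.Web.Services.Protocols;

public class TicketService : WebService
{
    [WebMethod]
    public string Login(string username, string password)
    {
        // Authenticate() compares against the <credentials> list using the
        // configured passwordFormat, so hashed entries need no code change.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)
            || !FormsAuthentication.Authenticate(username, password))
        {
            return "";
        }
        // Non-persistent cookie: the ticket inside it expires after the
        // <forms timeout> minutes configured in web.config.
        HttpCookie cookie = FormsAuthentication.GetAuthCookie(username, false);
        return cookie.Value;
    }

    // Returns the user name carried by a valid, unexpired ticket, or null.
    // Decrypt throws (or returns null) for tampered, truncated or garbage input,
    // so every failure path ends in a rejection rather than an unhandled fault.
    private static string ValidateToken(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(token);
        }
        catch (Exception)
        {
            return null;
        }
        if (ticket == null || ticket.Expired) return null;
        return ticket.Name;
    }

    // Illustrative protected method: requires a valid ticket on every call.
    [WebMethod]
    public string WhoAmI(string token)
    {
        string user = ValidateToken(token);
        if (user == null)
        {
            throw new SoapException("Invalid or expired ticket", SoapException.ClientFaultCode);
        }
        return user;
    }

    // Produces the value to put in <user password="..." /> when the
    // <credentials> element uses passwordFormat="SHA1". Unsalted SHA1 is weak by
    // today's standards, but it removes the clear-text passwords from the file.
    public static string HashForConfig(string password)
    {
        return FormsAuthentication.HashPasswordForStoringInConfigFile(password, "SHA1");
    }
}
```

ticket.Expired is what makes the token unusable after the configured timeout, which answers Andrew's question; the timeout is enforced against the expiration stamped inside the encrypted ticket, so the client cannot extend it. Because the token travels as an ordinary string parameter, the HTTPS step David mentions is what stops it being read in transit and reused by whoever captured it.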
