You are very correct! Exposing such methods is far from good practice.
As you are passing usr/pwd in plain text, it makes it very easy to grab
these strings from the soap telegram.
What you should consider is to remove the user/pwd altogether as they have
nothing to do with your "business logic". Authentication and authorization are
(or should be!) distinct from business logic.
Take a look at WSE 2.0/3.0 (or WCF) to see ways to sign your soap envelopes
with Kerberos tokens, usr/pwd or X509 credentials. This makes it extremely
difficult to sniff the password as none is sent along with the message. WSE
presents out-of-the-box frameworks for signature and credentials passing in a
more secure manner than the original WS implementations.
If you insist on sticking to ASMX: yes, you could make use of SSL (https),
which encrypts the communication with a shared secret (negotiated by the SSL
protocol).
--
rgds.
/Claus Konrad
MCSD.NET (C#)
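As an added illustration of the reply above (example code written for this thread, not Claus's or Microsoft's), here is what "keep usr/pwd out of the business method" and "SSL if you stay on ASMX" look like in an ASMX service: the credentials move into a SOAP header, one shared check refuses to authenticate unless the request came in over HTTPS, and the business method only takes business parameters. `SoapHeader`, `[SoapHeader]` and `Context.Request.IsSecureConnection` are real ASMX/ASP.NET APIs; the class and method names (`AuthHeader`, `DataService`, `GetTablePage`), the in-memory `CredentialStore` and the constructed sample data are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Security.Cryptography;
using System.Text;
using System.Web.Services;
using System.Web.Services.Protocols;

// Credentials travel in a SOAP header, separate from the business parameters.
public class AuthHeader : SoapHeader
{
    public string Username;
    public string Password;
}

// Constructed in-memory credential store for this example (a real service would
// use a membership provider or directory). Stores SHA-256(salt + password).
public static class CredentialStore
{
    private static readonly Dictionary<string, KeyValuePair<byte[], byte[]>> Users =
        new Dictionary<string, KeyValuePair<byte[], byte[]>>();

    public static void Add(string user, string password)
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);
        Users[user] = new KeyValuePair<byte[], byte[]>(salt, Hash(salt, password));
    }

    public static bool IsValid(string user, string password)
    {
        KeyValuePair<byte[], byte[]> entry;
        if (user == null || password == null || !Users.TryGetValue(user, out entry))
            return false;
        byte[] actual = Hash(entry.Key, password);
        // Compare every byte so the timing does not reveal how many bytes matched.
        int diff = 0;
        for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ entry.Value[i];
        return diff == 0;
    }

    private static byte[] Hash(byte[] salt, string password)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        using (SHA256 sha = SHA256.Create()) return sha.ComputeHash(input);
    }
}

[WebService(Namespace = "http://example.invalid/dataservice")] // placeholder namespace
public class DataService : WebService
{
    // The client-supplied table name is checked against this list and is never
    // concatenated into SQL.
    private static readonly string[] AllowedTables = { "Customers", "Orders" };

    // Filled in by the ASMX runtime from the incoming envelope's header.
    public AuthHeader Credentials;

    // Authentication lives in one place, not inside every business method.
    private void RequireAuthenticatedCaller()
    {
        // Over plain HTTP the header would be readable by anyone on the path.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("HTTPS is required.", SoapException.ClientFaultCode);
        if (Credentials == null ||
            !CredentialStore.IsValid(Credentials.Username, Credentials.Password))
            throw new SoapException("Authentication failed.", SoapException.ClientFaultCode);
    }

    // Business method: no username/password parameters any more.
    [WebMethod]
    [SoapHeader("Credentials")]
    public DataSet GetTablePage(string tableName, int startIndex, int pageSize)
    {
        RequireAuthenticatedCaller();
        if (Array.IndexOf(AllowedTables, tableName) < 0)
            throw new SoapException("Unknown table.", SoapException.ClientFaultCode);
        if (startIndex < 0 || pageSize < 1 || pageSize > 200)
            throw new SoapException("Bad page parameters.", SoapException.ClientFaultCode);
        return ReadPage(tableName, startIndex, pageSize);
    }

    // Constructed sample data so the example is self-contained; a real service
    // would run a parameterised, paged query with the same arguments.
    private static DataSet ReadPage(string tableName, int startIndex, int pageSize)
    {
        DataTable table = new DataTable(tableName);
        table.Columns.Add("Id", typeof(int));
        for (int i = startIndex; i < startIndex + pageSize; i++) table.Rows.Add(i);
        DataSet result = new DataSet();
        result.Tables.Add(table);
        return result;
    }
}
```

With this layout the HTTPS check protects the header on the wire, and the password itself is only ever compared against a salted hash on the server. The WCF equivalent of the same split is a wsHttpBinding with security mode TransportWithMessageCredential and clientCredentialType UserName, which is the built-in route Claus points to for moving from ASMX.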
"Ing. Davide Piras" wrote:
Hi there
I have my .NET 2.0 C# WebApplication which exposes some WebMethods; I pass
tablename, username, password and I get a DataSet with some data (actually
the size of the dataset is not a problem since when there are more than 200
records I get the dataset page by page, using startindex and pagesize
parameters)...
.... everything works fine but I feel not safe since if someone sniffs the
webmethod call can call it with the same password and username and retrieve
my data as well... actually I expose Insert and Update methods as well so
someone can even write on my database, knowing username and password.
What can I do? Which are the best guidelines in this scenario?
Is there any way to pass SOAP calls and results on a secure channel? Should
I use ssl/https or is there any other way? I think ssl can make the
communication quite slow, doesn't it?
Thanks, regards, Davide.