473,839 Members | 1,438 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Securing web service

Hi

How can I make sure that no one else can call and receive data from my web
methods?

Thanks

Regards
Nov 21 '05 #1
6 2424
Turn the server off.

"John" <jo**@nospam.in fovis.co.uk> wrote in message
news:#s******** *****@tk2msftng p13.phx.gbl...
Hi

How can I make sure that no one else can call and receive data from my web
methods?

Thanks

Regards

Nov 21 '05 #2
That was a nice joke. LOL.

Well, I assume that you don't want to give access to your webservice to the
unauthorized users.

1.Use sessions in your web methods in application layer
2.Use SSL in transport layer

More can be found under
http://msdn.microsoft.com/library/de...SecNetch10.asp
http://msdn.microsoft.com/library/de...OAPHeaders.asp

Regards,
R.Balaji
"Dale" <da************ @msndotcomNot.N et> wrote in message
news:ua******** ******@TK2MSFTN GP10.phx.gbl...
Turn the server off.

"John" <jo**@nospam.in fovis.co.uk> wrote in message
news:#s******** *****@tk2msftng p13.phx.gbl...
Hi

How can I make sure that no one else can call and receive data from my web methods?

Thanks

Regards


Nov 21 '05 #3
You could only send the wsdl defining your service to the people who are
entitled to use it, i.e. Don't publish the WSDL which would include endpoint
details etc.

Additionally you could look at implementing WS-Security frim MS. This would
validate any user who tried to use your service. The implementation is very
straightforward ..
Search for "WS-Security Authentication and Digital Signatures with Web
Services Enhancements" in msdn.
"John" <jo**@nospam.in fovis.co.uk> wrote in message
news:%2******** *******@tk2msft ngp13.phx.gbl.. .
Hi

How can I make sure that no one else can call and receive data from my web
methods?

Thanks

Regards

Nov 21 '05 #4
I've always put a username / password params in each of my web methods. I
then validate the user on each method call, and THEN do the real work of the
web method.

You can authenticate that username / password against a hardcoded value, a
database value, or a web.config value.

Michael

"John" <jo**@nospam.in fovis.co.uk> wrote in message
news:%2******** *******@tk2msft ngp13.phx.gbl.. .
Hi

How can I make sure that no one else can call and receive data from my web
methods?

Thanks

Regards

Nov 21 '05 #5
John wrote:
How can I make sure that no one else can call and receive data
from my web methods?


Rather than hardcoding security logic into your applications
(as described in separate answers in this thread) you can use
a separate SOAP Firewall that allows you to

- integrate security transparently (i.e. without modifying
application code) even in multi-vendor deployments

- manage your security policies centrally, using a professional
admin console GUI

You may want to take a look at Xtradyne's WS-DBC (Domain Boundary
Controller), which delivers comprehensive security and enterprise-
grade performance. See http://www.xtradyne.com for more info.

Regards, Gerald.
--
Dr. Gerald Brose mailto:br***@xt radyne.com
Xtradyne Technologies http://www.xtradyne.com
Schoenhauser Allee 6-7, Phone: +49-30-440 306-27
D-10119 Berlin, Germany Fax : +49-30-440 306-78
Nov 21 '05 #6
Your username/password can be viewed by attacker, if your transport is HTTP.
Then he can do something else after obtain username/password. He can also
changed the request message with know what's the meaning of original message,
withoud detected by your web service. Best way is to go with SSL using client
certificate as security token, to encrypt and sign message. search WSE in
MSDN.

"Michael Pearson" wrote:
I've always put a username / password params in each of my web methods. I
then validate the user on each method call, and THEN do the real work of the
web method.

You can authenticate that username / password against a hardcoded value, a
database value, or a web.config value.

Michael

"John" <jo**@nospam.in fovis.co.uk> wrote in message
news:%2******** *******@tk2msft ngp13.phx.gbl.. .
Hi

How can I make sure that no one else can call and receive data from my web
methods?

Thanks

Regards


Nov 21 '05 #7

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

1
1474
by: Bruno Desthuilliers | last post by:
Hi everyone ! Could someone point me to infos about securing python for use as CGI or mod_python for a shared hosting environnement ? I searched google, but did not find anything specific :( I'm not an admin myself, but I try to convince my hosting admins to install Python. For now, their answser is that they don't know how to secure this, and have not time to learn how to do it. (NB : this is a
0
1148
by: RamseytheScot | last post by:
At the moment we have a httphandler. This handler connects to services and redirect messages to this service. To use this service you have to log on using a Username and Password. This Username and password are saved in the WMI. This by it self is a not very secure thing. Any idear of saving these username and passwords in a more secure fasion, without hard coding them. We are running IIS 5 on Win2000 maybe even Win2003 when we go into...
2
1613
by: James | last post by:
What's the best way of securing online databases and web services? At present I am using a database password, which of course is not hard-coded into the web service, but this means re-submitting it with every function call from my windows client. Any alternatives?
11
3444
by: Wm. Scott Miller | last post by:
Hello all! We are building applications here and have hashing algorithms to secure secrets (e.g passwords) by producing one way hashes. Now, I've read alot and I've followed most of the advice that made sense. One comment I've seen alot about is "securing the hashing routine" but no-one explains how to accomplish this. So how do I secure my hashing routine? Do I use code access security, role based security, ACLs, etc or combination?...
1
1445
by: Scott McChesney | last post by:
Folks - We are running around and around here on a project we're developing, and I'm getting to the point that I don't know what I do and don't know. So I need some assistance. We are developing a web service that connects to an external LDAP server to validate a username/password that the user enters from a login page. Right now, we're concerned about interaction with an ASP.NET website, but this web service will also be used by...
1
2696
by: The Fox | last post by:
How to prevent user to add web reference to my web services? Can I add password to web services so that only the users who know the password can add a web reference? Thanks in advance.
0
963
by: David Tandberg-Johansen | last post by:
Hi! First of all, I am kind of a newbie. I am planning an project where I gonna use an web service and a desktop-client, but I have stumbled over a problem. The IIS server that i am planning to use in my project serves the company website. The website runs on default port 80 and can be accessed by anyone, but I don't want the service to be public.
4
1390
by: KJ | last post by:
Hello All, I have to secure my first real B2B web service. Could you please provide some guidance as to which method of security I should use. One caveat is that we will not be using SSL on the server side as per the networking department. Windows authentication is also probably not an option, as this web service will be interacting between two separately located companies. I have read a little bit about passing credentials in SOAP...
2
1500
by: The Big Fat Sloppy Pig! | last post by:
x-no-archive: yes Hi All: I'm sort of "new" to doing this so I was wondering if anyone can offer some additional insight/suggestions. I've created a web-service that will be receiving some customer-critical information. I've written both the client application and the web-service. We need to make sure the data is "non-translatable" as much as possible.
4
323
by: =?Utf-8?B?aGlsZXlq?= | last post by:
Hi, I'm developing a web service that needs to communicate with a custom application on an intranet. There is also a configuration utility which may be run on a different server machine for setting up and altering parameters on the service. This configuration web application may be browsed to via intranet or internet. This is the first work I've done with web services, so sorry for any incorrect terminology or nonsense statements.
0
9856
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
0
10914
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
10299
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
0
9434
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
1
7834
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
5872
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
4495
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
2
4071
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
3
3136
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.