Web Service Security

I was wondering, how would I secure a web service? I have heard about WSE; however, I do not understand it completely. Can someone point me to a tutorial about WSE or some other sort of way to secure my web service?

I want the client to be able to use the username and password pair to log in to the client AND be able to access the data on the web services. How do other companies secure their web services so that certain individuals can access web methods and certain ones can't?

Thanks!


  • Sahil Malik

    Please also refer to the following MSDN documentation and guidelines:
       http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh12.asp

    Daniel Roth

  • JeffSchwartz1

    <caveat>I'm going to make a few assumptions here, so if your architecture doesn't match, then this solution may not be a good fit for you.</caveat>

    One of the easiest ways I've found to secure web services is through Windows authentication.  If the client consuming the web service is a WinForms client, or an ASP.Net page that is operating within Windows Authentication itself, then you are all set.  Here's all you have to do:

    1) Set up your web service to use Windows Authentication.  In IIS, make sure that anonymous access is turned off for your web service application.  Then in the web.config for your web service, ensure the following settings:

    <authentication mode="Windows" />
    <identity impersonate="true" />

    2) Add code to your client app to send credentials.  Here's a sample:

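    // Create the web service proxy.
    Service1 svc = new Service1();
    // Send authentication information with the request instead of waiting for a challenge.
    svc.PreAuthenticate = true;
    // Use the Windows credentials of the currently logged-on user.
    svc.Credentials = System.Net.CredentialCache.DefaultCredentials;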

    Now you can secure your webservice using ACLs (just like you would a network share), and the user doesn't have to supply new credentials (single sign-on).

    Again, unless your client app has access to valid credentials, this won't work very well.  You can create a set of credentials (see the System.Net.NetworkCredential class) by prompting the user, but then you lose the single sign-on capability.

    As for WSE Security, I found this article on security in WSE 2.0: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwse/html/wssecdrill.asp.  I had started to use WS-Security, but when I found out how easy it was to use Windows authentication, I decided to go that route.

    Cheers,
    Todd
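
Once the service uses Windows authentication as in the answer above, individual web methods can be limited to particular Windows groups, which is the per-method access the question asks about. This is an added example, not code from the thread; the group names `CONTOSO\OrderReaders` and `CONTOSO\OrderAdmins`, the namespace URI, the method names and the sample data are hypothetical.

```csharp
// Added example, not from the original thread. Assumes the web.config shown in
// the answer (authentication mode="Windows") and anonymous access disabled in IIS.
// Group names, namespace URI, method names and sample data are hypothetical.
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Web.Services;

[WebService(Namespace = "http://example.com/orders")]
public class Service1 : WebService
{
    // Constructed in-memory data standing in for a real store.
    private static readonly List<string> Orders =
        new List<string>(new string[] { "order-1", "order-2" });

    // Any authenticated Windows user may call this; anonymous callers are rejected.
    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public string WhoAmI()
    {
        return User.Identity.Name; // DOMAIN\user taken from the Windows token
    }

    // Declarative check: the runtime throws SecurityException before the method
    // body runs unless the caller is in the named Windows group.
    [WebMethod]
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\OrderReaders")]
    public string[] GetOrders()
    {
        lock (Orders) { return Orders.ToArray(); }
    }

    // Imperative check: useful when the decision depends on arguments or data.
    [WebMethod]
    public bool DeleteOrder(string orderId)
    {
        if (!User.IsInRole(@"CONTOSO\OrderAdmins"))
        {
            throw new SecurityException("Caller is not authorized to delete orders.");
        }
        lock (Orders) { return Orders.Remove(orderId); }
    }
}
```

A failed demand reaches the client as a SOAP fault, so the client should treat that fault as "access denied" rather than retrying.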
