How To Secure Ajax Web Service Using Javascript
Jan 18, 2011
In my web site I'm using an ASP.NET web service (using JavaScript) to update certain values in the DB. I'm concerned about the security threats. How can I secure an ASP.NET Ajax web service using JavaScript?
View 6 Replies
Similar Messages:
Sep 23, 2010
When a web service is consumed from server side, the web service may be implemented in a way to check credentials of the caller. In the case of calling the web service from JavaScript, how to secure the service since no credentials can be passed into a JavaScript function because of the visibility in source view?
View 7 Replies
Apr 6, 2010
I am using ASP.Net 3.5. I have filled a dropdown list in JavaScript using an ajax service but am unable to get its selected value in the button click event on the server side.
View 1 Replies
Jul 20, 2010
I am developing a web service for my Windows Mobile application. But the new requirement is that the web service must be secure. For example: my web service name is [URL]. Instead of that, the client wants [URL]. How do I create an https web service? I am using Visual Studio 2008, Windows 7.
View 1 Replies
Jul 2, 2010
I have a webservice that's behind forms authentication. The site that hosts the service also serves as a site that requires a user to log in via the login page. I have a second site that needs to be able to access the service that the first site hosts. However, when attempting to access the service, it fails because the service requires that the user is logged in.
View 1 Replies
Oct 16, 2010
I need advice on how to secure my WCF web service hosted in IIS. I am new to WCF and would appreciate any sample code, articles to help me restrict access to my WCF service.
I am in the process of testing and deploying a WCF service that will be available on the internet. I need to secure the web service so that only authorized clients can use the service. I need to be able to detect who the client is making the call to the service. The group I am building this service for wants to use Certificate authentication or IP address to identify themselves to call my web service. They do not want to use user name and password.
I have found several articles and code snippets for getting the IP address of the client and Certificate authentication. The problem I found trying to get the IP address of the client is that since my web service is hosted behind an F5 or some type of reverse proxy I cannot get the true IP of the client. The IP that the web service gets is the IP of the F5 or the reverse proxy.
For Certificate Authentication I followed the directions from the 9 simple steps to enable X.509 certificates on WCF located here: http://www.codeproject.com/KB/WCF/9StepsWCF.aspx?msg=3181718. I had a few problems using this setup for my web service.
1) To me it seemed like as long as the user presented a valid Certificate they would be able to call my web service.
2) Does Certificate Authentication work when the security mode is set to Transport? In my production environment only HTTPS traffic is allowed through. I set up Certificate authentication on my service following the steps outlined in the article. I used the SSL certificate assigned to my server for the web services. For the client outside the network the service is hosted on, I used one of the certificates I generated when I tested the code locally. I changed the authentication mode of the certificate to chain trust for both the client and the server. I was able to call the service and receive a message. I thought that since my certificate was self generated using the makecert command that the web services would not authenticate the client for the service.
How can I secure my services to only allow a few approved clients to call the service?
View 17 Replies
Feb 1, 2011
I have a web service that is set as secure via the web config:
<authentication mode="Windows" />
<authorization>
<allow roles="METWeb-Admin"/>
<deny users="*"/>
<allow users="METJoeUser;METJoeSmith"/>
</authorization>
And also in IIS 7 (Windows Server 2008) it has the following set for Authentication:
Anonymous Authentication: Disabled
ASP.NET Impersonation: Disabled
Basic Authentication: Disabled
Forms Authentication: Disabled
Windows Authentication: Enabled
The anonymous site I am calling it from in IIS7 is:
Anonymous Authentication: Enabled
ASP.NET Impersonation: Disabled
Basic Authentication: Disabled
Forms Authentication: Enabled
Windows Authentication: Disabled
In the Anonymous web site, I call the secure web service via:
moms.momService myMom = new moms.momService();
NetworkCredential netCred = new NetworkCredential(@"username", "password");
strStatus = myMom.createBackupDirectoryAndPrivs(sData);
Every time I run this, it returns as Unauthorized. I have made sure this user is in the Web-Admin AD Group. I also tried adding the user as an Allow User but still unauthorized. I am pretty sure the problem lies somewhere in IIS but not sure what else to check.
BTW: For what it's worth, if I run the Anonymous site via VS2010 development on my dev box, and call the secure site using above code, it works fine. This is why I am thinking IIS on the PROD server.
View 1 Replies
May 19, 2010
I have ASMX services for my web application that I would only like available to the same application. Is there a way for the web service to only be accessible by the same application, such as relative/absolute path restrictions?
View 3 Replies
Apr 22, 2010
I had written code to use a web service using ScriptManager... Everything works fine with (IE 8, 7 in XP and Win Server 2003) but in Win Server 2008 IE 8 JavaScript is not invoking the web method.
View 4 Replies
May 18, 2010
I'm trying to learn AJAX but I am having trouble getting things working. I downloaded an example app from the web that was written in C# and have got it working perfectly; the next step was to convert it into VB but for some reason this does not work. I keep getting an "Error: 'myServices' is undefined" error message on the web page. Try as I might I cannot cure this and I know it is something so simple I'm just looking past it.
I'm trying to get some autotext functionality working but I've cut the code right down just to try and get it working. Everything seems to work fine apart from the webservice call, which returns the 'undefined' error. If I click the button on the web page the code behind is invoked and the webservice code is also run without problems. I just can't figure out why I can't run the webservice directly from the web page.
The code
Default.aspx html/javascript
<%@ Page Language="VB" AutoEventWireup="True" CodeFile="Default.aspx.vb" Inherits="_Default" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>Untitled Page</title>
[code]....
View 3 Replies
Aug 2, 2010
How do you secure a WCF web service when you are using the traditional "connection string in the web.config"?
I have added a WCF service to an application which uses a JQuery post and returns JSON. The request happens on the client side. The purpose of this service is to return search information while the person is typing text into a textbox.
It works well, but there is a problem because the application will be used by a number of people and I am maintaining role-based security within the application's MS SQL database. The connection string to the database is in the web.config file.
In order to run the JQuery call to the web service the user must have at least read access directly to the database. I want to allow the application to control the access, but removing all security to the WCF service opens the application up for external access by unauthorized users.
View 3 Replies
Jan 13, 2011
I created a number of standard WCF Services (Service Contract and Host (svc) are in separate assemblies). I fired up a Web Site in IIS to host the Services (i.e., address is [URL]). Then in my Web Site project I added the reference. I am able to call the services normally. I need to call some of the services client side. Not sure if I should be looking at articles calling WCF services through AJAX, JQuery, or JSON enabled WCF Services. Some of the changes I made were adding the following to the Operation Contract:
[OperationContract]
[WebInvoke(Method = "POST", UriTemplate = "SetFoo")]
void SetFoo(string Id);
Then this above the implementation of the interface:
[AspNetCompatibilityRequirements(RequirementsMode =
AspNetCompatibilityRequirementsMode.Allowed)]
Then in the service webconfig I have this (parens are angle brackets):
<serviceHostingEnvironment aspNetCompatibilityEnabled="true">
<baseAddressPrefixFilters>
<add prefix=[URL]>>
</baseAddressPrefixFilters>
</serviceHostingEnvironment>
<serviceHostingEnvironment multipleSiteBindingsEnabled="false" />
Then in the client side I attempted this:
<asp:ScriptManagerProxy ID="ScriptManagerProxy1" runat="server">
  <CompositeScript>
    <Scripts>
      <asp:ScriptReference Path=[URL]/>
    </Scripts>
  </CompositeScript>
</asp:ScriptManagerProxy>
I am attempting to call the service like this in JavaScript: wcfservices.SetFoo(string Id); Nothing is working. If it is ideal or a better solution to call JSON enabled, JQuery, etc., I am willing to make any changes.
View 1 Replies
Mar 18, 2010
I've searched far and wide, but can't find out why this is happening. I have a clientside javascript ajax call into a web service that works fine if both the service and the calling page are in the same directory. If I try to move the web service to another virtual directory, I get this:
Exception type: InvalidOperationException Exception message: Request format is unrecognized for URL unexpectedly ending in '/js'.
Here are the relevant code tidbits for the separate directories attempt.
aspx file:
[Code]....
CallYahooQuotesServiceMethods.js:
[Code]....
asmx file:
[Code]....
I tried this in my web.config, but it didn't work:
[Code]....
Authentication mode is Windows. If I have to impersonate to do this, I'm not sure how I'd pull it off with Javascript.
View 2 Replies
Jan 21, 2010
I am looking to incorporate web service into my application but am running into a problem. The following line of code in FwkComm.js document generates the following error: Microsoft JScript runtime error: 'FwkService' is undefined.
[Code]....
View 3 Replies
Jul 12, 2010
I have a web application and there are two dropdowns. I want to use JavaScript to populate the second dropdown on the basis of the selection of the first dropdown.
View 2 Replies
Mar 7, 2010
How can I pass two variable values to a web service web method using JavaScript and a DynamicPopulateExtender?
Some background of my issue:
I have a fully working cascading drop down list accessing a database.
My parent Cascading Drop Down List is a list of countries and the child displays the relative regions i.e.: USA returns Iowa, Maryland, Oregon etc.
I also have a 3rd Drop Down List control that allows the user to select the language to display the region details i.e.: Selecting the language of Chinese will return a list of regions of the USA in Chinese (held in the database).
I now want to display the translated country name from the 3rd Drop Down List in a label on the page.
I cannot just use the text from the country drop down list as this text value remains in English. The translated value must be returned from the database.
So far, I have installed a DynamicPopulateExtender:
[Code]....
I then wrote a web method (in the Cascading Drop Down local Web Service) to return the translated country name. To do this I have had to hard code the countryID (10663) and the translationLanguageID (1331) as shown below:
[Code]....
This does return the translated country name, but the variables are hard coded!
My question is how do I pass the countryID and the translationLanguageID to the Web Method GetTranslatedCountryName() from the DynamicPopulateExtender? Or even if there is a better way to achieve my task?
View 2 Replies
Mar 17, 2010
I'm developing an ASP.NET application that interfaces with Google Maps and retrieves marker information from a database. The marker information is split into tables in the database, where the name of the table reflects a company (e.g. CompanyA_MarkerData, CompanyB_MarkerData etc). In order to periodically update the map with new marker data, I use setTimeout in JavaScript to regularly call my 'UpdateMarkers' JavaScript function. 'UpdateMarkers' makes a call to a web service which performs the database query and returns a list of markers back to the JavaScript, which in turn updates the map.
The main issue I have with this method is that my web service requires that I pass it the name of the company so that it knows which table in the database to access. As you can imagine, this poses a security risk as anyone can pass a different company name to the web service and be able to retrieve the data from other companies, as well as their own.
In order to avoid this problem, I am restructuring my program as follows: When the system administrator creates users for my application, they can also assign a company ID to this user. The company ID is stored using the Profile object in ASP.NET. I am moving the web service code into a class with shared functions so that they can be called only within my pages (but not by anyone, like with web services). The functions will still require a company name to be passed to them. However, rather than the JavaScript making direct calls to these shared functions, the JavaScript will call a set of page methods (which as I understand it, are not public like web services). These page methods will then use the Profile object to retrieve the company name attached to the user currently logged in and then make a call to my shared database functions and return the info back to the JavaScript.
I think that this second method is more secure than the first, because I don't allow the client to pass different options to my code and retrieve unauthorized data. The server side code works out the parameters that need to be sent. However, I am wondering if there is a better way of doing this that I am missing out?
View 1 Replies
Apr 1, 2011
Scenario : I am going to access external web service [ExternalWS] using AJAX. So obviously, need to create local proxy service [LocalProxyWS] first, which in turn will access the external web service. Now, the external service webmethod [Process] basically redirects the current page on our site to their site, does some work and then return back to our site.
What I want : I want that when the user clicks the button ('Process') on our site, it should open a new window and then starts executing the request on the new window, so that I can have the page on my website to be displayed permanently (which will poll a request every 15 seconds to the external service (via local proxy) for the status).
Local Proxy service which calls external service is as follows..
[ServiceContract(Namespace = "LocalProxy")]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
public class LocalProxyToExternalService
{
[OperationContract]
public void InitiateTransaction(string amount)
Basically, I am opening a new window from the button click and then want to process the new request in that new window, so that I can show the status to the user from the current page on my website. So far, it opens the new window, but doesn't transfer the request on to that, but I get an error message in firebug as follows...
View 1 Replies
Jun 6, 2010
We use a Captcha control in a registration form where we do full client validation for all fields in JavaScript (JQuery) besides server validation. I tried a lot of ways but all of them write the Captcha value in JavaScript, where it can be accessed by anyone :( I am searching for whether there is any way that allows me to validate the Captcha value on the client side using JQuery in a secure way, or whether it can't be done?
View 3 Replies
Apr 6, 2010
I am using asp.net 3.5. I filled dropdown list in javascript using ajax service but unable to get its selected value in button click event on server side.
View 3 Replies
Jul 13, 2010
My web application will be launched through existing thick client applications. When launched, an HTTP POST request will be generated including information like the userID and additional context information (basically stuff like the target user's name, birthday, etc.).
My plan for authentication is for there to be a look-up table in the database. If the username is already there, automatically login the user, but if there is no entry in the database, redirect the user to an initial login page which will be used to create that database entry.
My question is how to secure this against MITM and other security holes. How can the request generated through the thick client be on an SSL connection? Doesn't an SSL connection have to be authenticated with the username (and password) first? And if so, will the additional context information be publicly exposed until the user is logged in?
View 1 Replies
Oct 25, 2010
I have a browser compatibility problem with https. I have SSL installed and it is in use. Until this morning, my https part was working well. Since then, https is shown as https (with a slash in red color) saying the page has some insecure content. I have not changed any code and suddenly I see this problem in Chrome. In IE 8, I see the same problem but on every page it shows me a popup asking if I should allow it to open secure and non-secure content or just secure. Firefox has no issues. It shows correct https without any problem. I am fed up with searching all over for it. Why is this happening for me in Chrome and IE 8?
View 3 Replies
Oct 24, 2010
I have a custom mini login user control that I have embedded in the top of my website which shows on every page. These pages are non-secure HTTP://. I would like to avoid having to redirect the user to an HTTPS page to perform the login but I definitely don't want to send login credentials to the server in plain text.
I am trying to find a method to send the user's login credentials encrypted via https from a non-secure (http) page.
I tried to set the postbackurl for the login button to itself but in https, but the user's input is not retained and the buttonLogin_click is not fired when I set the button postbackurl property. My ASP.net web application is VB.Net framework 4.0
I am assuming this can be done because I see lots of websites where login fields are available on every page and they are running http and I can believe they are not encrypting the login credentials.
View 3 Replies
Feb 2, 2011
I have an ASP.Net site using Forms authentication. One of the aspx pages loads a WinForms user control hosted in IE. That control must connect with a WCF service located in the same ASP.Net web site. How can I make the WCF service secure? Currently I have set the WCF service to use AspNetCompatibilityRequirements mode but the user control hosted in IE can't connect to the WCF service as it isn't logged in.
View 1 Replies
Aug 10, 2010
I have a GUI; when I log in I create a cookie and encrypt it. I am using SSL.
I check in the Login.aspx page if the cookie is secure, which it is. But then before going to the default page it goes to the Global.asax page.
Here in the Application_AuthenticateRequest it gets the cookie and decrypts it for the default page.
Now I know that it is getting the same cookie as all the other attributes match the one that was created in the Login.aspx page, except that the secure value is "False".
This is the case for all other pages after default. The value of cookie.secure is false.
Why is this happening, as I want all the pages to be secured by SSL?
Also the pages are opening as https, not http.
Here is my web.config
[code]....
View 1 Replies