How To Secure A Web Service Consumed With AJAX
Sep 23, 2010
When a web service is consumed from server side, the web service may be implemented in a way to check credentials of the caller. In the case of calling the web service from JavaScript, how to secure the service, since no credentials can be passed into a JavaScript function because of the visibility in source view?
View 7 Replies
Similar Messages:
Jan 18, 2011
In my web site I'm using Asp.net web service (using javascript) to update certain values to DB. I'm concerned about the security threats. How can I secure ASP.net Ajax web service using javascript?
View 6 Replies
Dec 14, 2010
I have hosted a WCF service with Windows authentication enabled in it. Excerpts from the web.config file are:
<basicHttpBinding>
<binding name="NewBinding0">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Ntlm" />
[code]...
View 1 Replies
Dec 21, 2010
I'm integrating a product from another vendor with our existing processes.
This product interfaces with our system via an ASP.NET Web Service. As in, I need to write an ASP.NET Web Service that has the particular method names and parameters that the vendor has specified.
Simple enough, but we're wanting to migrate as much stuff as possible to WCF. I haven't used WCF much yet, but as I see it it's the replacement for ASP.NET Web Services (and other things).
Seeing as how I cannot modify the vendor's product, the only way I could write this new web service using WCF is if a WCF Service can be consumed as if it were an ASP.NET Web Service (i.e., as far as the vendor's product is concerned, it is consuming an ASP.NET Web Service).
Can WCF Services be consumed in this way?
View 2 Replies
Jul 20, 2010
I am developing a web service for my Windows Mobile application..! But the new requirement is that the web service must be secure..! For example: my web service name is [URL]. Instead of that, the client wants [URL]. How do I create an https web service..! I am using Visual Studio 2008, Windows 7.
View 1 Replies
Jul 2, 2010
I have a webservice that's behind forms authentication. The site that hosts the service also serves as a site that requires a user to log in via the login page. I have a second site that needs to be able to access the service that the first site hosts. However, when attempting to access the service, it fails because the service requires that the user is logged in.
View 1 Replies
Oct 16, 2010
I need advice on how to secure my WCF web service hosted in IIS. I am new to WCF and would appreciate any sample code, articles to help me restrict access to my WCF service.
I am in the process of testing and deploying a WCF service that will be available on the internet. I need to secure the web service so that only authorized clients can use the service. I need to be able to detect who the client is making the call to the service. The group I am building this service for wants to use Certificate authentication or IP address to identify themselves to call my web service. They do not want to use user name and password.
I have found several articles and code snippets for getting the IP address of the client and Certificate authentication. The problem I found trying to get the IP address of the client is that since my web service is hosted behind an F5 or some type of reverse proxy I cannot get the true IP of the client. The IP that the web services get is the IP of the F5 or the reverse proxy.
For Certificate Authentication I followed the directions from the 9 simple steps to enable X.509 certificates on WCF located here
http://www.codeproject.com/KB/WCF/9StepsWCF.aspx?msg=3181718. I had a few problems using this setup for my web service. 1) To me it seemed like as long as the user presented a valid Certificate they would be able to call my web service.
2) Does Certificate Authentication work when the security mode is set to Transport? In my production environment only HTTPS traffic is allowed through. I set up Certificate authentication on my service following the steps outlined in the article. I used the SSL certificate assigned to my server for the web services. For the client outside the network the service is hosted on, I used one of the certificates I generated when I tested the code locally. I changed the authentication mode of the certificate to chain trust for both the client and the server. I was able to call the service and receive a message. I thought that since my certificate was self generated using the makecert command that the web services would not authenticate the client for the service.
How can I secure my services to only allow a few approved clients to call the service?
View 17 Replies
Feb 1, 2011
I have a web service that is set as secure via the web config:
<authentication mode="Windows" />
<authorization>
<allow roles="METWeb-Admin"/>
<deny users="*"/>
<allow users="METJoeUser;METJoeSmith"/>
</authorization>
And also in IIS 7 (Windows Server 2008) it has the following set for Authentication:
Anonymous Authentication: Disabled
ASP.NET Impersonation: Disabled
Basic Authentication: Disabled
Forms Authentication: Disabled
Windows Authentication: Enabled
The anonymous site I am calling it from in IIS7 is:
Anonymous Authentication: Enabled
ASP.NET Impersonation: Disabled
Basic Authentication: Disabled
Forms Authentication: Enabled
Windows Authentication: Disabled
In the Anonymous web site, I call the secure web service via:
moms.momService myMom = new moms.momService();
NetworkCredential netCred = new NetworkCredential(@"username", "password");
strStatus = myMom.createBackupDirectoryAndPrivs(sData);
Every time I run this, it returns as Unauthorized. I have made sure this user is in the Web-Admin AD Group. I also tried adding the user as an Allow User but still unauthorized. I am pretty sure the problem lies somewhere in IIS but not sure what else to check.
BTW: For what it's worth, if I run the Anonymous site via VS2010 development on my dev box, and call the secure site using above code, it works fine. This is why I am thinking IIS on the PROD server.
View 1 Replies
May 19, 2010
I have ASMX services for my web application that I would only like available to the same application. Is there a way for the web service to only be accessible by the same application, such as relative/absolute path restrictions?
View 3 Replies
Aug 2, 2010
How do you secure a WCF web service when you are using the traditional "connection string in the web.config"?
I have added a WCF service to an application which uses a JQuery post and returns JSON. The request happens on the client side. The purpose of this service is to return search information while the person is typing text into a textbox.
It works well, but there is a problem because the application will be used by a number of people and I am maintaining a role based security within the application's MS SQL database. The connection string to the database is in the web.config file.
In order to run the JQuery call to the web service the user must have at least read access directly to the database. I want to allow the application to control the access, but removing all security to the WCF service opens the application up for external access by unauthorized users.
View 3 Replies
Jul 13, 2010
My web application will be launched through existing thick client applications. When launched, an HTTP POST request will be generated including information like the userID and additional context information (basically stuff like the target user's name, birthday, etc.).
My plan for authentication is for there to be a look-up table in the database. If the username is already there, automatically login the user, but if there is no entry in the database, redirect the user to an initial login page which will be used to create that database entry.
My question is how to secure this against MITM and other security holes. How can the request generated through the thick client be on an SSL connection? Doesn't an SSL connection have to be authenticated with the username (and password) first? And if so, will the additional context information be publicly exposed until the user is logged in?
View 1 Replies
Oct 25, 2010
I have a browser compatibility problem with https. I have SSL installed and in use. Until this morning, my https part was working well. Since then, https is shown as https (with a slash in red color) saying the page has some insecure content. I have not changed any code and suddenly I see this problem in Chrome. In IE 8, I see the same problem, but on every page it shows me a popup asking if I should allow opening secure and non-secure content or just secure. Firefox has no issues. It shows correct https without any problem. I am fed up with searching all over. Why is this happening for me in Chrome and IE 8?
View 3 Replies
Oct 24, 2010
I have a custom mini login user control that I have embedded in the top of my website which shows on every page. These pages are non-secure HTTP://. I would like to avoid having to redirect the user to a HTTPS page to perform the login but I definitely don't want to send login credentials to the server in plain text.
I am trying to find a method to send the user's login credentials encrypted via https from a non-secure (http) page.
I tried to set the postbackurl for the login button to itself but in https, but the user's input is not retained and the buttonLogin_click is not fired when I set the button postbackurl property. My ASP.net web application is VB.Net framework 4.0.
I am assuming this can be done because I see lots of websites where login fields are available on every page and they are running http and I can believe they are not encrypting the login credentials.
View 3 Replies
Feb 2, 2011
I have an ASP.Net site using Forms authentication. One of the aspx pages loads a WinForms user control hosted in IE. That control must connect with a WCF service located in the same ASP.Net web site. How can I make the WCF service secure? Currently I have set the WCF service to use AspNetCompatibilityRequirements mode but the user control hosted in IE can't connect to the WCF service as it isn't logged in.
View 1 Replies
Sep 23, 2010
I was looking for a good/simple webservice which can be consumed using asp.net, but I can't find a free webservice that can be used with asp.net.
View 1 Replies
Oct 18, 2010
My team is building a game in Flash to be embedded in an asp.net application.
When the game is over the player has the chance to type his name to save his score. This is done using web services called from Flash. The webservice receives the name and score.
Since the webservice is publicly available, how can I make it only callable from my Flash given the following conditions:
The .swf is hosted by the same asp.net application. There are two domains that can access the same application (I have run previously into cross domain issues). Using SSL is not an option. The webservice has to be consumed by the .swf file.
View 1 Replies
Nov 8, 2010
I'd like to modify the value of my Sliding Expiration time span based on how much memory is available. If the site's traffic is high at any point in time, more data will be added to the cache than during quieter periods. During those quiet periods I can increase the sliding expiration time span, thus allowing data to be stored longer. But when the site is busy I need to free up memory so I'm happier with a shorter time span.
So I guess my questions are as follows: Is it possible for me to find out how much memory is being consumed by the items I've added to HttpRuntime.Cache? If so, how? Does this sound like a realistic solution to the problem I've described?
View 1 Replies
Sep 20, 2010
I need to write a webservice to be consumed by an application. The application will read the WSDL and provide me with the input output fields that I can utilise. The webservice output should be an array of string values. I have taken a dataset and can output that as XML but I need to provide a description in WSDL of what the output format will be and I cannot seem to get my head around that. What I need is something similar to [URL] but I do not know how to write the WSDL to give me a clear input and output structure in the definition.
View 1 Replies
Aug 10, 2010
I have a GUI; when I log in I create a cookie and encrypt it. I am using SSL.
I check in the Login.aspx page if the cookie is secure, which it is. But then before going to the default page it goes to the Global.ascx page.
Here in the Application_AuthenticateRequest it gets the cookie and decrypts it for the default page.
Now I know that it is getting the same cookie, as all the other attributes match the one that was created in the Login.aspx page except that the secure value is "False".
This is the case for all other pages after default. The value of the cookie.secure is false.
Why is this happening, as I want all the pages to be secured by SSL?
Also the pages are opening as https not http.
Here is my web.config:
[code]....
View 1 Replies
Jan 18, 2010
After logging in to the MVC site using a secure connection (https), calling actions using an https connection shows up with the user logged in, but calling actions using http behaves as if the user didn't log on. Since I need to use a virtual directory for https connections (and can't use that directory for http connections), https links start with: [URL]
View 1 Replies
Sep 17, 2010
I'm working on a legacy web application - frames and a mixture of html, asp and aspx. The entire site is https. For some strange reason when I hit a specific page I get the magic message that says the Page contains both secure and nonsecure items. (IE obviously doesn't want to tell me what those resources are) I have checked the page that's being loaded and there are absolutely no http://... links - everything is relative links.
I have fired up fiddler and checked what's being requested - everything looks fine. I am completely at wit's end here. I have absolutely no idea why I'm getting this message, but it's completely screwing with the site.
View 3 Replies
Jul 29, 2010
I have web service with reference of BO library in same application. My BO contains classes with some private members and respective public properties.
All of these private members had default values in a particular class, say Contact.cs. Now when I consume this webservice in a Windows Application, these already assigned values to the BO do not persist in the Windows Application code.
Is there any limitation such that you can serialize the default values associated with private members?
Even I have tried to assign these values directly to the properties in a constructor of Contact class.
View 5 Replies
Feb 3, 2011
I have created a Web Service which needs to be consumed by multiple environments (.Net, Java, Python, etc.), hence I have used List<list> as an out parameter (with the "OUT" keyword) in my Web service to return a value. My question is: will all the applications consuming my web service be able to get List as a return value? If not, can anyone help me out in getting return values from an asp.net web service that will be consumed by multiple environments?
eg.
bool WS_GetUser(string Name,out List<ICWS.InstanceType> instype);
View 2 Replies
Nov 19, 2010
I have an internal site used by employees of my company that uses ASP.Net 3.5, Ajax and the Ajax Control Toolkit and is secured using https and requires a client certificate to gain access to the site. We are getting the following error when updating drop down lists on the very first page of an application wizard we have built. The page uses an UpdatePanel with PartialPagePostbacks enabled.
Sys.WebForms.PageRequestManagerServerErrorException:
An unknown error occurred while processing the request on the server. The status code returned from the server was: 413
ScriptResource.axd Line: 5
Code: 0 Char: 62099.
I have increased the maxRequestLength value to 8192Kb (which is way overkill), the readAheadBuffer to 4096Kb, set all the timeouts I can find, and this problem keeps showing up for my users. I can reproduce the error if I let the initial page sit idle for 2-3 minutes before doing the partial page postback to move to the next segment. I have been chasing this now for a couple of weeks, and keep coming back to the same sites with the same answers.
View 4 Replies
May 13, 2010
I have a 2 part question for web user controls: 1. I want to have an event fire in my user control, but have it be consumed by the parent page, like:
<asp1:Object id="objectMain" runat="server" OnClick="Click" />
Is it possible to do this? Or do I need to make a server control for this functionality? I have it being able to be set in the Page_Init, but I'd like to make it as similar to actual controls as possible. Also, if it is possible to access via the Events section under Properties, that would be good.
2. I am trying to register the web user control as an AsyncPostbackTrigger for another UpdatePanel. With the previous question in mind, is it also possible to set this via the GUI, or does this need to be set programmatically as well?
View 1 Replies