C# - How To Secure A Web Service That Has Forms Authentication
Jul 2, 2010
I have a web service that's behind forms authentication. The site that hosts the service also serves as a site that requires a user to log in via the login page. I have a second site that needs to be able to access the service that the first site hosts. However, when attempting to access the service, it fails because the service requires that the user is logged in.
View 1 Replies
Similar Messages:
Jul 20, 2010
I am developing a web service for my Windows Mobile application..! But the new requirement is that the web service must be secure..! For example: my web service name is [URL]. Instead of that, the client wants to [URL]. How do I create an https web service..! I am using Visual Studio 2008, Windows 7.
View 1 Replies
Sep 23, 2010
When a web service is consumed from server side, the web service may be implemented in a way to check credentials of the caller. In the case of calling the web service from JavaScript, how to secure the service since no credentials can be passed into a JavaScript function because of the visibility in source view?
View 7 Replies
Jan 18, 2011
In my web site I'm using an ASP.NET web service (using JavaScript) to update certain values to the DB. I'm concerned about the security threats. How can I secure an ASP.NET Ajax web service using JavaScript?
View 6 Replies
Oct 16, 2010
I need advice on how to secure my WCF web service hosted in IIS. I am new to WCF and would appreciate any sample code, articles to help me restrict access to my WCF service.
I am in the process of testing and deploying a WCF service that will be available on the internet. I need to secure the web service so that only authorized clients can use the service. I need to be able to detect who the client is making the call to the service. The group I am building this service for wants to use certificate authentication or IP address to identify themselves to call my web service. They do not want to use user name and password.
I have found several articles and code snippets for getting the IP address of the client and certificate authentication. The problem I found trying to get the IP address of the client is that since my web service is hosted behind an F5 or some type of reverse proxy I cannot get the true IP of the client. The IP that the web service gets is the IP of the F5 or the reverse proxy.
For certificate authentication I followed the directions from the 9 simple steps to enable X.509 certificates on WCF, located here: http://www.codeproject.com/KB/WCF/9StepsWCF.aspx?msg=3181718. I had a few problems using this setup for my web service.
1) To me it seemed like as long as the user presented a valid certificate they would be able to call my web service.
2) Does certificate authentication work when the security mode is set to Transport? In my production environment only HTTPS traffic is allowed through. I set up certificate authentication on my service following the steps outlined in the article. I used the SSL certificate assigned to my server for the web services. For the client outside the network the service is hosted on, I used one of the certificates I generated when I tested the code locally. I changed the authentication mode of the certificate to chain trust for both the client and the server. I was able to call the service and receive a message. I thought that since my certificate was self-generated using the makecert command that the web services would not authenticate the client for the service.
How can I secure my services to only allow a few approved clients to call the service?
View 17 Replies
Feb 1, 2011
I have a web service that is set as secure via the web config:
<authentication mode="Windows" />
<authorization>
<allow roles="METWeb-Admin"/>
<deny users="*"/>
<allow users="METJoeUser;METJoeSmith"/>
</authorization>
And also in IIS 7 (Windows Server 2008) it has the following set for Authentication:
Anonymous Authentication: Disabled
ASP.NET Impersonation: Disabled
Basic Authentication: Disabled
Forms Authentication: Disabled
Windows Authentication: Enabled
The anonymous site I am calling it from in IIS7 is:
Anonymous Authentication: Enabled
ASP.NET Impersonation: Disabled
Basic Authentication: Disabled
Forms Authentication: Enabled
Windows Authentication: Disabled
In the Anonymous web site, I call the secure web service via:
moms.momService myMom = new moms.momService();
NetworkCredential netCred = new NetworkCredential(@"username", "password");
strStatus = myMom.createBackupDirectoryAndPrivs(sData);
Every time I run this, it returns as Unauthorized. I have made sure this user is in the Web-Admin AD Group. I also tried adding the user as an Allow User but still unauthorized. I am pretty sure the problem lies somewhere in IIS but not sure what else to check.
BTW: For what it's worth, if I run the Anonymous site via VS2010 development on my dev box, and call the secure site using above code, it works fine. This is why I am thinking IIS on the PROD server.
View 1 Replies
May 19, 2010
I have ASMX services for my web application that I would only like available to the same application. Is there a way for the web service to only be accessible by the same application, such as relative/absolute path restrictions?
View 3 Replies
Jan 23, 2010
I am writing two ASP.NET apps. One is a web service that provides XML data and the other is a web client that will use the service to display and manipulate data. I would like for the web service to do the membership authentication and authorization. Is there any way to simply point the login controls in my client application to the web service instead of to a database? I assume I would have to provide the necessary methods in my web service interface, which would then use the membership provider database I created and pass the results back through to the client.
Is this possible? I have seen many articles on security provision from a web service but none has really been what I am looking for. I was hoping that, since my service and my client are both written in ASP.NET, there might be some built functionality that would benefit me.
View 8 Replies
Aug 2, 2010
How do you secure a WCF web service when you are using the traditional "connection string in the web.config"?
I have added a WCF service to an application which uses a JQuery post and returns JSON. The request happens on the client side. The purpose of this service is to return search information while the person is typing text into a textbox.
It works well, but there is a problem because the application will be used by a number of people and I am maintaining a role-based security within the application's MS SQL database. The connection string to the database is in the web.config file.
In order to run the JQuery call to the web service the user must have at least read access directly to the database. I want to allow the application to control the access, but removing all security to the WCF service opens the application up for external access by unauthorized users.
View 3 Replies
Feb 9, 2011
I am invoking a WCF web service (.NET 4.0) via jQuery $.ajax() from an ASP.NET page. How can I secure the WCF service such that only authenticated ASP.NET users can invoke the service's methods? Do I need to imperatively check the forms authentication cookie manually in each service method, or is there a more declarative approach?
View 1 Replies
Aug 16, 2010
We've got some WCF services we're hosting via IIS. The application in general uses Forms Authentication, and we'd like to continue making that available for web service clients. We just have a <authorization><deny users="?"> in our web.config and some authentication/redirection goodness that gets everything done.
The problem is we'd like for users to be able to access the metadata for the services without authentication. Can they visit /services/v1/ArtifactService.svc?wsdl anonymously and yet still require authentication for /services/v1/ArtifactService.svc/rest/GetArtifacts?studyId=123? If so, I can't figure out the right incantation in the configuration.
The best I can think of is to set an absolute URL in the metadata service behavior, but then I have to doctor the path on install anywhere we deploy. (<serviceMetadata httpGetEnabled="true" httpGetUrl=[URL]
View 2 Replies
Aug 7, 2012
I have one web service. How can I give access to that web service to many users (with a secure method)? Now I am checking the URL and only doing it for one site. So what should I do?
View 1 Replies
Jul 13, 2010
My web application will be launched through existing thick client applications. When launched, an HTTP POST request will be generated including information like the userID and additional context information (basically stuff like the target user's name, birthday, etc.).
My plan for authentication is for there to be a look-up table in the database. If the username is already there, automatically login the user, but if there is no entry in the database, redirect the user to an initial login page which will be used to create that database entry.
My question is how to secure this against MITM and other security holes. How can the request generated through the thick client be on an SSL connection? Doesn't an SSL connection have to be authenticated with the username (and password) first? And if so, will the additional context information be publicly exposed until the user is logged in?
View 1 Replies
Oct 25, 2010
I have a browser compatibility problem with https. I have SSL installed and it is in usage. Until this morning, my https part was working well. From then, https is shown as https (with a slash in red color) saying the page has some insecure content. I have not changed any code and suddenly I see this problem in Chrome. In IE 8, I see the same problem, but on every page it shows me a popup asking if I should allow it to open secure and non-secure or just secure. Firefox has no issues. It shows correct https without any problem. I am fed up with searching all over. Why is this happening for me in Chrome and IE 8?
View 3 Replies
Oct 24, 2010
I have a custom mini login user control that I have embedded in the top of my website which shows on every page. These pages are non-secure HTTP://. I would like to avoid having to redirect the user to a HTTPS page to perform the login but I definitely don't want to send login credentials to the server in plain text.
I am trying to find a method to send the user's login credentials encrypted via https from a non-secure (http) page.
I tried to set the postbackurl for the login button to itself but in https, but the user's input is not retained and the buttonLogin_click is not fired when I set the button postbackurl property. My ASP.NET web application is VB.NET, Framework 4.0.
I am assuming this can be done because I see lots of websites where login fields are available on every page and they are running http and I can believe they are not encrypting the login credentials.
View 3 Replies
Feb 2, 2011
I have an ASP.NET site using Forms authentication. One of the aspx pages loads a WinForms user control hosted in IE. That control must connect with a WCF service located in the same ASP.NET web site. How can I make the WCF service secure? Currently I have set the WCF service to use AspNetCompatibilityRequirements mode but the user control hosted in IE can't connect to the WCF service as it isn't logged in.
View 1 Replies
Sep 15, 2010
I am new to Web services and .NET. I have to authenticate a web service that is being accessed using HTTP POST. I tried putting a custom SOAP header and sending it to the service and checking the header in the service, but the header object is always null in the service. Also, if I put the user and password options in HTTP headers, how can I validate them on the server? Client code:
private void button1_Click(object sender, EventArgs e)
{
HttpWebRequest request;
[code]...
View 1 Replies
Aug 10, 2010
I have a GUI. When I log in I create a cookie and encrypt it. I am using SSL.
I check in the Login.aspx page if the cookie is secure, which it is. But then before going to the default page it goes to the Global.ascx page.
Here in the Application_AuthenticateRequest it gets the cookie and decrypts it for the default page.
Now I know that it is getting the same cookie, as all the other attributes match the one that was created in the Login.aspx page, except that the secure value is "False".
This is the case for all other pages after default. The value of the cookie.secure is false.
Why is this happening, as I want all the pages to be secured by SSL?
Also the pages are opening as https, not http.
Here is my web.config:
[code]....
View 1 Replies
Jan 18, 2010
After logging in to the MVC site using a secure connection (https), calling actions using an https connection shows up with the user logged in, but calling actions using http it behaves as if the user didn't log on. Since I need to use a virtual directory for https connections (and can't use that directory for http connections), https links start with: [URL]
View 1 Replies
Sep 17, 2010
I'm working on a legacy web application - frames and a mixture of html, asp and aspx. The entire site is https. For some strange reason when I hit a specific page I get the magic message that says the Page contains both secure and nonsecure items. (IE obviously doesn't want to tell me what those resources are) I have checked the page that's being loaded and there are absolutely no http://... links - everything is relative links.
I have fired up fiddler and checked what's being requested - everything looks fine. I am completely at wit's end here. I have absolutely no idea why I'm getting this message, but it's completely screwing with the site.
View 3 Replies
Feb 10, 2011
how to publish a service with authentication
View 2 Replies
Aug 11, 2010
I have created a WCF service that will serve as an authentication service for a Silverlight client. The problem is that when I make a call to FormsAuthentication.SetAuthCookie in the Login method below, I get a null reference exception. I am following the 'Securing Applications Built on Silverlight and WCF' (http://www.componentart.com/community/blogs/milos/archive/2009/05/07/securing-applications-built-on-silverlight-and-wcf.aspx)
[Code]....
View 1 Replies
Dec 4, 2010
I want to create a web service that can authenticate users from my application. I will be sending user name and password from my app to the web service and that will deny or accept the user. I want to use forms authentication using SQL Server, so that this web service can be used by other team in my office so that they can just call the web service and the user will be authenticated.
Also, is it possible to use both forms and Windows authentication in my web service and authenticate the user both ways?
View 3 Replies
Feb 10, 2010
I am using .NET roles and membership model to manage user accounts in my system back-end.
If the request comes from within my web app, I can authenticate through the form.
But if the user is requesting from elsewhere, maybe their own apps, how do I do authentication?
Attach username and password (GET/POST) and then secure the line by SSL? Is that what I should do?
View 3 Replies
May 14, 2010
By default the web service is enabled for Windows authentication. But if we want to expose our service to the public domain, then I guess we have to use some specific credential for web service authentication. Can anyone tell me how to set those credentials at the service side and validate them for the client, and how the client will send those credentials?
View 1 Replies