Solved

How to secure (ASP.NET) Web Service Authorization

Posted on 2010-08-25
Last Modified: 2012-06-27
I'm building a web service with many methods, some of which are user specific and require I authorize the user. I found these articles on using soap headers to pass login information:

Since I don't want to pass the username / password in clear text, the first approach seems necessary to secure the login. But I was wondering if that's necessary. Is there any way to call a web service using SSL (or force a client to use SSL)? If that was possible, I wouldn't need to do the round trip with passing an encryption key / token to the client first.

Thanks in advance.
Question by:ZekeLA

Author Comment

by:ZekeLA
ID: 33526270
I think the second link addressed my security issue but maybe you know the answers to my follow up questions. According to the MSDN article, SSL can be used only if using Windows authentication. Since our users aren't Windows users, it sounds like I'll have to go with custom soap headers.

Does that sound correct to you?

Secondly, are there any usual practices about encrypting the soap header information? It looks like you need to get a token and then encrypt it. But for security, the token should expire at some point. Is there a rule of thumb as to how long the token should survive?

Thanks.
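
The pattern asked about in this thread (a custom SOAP header carrying a signed token that expires, on a service that refuses non-HTTPS calls), shown as an added example that is not part of the original posts. `AuthHeader`, `AccountService`, `GetProfile`, the key source and the 20-minute lifetime are assumptions, and user names are assumed not to contain `|`.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Services;
using System.Web.Services.Protocols;

// Hypothetical custom SOAP header: Token is "user|expiryTicks|base64(HMAC)".
public class AuthHeader : SoapHeader { public string Token; }

[WebService(Namespace = "http://example.invalid/")]   // placeholder namespace
public class AccountService : WebService
{
    public AuthHeader Auth;   // populated by ASP.NET from the incoming SOAP header

    // Assumptions: the key is loaded from protected configuration in a real
    // deployment, and 20 minutes is an arbitrary lifetime chosen for this example.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("replace-with-server-side-secret");
    static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(20);

    static string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Call only after the credentials have been verified over HTTPS.
    public static string IssueToken(string user)
    {
        string payload = user + "|" + DateTime.UtcNow.Add(Lifetime).Ticks;
        return payload + "|" + Sign(payload);
    }

    // Returns the user name, or null if the token is malformed, forged or expired.
    public static string ValidateToken(string token)
    {
        string[] p = (token ?? "").Split('|');
        long expiry;
        if (p.Length != 3 || !long.TryParse(p[1], out expiry)) return null;
        string expected = Sign(p[0] + "|" + p[1]);
        int diff = expected.Length ^ p[2].Length;           // constant-time compare
        for (int i = 0; i < expected.Length && i < p[2].Length; i++) diff |= expected[i] ^ p[2][i];
        return diff == 0 && expiry > DateTime.UtcNow.Ticks ? p[0] : null;
    }

    [WebMethod, SoapHeader("Auth")]
    public string GetProfile()
    {
        if (!Context.Request.IsSecureConnection)            // reject plain-HTTP calls
            throw new SoapException("HTTPS required", SoapException.ClientFaultCode);
        string user = Auth == null ? null : ValidateToken(Auth.Token);
        if (user == null) throw new SoapException("Invalid or expired token", SoapException.ClientFaultCode);
        return "profile for " + user;
    }
}
```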

Expert Comment

by:Anil Golamari
ID: 33526393
http://msdn.microsoft.com/en-us/library/ff649205.aspx ( to use ssl in web apps)

http://www.svendens.com/flex/soap-headers-in-flex-and-ws-security/ (regarding security token)

Hope these links shed some light on your questions.

Hope it helps you.


Accepted Solution

by:ZekeLA
ID: 33536876