Solved

How to secure (ASP.NET) Web Service Authorization

Posted on 2010-08-25
4
646 Views
Last Modified: 2012-06-27
I'm building a web service with many methods, some of which are user specific and require I authorize the user. I found these articles on using soap headers to pass login information:

Since I don't want to pass the username / password in clear text, the first approach seems necessary to secure the login. But I was wondering if that's necessary. Is there any way to call a web service using SSL (or force a client to use SSL)? If that was possible, I wouldn't need to do the round trip with passing a encryption key / token to the client first.

Thanks in advance.
0
Comment
Question by:ZekeLA
  • 2
  • 2
4 Comments
 
LVL 18

Expert Comment

by:Anil Golamari
ID: 33525436
0
 
LVL 1

Author Comment

by:ZekeLA
ID: 33526270
I think the second link addressed my security issue but maybe you know the answers to my follow up questions. Accordign the msdn article, SSL can be used only if using Windows authentication. Since our users aren't Windows users, it sounds like I'll have to go with custom soap headers.

Does that sound correct to you?

Secondly, are there any usual practices about encrypting the soap header information? It looks like you need to get a token and then encrypt it. But for security, the token should expire at some point. Is there a rule of thumb as to how long the token should survive?

Thanks.
0
 
LVL 18

Expert Comment

by:Anil Golamari
ID: 33526393
http://msdn.microsoft.com/en-us/library/ff649205.aspx ( to use ssl in web apps)

http://www.svendens.com/flex/soap-headers-in-flex-and-ws-security/ (regarding security token)

Hope these links shade some light on your questions.

Hope it helps you.

0
 
LVL 1

Accepted Solution

by:
ZekeLA earned 0 total points
ID: 33536876
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ASP.NET gridview select textbox on focus 2 33
What namespace do I need to import? 2 25
VB.NET 2008 Publish Error 2 24
Expression Evaluater 3 24
ASP.Net to Oracle Connectivity Recently I had to develop an ASP.NET application connecting to an Oracle database.As I am doing it first time ,I had to solve several problems. This article will help to such developers  to develop an ASP.NET client…
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now