Solved

How to secure (ASP.NET) Web Service Authorization

Posted on 2010-08-25
Last Modified: 2012-06-27
I'm building a web service with many methods, some of which are user specific and require I authorize the user. I found these articles on using soap headers to pass login information:

Since I don't want to pass the username / password in clear text, the first approach seems necessary to secure the login. But I was wondering if that's necessary. Is there any way to call a web service using SSL (or force a client to use SSL)? If that was possible, I wouldn't need to do the round trip with passing an encryption key / token to the client first.

Thanks in advance.
Question by:ZekeLA

Expert Comment

by:Anil Golamari
ID: 33525436

Author Comment

by:ZekeLA
ID: 33526270
I think the second link addressed my security issue but maybe you know the answers to my follow up questions. According to the MSDN article, SSL can be used only if using Windows authentication. Since our users aren't Windows users, it sounds like I'll have to go with custom SOAP headers.

Does that sound correct to you?

Secondly, are there any usual practices about encrypting the SOAP header information? It looks like you need to get a token and then encrypt it. But for security, the token should expire at some point. Is there a rule of thumb as to how long the token should survive?

Thanks.

Expert Comment

by:Anil Golamari
ID: 33526393
http://msdn.microsoft.com/en-us/library/ff649205.aspx (to use SSL in web apps)

http://www.svendens.com/flex/soap-headers-in-flex-and-ws-security/ (regarding security token)

Hope these links shed some light on your questions.

Hope it helps you.


Accepted Solution

by:
ZekeLA earned 0 total points
ID: 33536876