Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1252
  • Last Modified:

securing restful wcf services

As I am building out my back end restful service(s), one of the things I am looking into is how to make the calls be secure, so that the calls cant be called from an authorized client. Especially since my services may have information that is very confidential and not something I want accessed unless you have permission to do so.

I have looked at OAUTH2 as one option, and this seems to be great on the server side of things, however how do you implement this over a http and where the client could be a mobile web page.

Does anyone have any experience with using OAUTH2 in a client environment where you have a mobile web page, that makes the call to the service and passes in whatever is needed for OAUTH2 to work over the client.

Any help ye can give would be appreciated. Thanks.
0
JDEE8297
Asked:
JDEE8297
  • 9
  • 4
  • 3
  • +1
4 Solutions
 
JDEE8297Author Commented:
It doesn't have to be with OAUTH, my main concern is to protect the calls to the service, so that it can't be called with some sort of verification process. And it has to work so that if I can call this from my jquery client code, rather than on the server, so any help you can give would be appreciated. Thanks.
0
 
Roopesh ReddyIT AnalystCommented:
Hi,

Basically, securing relates to using https. I feel it's the most secure way!!!

Moreover, OAUTH2 supports JavaScript as well - https://github.com/andreassolberg/jso

Hope it helps u...
0
 
JDEE8297Author Commented:
It is not just about keeping the data that goes back and forth being secure, https is a no brainer on that and was planning to go that route. What I am trying to make sure of that the calls to my service is only done from within my site and a third party where I have supplied key information that needs to be passed into the service.

Rather than someone finding the url and passing information out side of our control, to pull back the data. Some of this data is sensitive personal information, so I want to make sure it is totally secure.

I looked at DotNetOpenAuth as a possibility of doing this, but not sure if that is a viable solution, based on what I have seen of it.

Think of this using tokens where the call is made, and if the token is valid, then accept the call and if the token is invalid or not supplied then refuse the call.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
käµfm³d 👽Commented:
Is basic authentication an option?
0
 
JDEE8297Author Commented:
not really, as I dont want to prompt the end user for the username and password.
0
 
käµfm³d 👽Commented:
They would only be prompted if they did not submit the credentials in the request header, and then only if you send back the WWW-Authenticate header in the response.

I haven't worked with OAuth yet, so I cannot really comment on that.
0
 
JDEE8297Author Commented:
hmmmm.....how would you set that up in the request header, and how would you read it on the wcf call and would that information be in plain view within the source code of the page?

Keep in mind that my call will be coming from a web page, and not from the backend code of the page. Looking for js type solution.
0
 
käµfm³d 👽Commented:
Keep in mind that my call will be coming from a web page
Ah. Then the only way I know to do it is with Ajax, which means you would need the credential available to the script. A "no go" I presume  : \
0
 
JDEE8297Author Commented:
Yep that would be a negative on the credential in a script, which is what I am finding with restful wcf, If this was all running off of the server, then not an issue, but as soon as you go from the client being a web page then there is all kinds of issues that beats the purpose of this being secure.

One way that I have playing around with is using PGP as a possible way of doing this, which would be as the page is rendered to store the secret key (encrypted) on the page after the user has logged in and send that back to any future page requests on the site. The problem with this solution is that it means some more work on my end, and fear that I may be reinventing the wheel, which I am trying to avoid.
0
 
Roopesh ReddyIT AnalystCommented:
Hi,

Check this thread for some interesting discussion on the securing AJAX calls!

http://stackoverflow.com/questions/652851/securing-ajax-requests-via-guid

Hope it helps...
0
 
JDEE8297Author Commented:
I love the last comment, because that is what I am running into, dont want to reinvent the wheel and everything I am finding is telling me that it is not entirely possible to do. :)

I will checkout the other part of the answers I saw on the posting that you sent over, may be that will have something in there.


It really depends on what you're trying to accomplish by security. If you mean prevent unauthorized use of the HTTP endpoints there is very little you can do about it since the user will have full access to the HTML and JavaScript used to make the calls.

If you mean preventing someone from sniffing the data in the AJAX requests then I would just use SSL.

A GUID used in the way that you're suggesting is really just reinventing a session id cookie.
0
 
Roopesh ReddyIT AnalystCommented:
Hope you get some light on your issue!
0
 
JDEE8297Author Commented:
you and me both. :)
0
 
Jaime OlivaresSoftware ArchitectCommented:
JDEE8297,
Please consider the following:
HTTPS is a transport security, it will protect any client from others for sniffing their security elements, but it won't allow specific clients to access, while others not.
REST is a state-less architectural framework, that means that each call is independent from the other, so traditional session info won't work.
A typical implementation would be the following:
- Authenticate your clients as you wish, using HTTPS to prevent password stealing
- Once authenticated, create a mechanism in the RESTful interface to register a token (GUID or similar) associated to the user. This token can have an expiracy date/time and shall be saved somewhere in your RESTful infrastructure.
- In you WCF/REST implementation, include the Global.asax file. You will need to override the Application_BeginRequest event.
- For each AJAX call to the RESTful service, include that token as a HTTP header and verify if that token/user pair is valid on the Application_BeginRequest event. If not, return an HTTP Status Code = Unauthorized
0
 
JDEE8297Author Commented:
How do you send this thru the header, and more importantly how do you let other pages with in the site know about this value, so that it can be used in other calls during the user's session
0
 
Jaime OlivaresSoftware ArchitectCommented:
the token will be preserved across all your website's pages trough session state (notice this is not the REST service)
About how to send, that depends on how you invoke a REST resource (please specify), but there is always a way to insert a custom header.
0
 
Roopesh ReddyIT AnalystCommented:
Hi,

In that case, store an encrypted value in the client computer(using Cookies) and send the data in the Secure channnel - https!!!

Hope it helps u...
0
 
JDEE8297Author Commented:
Thanks to all of those who replied, greatly appreciated as always.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 9
  • 4
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now