JDEE8297
asked on
securing restful wcf services
As I am building out my back end restful service(s), one of the things I am looking into is how to make the calls be secure, so that the calls cant be called from an authorized client. Especially since my services may have information that is very confidential and not something I want accessed unless you have permission to do so.
I have looked at OAUTH2 as one option, and this seems to be great on the server side of things, however how do you implement this over a http and where the client could be a mobile web page.
Does anyone have any experience with using OAUTH2 in a client environment where you have a mobile web page, that makes the call to the service and passes in whatever is needed for OAUTH2 to work over the client.
Any help ye can give would be appreciated. Thanks.
I have looked at OAUTH2 as one option, and this seems to be great on the server side of things, however how do you implement this over a http and where the client could be a mobile web page.
Does anyone have any experience with using OAUTH2 in a client environment where you have a mobile web page, that makes the call to the service and passes in whatever is needed for OAUTH2 to work over the client.
Any help ye can give would be appreciated. Thanks.
Hi,
Basically, securing relates to using https. I feel it's the most secure way!!!
Moreover, OAUTH2 supports JavaScript as well - https://github.com/andreassolberg/jso
Hope it helps u...
Basically, securing relates to using https. I feel it's the most secure way!!!
Moreover, OAUTH2 supports JavaScript as well - https://github.com/andreassolberg/jso
Hope it helps u...
ASKER
It is not just about keeping the data that goes back and forth being secure, https is a no brainer on that and was planning to go that route. What I am trying to make sure of that the calls to my service is only done from within my site and a third party where I have supplied key information that needs to be passed into the service.
Rather than someone finding the url and passing information out side of our control, to pull back the data. Some of this data is sensitive personal information, so I want to make sure it is totally secure.
I looked at DotNetOpenAuth as a possibility of doing this, but not sure if that is a viable solution, based on what I have seen of it.
Think of this using tokens where the call is made, and if the token is valid, then accept the call and if the token is invalid or not supplied then refuse the call.
Rather than someone finding the url and passing information out side of our control, to pull back the data. Some of this data is sensitive personal information, so I want to make sure it is totally secure.
I looked at DotNetOpenAuth as a possibility of doing this, but not sure if that is a viable solution, based on what I have seen of it.
Think of this using tokens where the call is made, and if the token is valid, then accept the call and if the token is invalid or not supplied then refuse the call.
Is basic authentication an option?
ASKER
not really, as I dont want to prompt the end user for the username and password.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
hmmmm.....how would you set that up in the request header, and how would you read it on the wcf call and would that information be in plain view within the source code of the page?
Keep in mind that my call will be coming from a web page, and not from the backend code of the page. Looking for js type solution.
Keep in mind that my call will be coming from a web page, and not from the backend code of the page. Looking for js type solution.
Keep in mind that my call will be coming from a web pageAh. Then the only way I know to do it is with Ajax, which means you would need the credential available to the script. A "no go" I presume : \
ASKER
Yep that would be a negative on the credential in a script, which is what I am finding with restful wcf, If this was all running off of the server, then not an issue, but as soon as you go from the client being a web page then there is all kinds of issues that beats the purpose of this being secure.
One way that I have playing around with is using PGP as a possible way of doing this, which would be as the page is rendered to store the secret key (encrypted) on the page after the user has logged in and send that back to any future page requests on the site. The problem with this solution is that it means some more work on my end, and fear that I may be reinventing the wheel, which I am trying to avoid.
One way that I have playing around with is using PGP as a possible way of doing this, which would be as the page is rendered to store the secret key (encrypted) on the page after the user has logged in and send that back to any future page requests on the site. The problem with this solution is that it means some more work on my end, and fear that I may be reinventing the wheel, which I am trying to avoid.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I love the last comment, because that is what I am running into, dont want to reinvent the wheel and everything I am finding is telling me that it is not entirely possible to do. :)
I will checkout the other part of the answers I saw on the posting that you sent over, may be that will have something in there.
It really depends on what you're trying to accomplish by security. If you mean prevent unauthorized use of the HTTP endpoints there is very little you can do about it since the user will have full access to the HTML and JavaScript used to make the calls.
If you mean preventing someone from sniffing the data in the AJAX requests then I would just use SSL.
A GUID used in the way that you're suggesting is really just reinventing a session id cookie.
I will checkout the other part of the answers I saw on the posting that you sent over, may be that will have something in there.
It really depends on what you're trying to accomplish by security. If you mean prevent unauthorized use of the HTTP endpoints there is very little you can do about it since the user will have full access to the HTML and JavaScript used to make the calls.
If you mean preventing someone from sniffing the data in the AJAX requests then I would just use SSL.
A GUID used in the way that you're suggesting is really just reinventing a session id cookie.
Hope you get some light on your issue!
ASKER
you and me both. :)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
How do you send this thru the header, and more importantly how do you let other pages with in the site know about this value, so that it can be used in other calls during the user's session
the token will be preserved across all your website's pages trough session state (notice this is not the REST service)
About how to send, that depends on how you invoke a REST resource (please specify), but there is always a way to insert a custom header.
About how to send, that depends on how you invoke a REST resource (please specify), but there is always a way to insert a custom header.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks to all of those who replied, greatly appreciated as always.
ASKER