Solved

securing restful wcf services

Posted on 2013-01-30
18
1,122 Views
Last Modified: 2013-02-04
As I am building out my back end restful service(s), one of the things I am looking into is how to make the calls be secure, so that the calls cant be called from an authorized client. Especially since my services may have information that is very confidential and not something I want accessed unless you have permission to do so.

I have looked at OAUTH2 as one option, and this seems to be great on the server side of things, however how do you implement this over a http and where the client could be a mobile web page.

Does anyone have any experience with using OAUTH2 in a client environment where you have a mobile web page, that makes the call to the service and passes in whatever is needed for OAUTH2 to work over the client.

Any help ye can give would be appreciated. Thanks.
0
Comment
Question by:JDEE8297
  • 9
  • 4
  • 3
  • +1
18 Comments
 

Author Comment

by:JDEE8297
ID: 38837259
It doesn't have to be with OAUTH, my main concern is to protect the calls to the service, so that it can't be called with some sort of verification process. And it has to work so that if I can call this from my jquery client code, rather than on the server, so any help you can give would be appreciated. Thanks.
0
 
LVL 23

Expert Comment

by:Roopesh Reddy
ID: 38840147
Hi,

Basically, securing relates to using https. I feel it's the most secure way!!!

Moreover, OAUTH2 supports JavaScript as well - https://github.com/andreassolberg/jso

Hope it helps u...
0
 

Author Comment

by:JDEE8297
ID: 38840686
It is not just about keeping the data that goes back and forth being secure, https is a no brainer on that and was planning to go that route. What I am trying to make sure of that the calls to my service is only done from within my site and a third party where I have supplied key information that needs to be passed into the service.

Rather than someone finding the url and passing information out side of our control, to pull back the data. Some of this data is sensitive personal information, so I want to make sure it is totally secure.

I looked at DotNetOpenAuth as a possibility of doing this, but not sure if that is a viable solution, based on what I have seen of it.

Think of this using tokens where the call is made, and if the token is valid, then accept the call and if the token is invalid or not supplied then refuse the call.
0
 
LVL 74

Expert Comment

by:käµfm³d 👽
ID: 38841447
Is basic authentication an option?
0
 

Author Comment

by:JDEE8297
ID: 38842354
not really, as I dont want to prompt the end user for the username and password.
0
 
LVL 74

Assisted Solution

by:käµfm³d 👽
käµfm³d   👽 earned 50 total points
ID: 38842808
They would only be prompted if they did not submit the credentials in the request header, and then only if you send back the WWW-Authenticate header in the response.

I haven't worked with OAuth yet, so I cannot really comment on that.
0
 

Author Comment

by:JDEE8297
ID: 38843498
hmmmm.....how would you set that up in the request header, and how would you read it on the wcf call and would that information be in plain view within the source code of the page?

Keep in mind that my call will be coming from a web page, and not from the backend code of the page. Looking for js type solution.
0
 
LVL 74

Expert Comment

by:käµfm³d 👽
ID: 38843529
Keep in mind that my call will be coming from a web page
Ah. Then the only way I know to do it is with Ajax, which means you would need the credential available to the script. A "no go" I presume  : \
0
 

Author Comment

by:JDEE8297
ID: 38844007
Yep that would be a negative on the credential in a script, which is what I am finding with restful wcf, If this was all running off of the server, then not an issue, but as soon as you go from the client being a web page then there is all kinds of issues that beats the purpose of this being secure.

One way that I have playing around with is using PGP as a possible way of doing this, which would be as the page is rendered to store the secret key (encrypted) on the page after the user has logged in and send that back to any future page requests on the site. The problem with this solution is that it means some more work on my end, and fear that I may be reinventing the wheel, which I am trying to avoid.
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 23

Assisted Solution

by:Roopesh Reddy
Roopesh Reddy earned 135 total points
ID: 38844246
Hi,

Check this thread for some interesting discussion on the securing AJAX calls!

http://stackoverflow.com/questions/652851/securing-ajax-requests-via-guid

Hope it helps...
0
 

Author Comment

by:JDEE8297
ID: 38844284
I love the last comment, because that is what I am running into, dont want to reinvent the wheel and everything I am finding is telling me that it is not entirely possible to do. :)

I will checkout the other part of the answers I saw on the posting that you sent over, may be that will have something in there.


It really depends on what you're trying to accomplish by security. If you mean prevent unauthorized use of the HTTP endpoints there is very little you can do about it since the user will have full access to the HTML and JavaScript used to make the calls.

If you mean preventing someone from sniffing the data in the AJAX requests then I would just use SSL.

A GUID used in the way that you're suggesting is really just reinventing a session id cookie.
0
 
LVL 23

Expert Comment

by:Roopesh Reddy
ID: 38844311
Hope you get some light on your issue!
0
 

Author Comment

by:JDEE8297
ID: 38845126
you and me both. :)
0
 
LVL 55

Accepted Solution

by:
Jaime Olivares earned 130 total points
ID: 38847840
JDEE8297,
Please consider the following:
HTTPS is a transport security, it will protect any client from others for sniffing their security elements, but it won't allow specific clients to access, while others not.
REST is a state-less architectural framework, that means that each call is independent from the other, so traditional session info won't work.
A typical implementation would be the following:
- Authenticate your clients as you wish, using HTTPS to prevent password stealing
- Once authenticated, create a mechanism in the RESTful interface to register a token (GUID or similar) associated to the user. This token can have an expiracy date/time and shall be saved somewhere in your RESTful infrastructure.
- In you WCF/REST implementation, include the Global.asax file. You will need to override the Application_BeginRequest event.
- For each AJAX call to the RESTful service, include that token as a HTTP header and verify if that token/user pair is valid on the Application_BeginRequest event. If not, return an HTTP Status Code = Unauthorized
0
 

Author Comment

by:JDEE8297
ID: 38847917
How do you send this thru the header, and more importantly how do you let other pages with in the site know about this value, so that it can be used in other calls during the user's session
0
 
LVL 55

Expert Comment

by:Jaime Olivares
ID: 38847944
the token will be preserved across all your website's pages trough session state (notice this is not the REST service)
About how to send, that depends on how you invoke a REST resource (please specify), but there is always a way to insert a custom header.
0
 
LVL 23

Assisted Solution

by:Roopesh Reddy
Roopesh Reddy earned 135 total points
ID: 38848024
Hi,

In that case, store an encrypted value in the client computer(using Cookies) and send the data in the Secure channnel - https!!!

Hope it helps u...
0
 

Author Closing Comment

by:JDEE8297
ID: 38851188
Thanks to all of those who replied, greatly appreciated as always.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

This article discusses how to create an extensible mechanism for linked drop downs.
This article demonstrates how to create a simple responsive confirmation dialog with Ok and Cancel buttons using HTML, CSS, jQuery and Promises
The viewer will learn the basics of jQuery, including how to invoke it on a web page. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery.: (CODE)
The viewer will learn the basics of jQuery including how to code hide show and toggles. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now