How to secure webservice in

Hello friends,

While working with web services, one main question that stuck in my mind was how to make my web service secure.

I am going to publish a web service in the public domain, and anyone who knows the web URL can use it. I found a very good discussion on a forum; let me share it with you.

Securing a web service can be done at many levels; it is up to you how far you want to go. The two approaches below are ordered from the simplest, home-grown scheme to the standards-based one.

1) Custom Token-Based Authentication:

Expose a login web method where the user supplies credentials, typically a username and password, much like the login page of a web forms application. Once the system has validated these credentials against the database, it generates a unique token (generally a GUID; a value from a cryptographically secure random generator is the safer choice, because a GUID is unique but not guaranteed to be unpredictable), saves it against the user ID in the database and returns it to the caller.

From then on, whenever the user calls any of the other (functional) web methods, the token must be passed along as a parameter. Before actually processing the call, the system looks the token up in the database; only if it is found is the user allowed to proceed. Because the token is the only thing standing between a caller and the functional methods, it must travel over HTTPS, otherwise anyone who can read the traffic can replay it.

Just as with a session in a web forms application, you can also control the timeout: the token stays valid for a pre-defined period, after which any attempt to use it is treated as expired and the request is denied. This timeout is set during the login web method call.
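The following is an added example, not code from the forum discussion or the original post, showing the token scheme above in C# (assumes .NET 6 or later). The two dictionaries stand in for the database tables, the user store holds salted PBKDF2 password hashes rather than plaintext, the token is 32 bytes from the CSPRNG instead of a GUID, and only the SHA-256 of the token is stored so that a leaked token table does not hand out usable tokens. `TokenAuthService`, `Register`, `Login`, `Validate` and `Logout` are names chosen for this example; the user "alice" and her password are constructed sample data.

```csharp
// Added example (not from the original post): a minimal token store of the kind
// the custom token-based approach describes. In-memory dictionaries stand in for
// the database; a real service would persist both tables.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class TokenAuthService
{
    // userId -> (salt, PBKDF2 hash). Stand-in for the users table.
    private readonly Dictionary<string, (byte[] Salt, byte[] Hash)> _users = new();
    // SHA-256(token) -> (userId, expiry). Stand-in for the token table; storing the
    // hash means whoever reads this table still cannot present a valid token.
    private readonly Dictionary<string, (string UserId, DateTime ExpiresUtc)> _tokens = new();
    private readonly TimeSpan _lifetime;

    public TokenAuthService(TimeSpan lifetime) { _lifetime = lifetime; }

    // Account creation: never store the password itself, only a salted slow hash.
    public void Register(string userId, string password)
    {
        var salt = RandomNumberGenerator.GetBytes(16);
        _users[userId] = (salt, Pbkdf2(password, salt));
    }

    // The "login" web method: validates credentials and returns an opaque token,
    // or null when the credentials are wrong. The timeout is fixed here, at login.
    public string? Login(string userId, string password)
    {
        if (!_users.TryGetValue(userId, out var rec)) return null;
        var candidate = Pbkdf2(password, rec.Salt);
        if (!CryptographicOperations.FixedTimeEquals(candidate, rec.Hash)) return null;

        // 32 random bytes from the CSPRNG instead of a GUID: Guid.NewGuid() promises
        // uniqueness, not unpredictability.
        var token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _tokens[Sha256Hex(token)] = (userId, DateTime.UtcNow + _lifetime);
        return token;
    }

    // Called at the top of every functional web method: returns the user the token
    // belongs to, or null if the token is unknown or has expired.
    public string? Validate(string token)
    {
        var key = Sha256Hex(token);
        if (!_tokens.TryGetValue(key, out var rec)) return null;
        if (DateTime.UtcNow >= rec.ExpiresUtc)
        {
            _tokens.Remove(key);   // expired: drop it so it cannot be retried
            return null;
        }
        return rec.UserId;
    }

    // Explicit logout invalidates the token before its timeout.
    public void Logout(string token) => _tokens.Remove(Sha256Hex(token));

    private static byte[] Pbkdf2(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, 100_000, HashAlgorithmName.SHA256, 32);

    private static string Sha256Hex(string s) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(s)));
}

public static class Demo
{
    public static void Main()
    {
        var svc = new TokenAuthService(TimeSpan.FromMinutes(20));
        svc.Register("alice", "correct horse battery staple");   // constructed sample user

        var denied = svc.Login("alice", "wrong-password");        // rejected: returns null
        var token = svc.Login("alice", "correct horse battery staple")!;
        Console.WriteLine($"bad password accepted? {denied is not null}");
        Console.WriteLine($"token maps to user: {svc.Validate(token)}");
        Console.WriteLine($"unknown token accepted? {svc.Validate("not-a-real-token") is not null}");

        svc.Logout(token);
        Console.WriteLine($"token valid after logout? {svc.Validate(token) is not null}");
    }
}
```

In a real ASMX or WCF service, `Login` and the functional methods would be `[WebMethod]`s, `Validate` would be the first statement of each functional method, and the whole endpoint must be served over HTTPS, since the token is a bearer credential that anyone who captures it can replay until it expires.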

2) WSE 3.0 Authentication:

Web Services Enhancements (WSE) 3.0 is Microsoft's add-on for ASP.NET web services that implements the WS-Security specifications, so it gives you interoperable, cross-platform message-level security (username tokens, X.509 certificates, Kerberos tokens, message signing and encryption) rather than a home-grown scheme. The following URL provides step-by-step detail on how to use WSE 3.0 to authenticate web service callers against your own custom user database. Be aware that WSE has since been superseded by Windows Communication Foundation (WCF) and is no longer supported; the same WS-Security mechanisms are available in WCF.

The following link describes in detail how to develop and apply authentication, authorization and secure communication techniques to secure ASP.NET web services and web service messages. It covers security from the web service's perspective, showing how to authenticate and authorize callers and how to flow the security context (the caller's identity) through a web service to the resources it accesses. It also explains, from the client-side perspective, how to call web services with credentials and certificates so that the server can authenticate the caller.
