Enabling HTTP Post to invoke web services

[Mike P]

I am calling a .Net web service from a traditional ASP page. I am using the
ServerXMLHttp object. For example:

sWebSvcUrl = "http://.....asmx"
Set oSXH = Server.CreateObject("MSXML2.ServerXMLHTTP.4.0")
oSXH.open "POST", sWebSvcUrl, False,"userid","password"

' Indicate that the body of the request contains form data
oSXH.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
sParam = "xmlString=" & sXML
Call oSXH.send(sParam)

Since HTTP Posts and HTTP Gets are disabled by default in the .Net Framework
1.1, I added these lines to the web.config file to enable them.
<webServices>
<protocols>
<add name="HttpGet"/>
<add name="HttpPost"/>
</protocols>
</webServices>

This article explains what this is about:
http://support.microsoft.com/default.aspx?scid=kb;en-us;819267

The issue is, I am getting some resistance from our web operations folks
about enabling HTTP Posts and HTTP Gets and pushing this code to production.
Some feel that I should not be invoking web services this way because
Microsoft disabled them by default. They say, what if this goes to
production and, in the next version of the .NET Framework, Microsoft disables
HTTP Posts with no overrides. And also, some are concerned about the
security reasons that caused Microsoft to disable HTTP Posts and HTTP Gets.

My question is.... Does anyone see any issues with what I am trying to do?

I tried to use the Soap Toolkit, but since the authentication mode for the
web services I need to call is set to Windows Authentication, I can't get it
to work without some work around.

I also want to point out that the traditional ASP webs that I am calling
these .Net web services from will probably be converted to ASP.NET sometime
next year.

Thanks in advance for your comments,

 

[[MSFT]]

Hello Mike,

Yes, it is recommended to disable httpget and httppost for security issues.
You may refer to this article for details:

http://www.xent.com/pipermail/fork/2002-March/009999.html

Based on my experience, Soap Toolkit can work with windows authenticated
web service. You need to have your ASP application run under a domain
account with enough permission. Anyway, I think the best solution is to
migrate to ASP.NET.

Luke

 

[Mike P]

Thanks for your response Luke.

We will be migrating this application to ASP.NET sometime next year. In the
meantime, we have new third-party applications that this web needs to
communicate with.

Would the fact that the web service's authentication mode is set to Windows
Authentication mitigate the security concern? So to use the web service, I
have to pass in the network credentials in the open method of the
ServerXMLHTTP object. For example,

Set oSXH = Server.CreateObject("MSXML2.ServerXMLHTTP.4.0")
oSXH.open "POST", sWebSvcUrl, False,"WebSvcUser","password"

On our network, we have to authenticate whenever we get redirected to
another server. For example, if I leave out the username and password
parameters, I get an error.

I am using a POST, so I could disabled HTTP GET, and accoding to the article
you reference, "the case for HTTP-POST is a little more complex".

The examples in the article would not be successful because on the POST to
the web service, there will be a challenge before the web service will
execute. Am I wrong?

 

[[MSFT]]

Hi Mike,

The parameters UserName and Password of Open method is optional. When they
were not set, it will use current user's credetial . There is still some
risk here. Therefore, I think it still less of good reason to persuade your
operations folks since Http-Post and Http_Get are known as not safe. why
not soap toolkit? It is recommended for an ASP or VB 6.0 application.

Luke