Secure access to my hosted web service

[Jason James]

Guys,

I am developing a web service that will be hosted by
a web hosting company and therefore will be in the
public domain. Since the service accesses a DB I
would like to ensure that only authorised applications/
users have access to the web service. Does anyone
have any suggests how I might go about this
security task?

Changing folder permissions, etc at the hosting
company is probably more trouble than it is worth!!

Kind regards,

Jason.

 

[Josh Twist]

You could use WSE
(http://msdn.microsoft.com/webservices/webservices/building/wse/default.aspx)
to implement security directly into your webservice. WSE supports lots
of security implementations from username/pasword to certificates and
combinations thereof.

Josh
http://www.thejoyofcode.com/

 

[Jason James]

Josh,

thanks for the info. I'm not sure if my hoster has this .NET
extension installed. Are there any other ways using the
standard .NET framework components that anyone can
think of?

Regards,

Jason

 

[Josh Twist]

You could just secure it yourself with a username/password SoapHeader.
This is very easy to do, you'd just need to create a securityUser table
with a username and password (salted and hashed, of course). Then check
this table inside your webmethod and throw a SoapException if you
receive an incorrect username/password.

If you can, use HTTPS to be sure that the username and password can't
be sniffed and the contents read by third parties.

Josh