Securing Individual Web Service Method Calls

timburda

Here is the scenario:

I have two .asmx files which sit side by side on a .NET based webservice.
My web application has some web modules which should be able to access
both of the .asmx files, the other web modules should only be able to
access methods in one of the .asmx files.

What I'm trying to do is prevent unauthorized calls into one of the
webservices. I can't restrict access by users, because in some cases,
the user may be using a web module which is making a valid call into
the webservice I am trying to protect.

If I have confused you with all of this, the crux of the problem is
that I am trying to secure individual methods on a web service.

After much thought, I don't believe the following approaches will work
(trust me):

Breaking down and splitting out the methods into additional .asmx files

Modifying the users who have access to any of the .asmx files

The only solution I could think of to date is to add a parameter to
each webservice method which takes a key or token. The key passed by
the calling function (web app) must match the key expected by the
webservice.

Any thoughts....anyone... anyone.....Bueller, Bueller, Bueller...

Thanks -

Tim Burda
 
John Saunders

If the only clients accessing the web service are your web modules, then
where is the security risk? You'd be securing against your own code. If
you're concerned about clients other than your web modules accessing the web
service, then you've got a different problem on your hands.

At any rate, you should consider that you're not really trying to authorize
users; you're trying to authorize the web modules. You need to give some
sort of identity to the web modules, and restrict access based on this
identity. In other words, the web modules are the principals here, not the
users.

I'm assuming that access to the web modules is adequately restricted.

John
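
A sketch of the approach discussed in this thread, added here as an example and not code from either poster: each web module is the principal, signs the method name and a timestamp with its own key, and the service checks a per-method allow list before doing any work. The module names, .asmx method names, keys and the five-minute window are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

static class ModuleAuthorizer
{
    // Constructed sample keys (hypothetical modules); real keys belong in protected configuration.
    static readonly Dictionary<string, byte[]> Keys = new Dictionary<string, byte[]> {
        { "BillingModule", Encoding.UTF8.GetBytes("constructed-demo-key-1") },
        { "ReportsModule", Encoding.UTF8.GetBytes("constructed-demo-key-2") } };

    // Per-method allow list (hypothetical method names): which module may call which method.
    static readonly Dictionary<string, HashSet<string>> Allowed = new Dictionary<string, HashSet<string>> {
        { "Protected.asmx/GetInvoice", new HashSet<string> { "BillingModule" } },
        { "Open.asmx/GetSummary", new HashSet<string> { "BillingModule", "ReportsModule" } } };

    static byte[] Mac(byte[] key, string module, string method, long unixTime)
    {
        using (var h = new HMACSHA256(key))
            return h.ComputeHash(Encoding.UTF8.GetBytes(module + "\n" + method + "\n" + unixTime));
    }

    // Caller side: a module signs the method name and a timestamp with its own key.
    public static string Sign(string module, string method, long unixTime) =>
        Convert.ToBase64String(Mac(Keys[module], module, method, unixTime));

    // Service side: call at the top of every web method.
    public static bool IsAuthorized(string module, string method, long unixTime, string token, long now)
    {
        byte[] key, got; HashSet<string> callers;
        if (module == null || !Keys.TryGetValue(module, out key)) return false;  // unknown module
        if (method == null || !Allowed.TryGetValue(method, out callers) || !callers.Contains(module)) return false;
        if (Math.Abs(now - unixTime) > 300) return false;       // outside the five-minute window
        try { got = Convert.FromBase64String(token ?? ""); } catch (FormatException) { return false; }
        byte[] expected = Mac(key, module, method, unixTime);
        if (got.Length != expected.Length) return false;
        int diff = 0;                                           // compare without early exit
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ got[i];
        return diff == 0;
    }

    static void Main()
    {
        long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        string t = Sign("ReportsModule", "Protected.asmx/GetInvoice", now);
        // A correctly signed token from a module that is not on the method's allow list.
        Console.WriteLine(IsAuthorized("ReportsModule", "Protected.asmx/GetInvoice", now, t, now));
        // The same token presented under another module's name fails the MAC check.
        Console.WriteLine(IsAuthorized("BillingModule", "Protected.asmx/GetInvoice", now, t, now));
    }
}
```

Because the token covers the method name, a token issued for one method cannot be reused for another; a captured token can still be replayed against the same method until the time window closes.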