Securing web service

John

Hi

How can I make sure that no one else can call and receive data from my web
methods?

Thanks

Regards
 
Michael Pearson

I've always put a username / password params in each of my web methods. I
then validate the user on each method call, and THEN do the real work of the
web method.

You can authenticate that username / password against a hardcoded value, a
database value, or a web.config value.

Michael
 
Gerald Brose

John said:
How can I make sure that no one else can call and receive data
from my web methods?

Rather than hardcoding security logic into your applications
(as described in separate answers in this thread) you can use
a separate SOAP Firewall that allows you to

- integrate security transparently (i.e. without modifying
application code) even in multi-vendor deployments

- manage your security policies centrally, using a professional
admin console GUI

You may want to take a look at Xtradyne's WS-DBC (Domain Boundary
Controller), which delivers comprehensive security and enterprise-
grade performance. See http://www.xtradyne.com for more info.

Regards, Gerald.
 
Tony

Your username/password can be viewed by an attacker if your transport is HTTP.
He can then do something else after obtaining the username/password. He can also
change the request message, knowing what the original message means,
without being detected by your web service. The best way is to go with SSL, using a client
certificate as the security token, to encrypt and sign the message. Search for WSE in
MSDN.
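
An added example, not part of the thread or any poster's code: one way to combine the per-call credential check from Michael's reply with the transport requirements from Tony's reply in an ASMX web method. The service, method and appSettings key names are hypothetical, and it assumes .NET Framework 4.7.2 or later and an IIS site configured for HTTPS with client certificates.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Web.Services;
using System.Web.Services.Protocols;
// Added example. OrderService, GetOrders and the appSettings keys are hypothetical names.
[WebService(Namespace = "http://example.invalid/orders")]
public class OrderService : WebService
{
    [WebMethod]
    public string GetOrders(string username, string password)
    {
        Authorize(username, password);      // validate the caller first
        return "orders for " + username;    // placeholder for the real work
    }

    private void Authorize(string username, string password)
    {
        // Credentials in a plain-HTTP request are readable in transit: refuse them.
        if (!Context.Request.IsSecureConnection)
            throw Denied("HTTPS required");

        // Assumes IIS is set to accept or require client certificates for this site.
        var cert = Context.Request.ClientCertificate;
        if (!cert.IsPresent || !cert.IsValid)
            throw Denied("Valid client certificate required");

        // web.config holds a salt and a PBKDF2 hash (Base64), not the password.
        string user = ConfigurationManager.AppSettings["ServiceUser"];
        string salt = ConfigurationManager.AppSettings["ServiceSalt"];
        string hash = ConfigurationManager.AppSettings["ServiceHash"];
        if (user == null || salt == null || hash == null || username == null || password == null)
            throw Denied("Access denied");  // fail closed on missing config or input

        byte[] expected = Convert.FromBase64String(hash);
        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, Convert.FromBase64String(salt),
                                                100000, HashAlgorithmName.SHA256))
            actual = kdf.GetBytes(expected.Length);

        // Compare every byte with no early exit so timing does not reveal a partial match.
        int diff = 0;
        for (int i = 0; i < expected.Length; i++)
            diff |= expected[i] ^ actual[i];
        if (diff != 0 || !string.Equals(user, username, StringComparison.Ordinal))
            throw Denied("Access denied");
    }
    private static SoapException Denied(string m) => new SoapException(m, SoapException.ClientFaultCode);
}
```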
 
