Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Passing Data to web service

  • 05-07-2010 9:02am
    #1
    Registered Users, Registered Users 2 Posts: 792 ✭✭✭


    I need to pass some data to web service. that data include user details. so the security is a concern here. What is the best approach for this task? I was thinking about serialization and using WriteXML/ReadXML..but not sure if this would be the best option
    Any Advice?
    Thanks


Comments

  • Registered Users, Registered Users 2 Posts: 2,793 ✭✭✭John_Mc


    mmalaka wrote: »
    I need to pass some data to web service. that data include user details. so the security is a concern here. What is the best approach for this task? I was thinking about serialization and using WriteXML/ReadXML..but not sure if this would be the best option
    Any Advice?
    Thanks

    Are you using jQuery? That has a serialize method which will store the elements within a container using JSON.

    The fact that it's a web service means it's automatically open to anyone who wants to use it. I'm unsure what this service is doing or how your architecture is setup so can't offer much in terms of security recommendations.


  • Registered Users, Registered Users 2 Posts: 792 ✭✭✭mmalaka


    this web service is for .NET web application. the webservice will store the DataSet into a SQL Database server...


  • Registered Users, Registered Users 2 Posts: 2,793 ✭✭✭John_Mc


    mmalaka wrote: »
    this web service is for .NET web application. the webservice will store the DataSet into a SQL Database server...

    Well, like any form of accepting input, be sure to scrub the data of dangerous characters, and limit the size of strings according to how long you expect the data to be. You need to be very careful about SQL injection attacks.


  • Registered Users, Registered Users 2 Posts: 2,781 ✭✭✭amen


    you have two options.
    1: encrypt the data using a custom encryption
    2: setup a secure webservice using certs

    did you write the web service your self or is it provided by a thrid party?


  • Registered Users, Registered Users 2 Posts: 792 ✭✭✭mmalaka


    No I am supposed to write it by myself...but it will be consumed by a thrid party. so for the first option we need to agree on a custom encryption so that they can use it to encryot the data and I will use it to decrypt the data


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 58 ✭✭carwash106


    You have to send a secure webservice through https.
    For authenticationa nd authorisation purposes and private data you should look into SOAP.


  • Registered Users, Registered Users 2 Posts: 2,931 ✭✭✭Ginger


    Are you controlling who gets access to the web service. Then you could issue certificates so that the computer making the request must have the correct certificate. That way custom decryption will not be a problem.

    Also with WCF there are different types of transport and message encryption options http://www.devx.com/codemag/Article/33342/1763/page/2

    Please dont write your own crypto protocal, you will get yourself into a mess of support options.

    Claims based authentication seems like your best bet http://msdn.microsoft.com/en-us/magazine/cc163366.aspx (The Geneva Framework)

    If its being consumed by other applications, possibly better to not send a dataset over the wire, its bloody big in DiffGram (unless you use binary serialisation and compression)


  • Registered Users, Registered Users 2 Posts: 180 ✭✭Collumbo


    will you host the web service?

    Congire IIS/Apache/whatever... so that the web service is restricted by IP. You can also validate the calling IP in the code.. cofigure your list of allowed IPs in web.config (or your own .ini file). If the calling IP isn't in the list, throw your own custom "Access Denied" exception.

    Good idea too to keep a log of all hits in another database to monitor any weird activity. We implemented this type of thing for a few customers and it went very well and "seems" to be fairly secure. We just use https://


  • Registered Users, Registered Users 2 Posts: 2,931 ✭✭✭Ginger


    The above may work provided that the web service is being consumed only by web sites and the web sites are not on shared hosting but on dedicated hosts. Otherwise web sites on the same host ip can use the web service.

    If you are using client applications such as desktop applications, mobile phones and such this will not work as IP addressing changes based on location.

    Another issue with IP locking is that if the consuming application moves host, you need to reconfigure it and the web service needs to be be updated which is a bit of maintainence hassle.


  • Registered Users, Registered Users 2 Posts: 180 ✭✭Collumbo


    Accept all of the above Ginger... we were hosting and had full control over our IP so this worked for us. It's a good luxury to be able to throw in this type of validation as it's *pretty* safe.

    The customers were also in a position to maintain their IPs as they are pretty big customers and were never even going to go near a hosting provider to begin with....


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 2,931 ✭✭✭Ginger


    Its just a design consideration rather than anything else. If you have a fairly stable achitecture and speification and stuff like that, it will work for you


Advertisement