
Passing Data to web service

  • 05-07-2010 10:02am
    #1
    Registered Users Posts: 792 ✭✭✭


    I need to pass some data to a web service. That data includes user details, so security is a concern here. What is the best approach for this task? I was thinking about serialization and using WriteXML/ReadXML, but not sure if this would be the best option.
    Any advice?
    Thanks


Comments

  • Registered Users Posts: 2,791 ✭✭✭John_Mc


    mmalaka wrote: »
    I need to pass some data to a web service. That data includes user details, so security is a concern here. What is the best approach for this task? I was thinking about serialization and using WriteXML/ReadXML, but not sure if this would be the best option.
    Any advice?
    Thanks

    Are you using jQuery? That has a serialize method which will store the elements within a container using JSON.

    The fact that it's a web service means it's automatically open to anyone who wants to use it. I'm unsure what this service is doing or how your architecture is set up, so can't offer much in terms of security recommendations.


  • Registered Users Posts: 792 ✭✭✭mmalaka


    This web service is for a .NET web application. The web service will store the DataSet into a SQL database server...


  • Registered Users Posts: 2,791 ✭✭✭John_Mc


    mmalaka wrote: »
    This web service is for a .NET web application. The web service will store the DataSet into a SQL database server...

    Well, like any form of accepting input, be sure to scrub the data of dangerous characters, and limit the size of strings according to how long you expect the data to be. You need to be very careful about SQL injection attacks.
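
An added example, not code from anyone in this thread, of the input handling described above for a .NET service writing to SQL Server. It enforces length limits before the database call and binds values as `SqlParameter` objects instead of scrubbing characters; the `UserDetails` type, the `dbo.Users` table and the column sizes are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical DTO for the user details the service receives.
public sealed class UserDetails
{
    public string Name { get; set; }
    public string Email { get; set; }
}

public static class UserStore
{
    // Assumed column sizes; match them to the real schema.
    private const int MaxName = 100;
    private const int MaxEmail = 254;

    // Rejects missing or over-long input instead of silently truncating it.
    private static string Require(string value, int max, string field)
    {
        if (string.IsNullOrWhiteSpace(value))
            throw new ArgumentException(field + " is required");
        value = value.Trim();
        if (value.Length > max)
            throw new ArgumentException(field + " exceeds " + max + " characters");
        return value;
    }

    // Builds the INSERT with bound parameters; caller input never becomes SQL text.
    public static SqlCommand BuildInsert(SqlConnection conn, UserDetails u)
    {
        var cmd = new SqlCommand(
            "INSERT INTO dbo.Users (Name, Email) VALUES (@name, @email)", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, MaxName).Value =
            Require(u.Name, MaxName, "Name");
        cmd.Parameters.Add("@email", SqlDbType.NVarChar, MaxEmail).Value =
            Require(u.Email, MaxEmail, "Email");
        return cmd;
    }

    public static void Save(string connectionString, UserDetails u)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = BuildInsert(conn, u))
        {
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```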


  • Registered Users Posts: 2,781 ✭✭✭amen


    You have two options:
    1: encrypt the data using a custom encryption
    2: set up a secure web service using certs

    Did you write the web service yourself or is it provided by a third party?


  • Registered Users Posts: 792 ✭✭✭mmalaka


    No, I am supposed to write it by myself... but it will be consumed by a third party. So for the first option we need to agree on a custom encryption so that they can use it to encrypt the data and I will use it to decrypt the data.


  • Registered Users Posts: 58 ✭✭carwash106


    You have to send a secure webservice through https.
    For authentication and authorisation purposes and private data you should look into SOAP.


  • Registered Users Posts: 2,931 ✭✭✭Ginger


    Are you controlling who gets access to the web service? Then you could issue certificates so that the computer making the request must have the correct certificate. That way custom decryption will not be a problem.

    Also with WCF there are different types of transport and message encryption options http://www.devx.com/codemag/Article/33342/1763/page/2

    Please don't write your own crypto protocol, you will get yourself into a mess of support options.

    Claims based authentication seems like your best bet http://msdn.microsoft.com/en-us/magazine/cc163366.aspx (The Geneva Framework)

    If it's being consumed by other applications, possibly better to not send a dataset over the wire, it's bloody big in DiffGram (unless you use binary serialisation and compression).


  • Registered Users Posts: 180 ✭✭Collumbo


    Will you host the web service?

    Configure IIS/Apache/whatever... so that the web service is restricted by IP. You can also validate the calling IP in the code... configure your list of allowed IPs in web.config (or your own .ini file). If the calling IP isn't in the list, throw your own custom "Access Denied" exception.

    Good idea too to keep a log of all hits in another database to monitor any weird activity. We implemented this type of thing for a few customers and it went very well and "seems" to be fairly secure. We just use https://
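
An added example, not code from anyone in this thread, of the in-code check described above: an allow-list read from a configuration value, a custom "Access Denied" exception, and a log call for every hit. The `AllowedCallerIPs` setting name and the `log` callback are hypothetical; `callerIp` is assumed to be the connection's peer address (in ASP.NET, `Request.UserHostAddress`), not a client-supplied header.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

public sealed class AccessDeniedException : Exception
{
    public AccessDeniedException(string message) : base(message) { }
}

public sealed class IpAllowList
{
    private readonly List<IPAddress> allowed = new List<IPAddress>();

    // setting: comma-separated addresses, e.g. the value of a hypothetical
    // appSettings key "AllowedCallerIPs". An empty list denies every caller.
    public IpAllowList(string setting)
    {
        var parts = (setting ?? "").Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        foreach (var part in parts)
        {
            IPAddress ip;
            if (!IPAddress.TryParse(part.Trim(), out ip))
                throw new FormatException("Bad allow-list entry: " + part);
            allowed.Add(Normalize(ip));
        }
    }

    // Treat ::ffff:a.b.c.d as a.b.c.d so a dual-stack listener matches IPv4 entries.
    private static IPAddress Normalize(IPAddress ip)
    {
        return ip.IsIPv4MappedToIPv6 ? ip.MapToIPv4() : ip;
    }

    public bool IsAllowed(string callerIp)
    {
        IPAddress ip;
        return IPAddress.TryParse(callerIp ?? "", out ip) && allowed.Contains(Normalize(ip));
    }

    // Call at the top of each service operation; every hit is logged, allowed or not.
    public void Demand(string callerIp, Action<string, bool> log)
    {
        bool allowedCaller = IsAllowed(callerIp);
        log(callerIp, allowedCaller);
        if (!allowedCaller) throw new AccessDeniedException("Access Denied");
    }
}
```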


  • Registered Users Posts: 2,931 ✭✭✭Ginger


    The above may work provided that the web service is being consumed only by web sites and the web sites are not on shared hosting but on dedicated hosts. Otherwise web sites on the same host ip can use the web service.

    If you are using client applications such as desktop applications, mobile phones and such this will not work as IP addressing changes based on location.

    Another issue with IP locking is that if the consuming application moves host, you need to reconfigure it and the web service needs to be updated which is a bit of maintenance hassle.


  • Registered Users Posts: 180 ✭✭Collumbo


    Accept all of the above Ginger... we were hosting and had full control over our IP so this worked for us. It's a good luxury to be able to throw in this type of validation as it's *pretty* safe.

    The customers were also in a position to maintain their IPs as they are pretty big customers and were never even going to go near a hosting provider to begin with....


  • Registered Users Posts: 2,931 ✭✭✭Ginger


    It's just a design consideration rather than anything else. If you have a fairly stable architecture and specification and stuff like that, it will work for you.

