How to secure my webservices

Nov 9, 2009 at 12:29 PM

Could someone please guide me on how to secure my webservice with a userid and a password? I will publish my webservices on a server, and on a remote client I add those webservices as web references and retrieve data, and I want this to happen in a secure way. I followed the link ( http://iweb.adefwebserver.com/ExampleCode/SecureWebServices/tabid/64/Default.aspx ). However, it does not tell how to handle userid, password and encryption/decryption on the server, or how to call the webservice from the client with an encrypted userid and password. So could you please give me some guidance or tell me how to do it?

Thanks...

Nov 9, 2009 at 1:29 PM

Hi Kem,

If I understand your problem correctly then you need to do the following to your client application...

1. Add the file IWebAuthendication.vb to your project

2. Make sure you have this line of code in the app as you create the web service

ws.IWebAuthendicationHeaderValue = IWebAuthendication.AttachCredentials()

3. Look for the function AttachCredentials in the iwebauthendication file and change to include your username, password and portal.

Hope that helps

Trev

Nov 9, 2009 at 3:18 PM

It doesn't acknowledge a method such as AttachCredentials().

Thanks...

Nov 9, 2009 at 4:24 PM

Have you added the IWebAuthendication.vb to your project?

The method is contained within that file.

Trev

Nov 9, 2009 at 4:26 PM

This is the function...

Imports System.Web
Public Class IWebAuthendication

    Public Shared Function AttachCredentials() As TaxiRoute_Mobile_Customer.uk.co.taxiroute.www.IWebAuthendicationHeader
        Dim IWebAuthendicationHeader As New TaxiRoute_Mobile_Customer.uk.co.taxiroute.www.IWebAuthendicationHeader

        IWebAuthendicationHeader.PortalID = "XXX"
        IWebAuthendicationHeader.Username = "username"
        IWebAuthendicationHeader.Password = "password"
        IWebAuthendicationHeader.Encrypted = 0

        Return IWebAuthendicationHeader
    End Function
End Class
Coordinator
Nov 9, 2009 at 4:39 PM
kem wrote:

Could someone please guide me on how to secure my webservice with a userid and a password? I will publish my webservices on a server, and on a remote client I add those webservices as web references and retrieve data, and I want this to happen in a secure way. I followed the link ( http://iweb.adefwebserver.com/ExampleCode/SecureWebServices/tabid/64/Default.aspx ). However, it does not tell how to handle userid, password and encryption/decryption on the server, or how to call the webservice from the client with an encrypted userid and password. So could you please give me some guidance or tell me how to do it?

Thanks...

The page has this example:

Public Function GetUser(ByVal PortalID As Integer, _
        ByVal UserID As Integer, ByVal Username As String, ByVal Password As String, ByVal ModuleId As String, _
        ByVal WebPageCall As Boolean, ByVal Encrypted As Boolean) As String

    ' Build the credentials header from the values supplied by the caller
    Dim objIWebAuthendicationHeader As New IWebAuthendicationHeader()
    objIWebAuthendicationHeader.PortalID = PortalID
    objIWebAuthendicationHeader.Username = Username
    objIWebAuthendicationHeader.UserID = UserID
    objIWebAuthendicationHeader.Password = Password
    objIWebAuthendicationHeader.Encrypted = Encrypted
    objIWebAuthendicationHeader.WebPageCall = WebPageCall
    objIWebAuthendicationHeader.ModuleID = ModuleId

    ' Check the credentials before returning any data
    Dim objIWebAuthendication As New IWebAuthendication(objIWebAuthendicationHeader)
    If Not objIWebAuthendication.ValidAndAuthorized() Then
        Return "Not Authorized"
    Else
        Dim objUser As UserInfo = IWebUserInfo.GetUserInfo(PortalID, UserID, Username, Password, ModuleId)
        Return "DisplayName: " & objUser.DisplayName & " - Email: " & objUser.Email
    End If

End Function
Nov 10, 2009 at 10:19 AM

It's been done, thanks. But I still have a problem when interacting with my webservice, which is on a remote server. On the client side, just before calling the webservice methods, I assigned the values to the credentials and then assigned the credentials to the webservice as follows:

webservices.iweb.WebService iwebservice = new MyNameSpace.webservices.iweb.WebService();
//iwebservice.Url = WebserviceURL;
iwebservice.IWebAuthendicationHeaderValue = IWebAuthendication2.AttachCredentials();

And then I called the method of my webservice as such: iwebservice.MyMethod(). I pressed F5 and stepped into AttachCredentials() and assigned non-existing values to PortalID, Username, Password. I made no other changes. However, my service is still called and it worked. How can I prevent my webservice's methods from running when unwanted users call them?
Thanks...
       
Nov 10, 2009 at 10:23 AM

On your portal, if you visit the page where you have added the iWeb module at the bottom there is a link "Edit iWeb Configuration"

When you click this link and select the relevant portal you can assign the roles that can access the webservice.

If you leave them as "host" then it can only be accessed by the client app if it has the host username and password.

Trev

Nov 10, 2009 at 12:07 PM

Let's make it clear. My portal is on the server, and what I did (as I told in my previous post) is on the client.

On the portal on my server I did this:

I hit "Edit iWeb Configuration" on the IWEB module and under the "Method" column I found the method I want to use.

And under the "Security Settings" column I chose "Host". Only the name of the method and "Host" are displayed.

Others (Company, Application, Group1, Group2, Description) were all empty.

And on the client I did what I posted previously: (the same as previous post)

webservices.iweb.WebService iwebservice = new MyNameSpace.webservices.iweb.WebService();
iwebservice.IWebAuthendicationHeaderValue = IWebAuthendication2.AttachCredentials();
And then I called the method of my webservice as such: iwebservice.MyMethod().
I pressed F5 and stepped into AttachCredentials() and assigned non-existing values to PortalID, Username, Password.
I made no other changes. However, my service is still called and it worked.
How can I prevent my webservice's methods from running when unregistered users call them?
Nov 10, 2009 at 12:49 PM
Edited Nov 10, 2009 at 4:19 PM

And that is the web method of the webservice (of IWEB) that is supposed not to be called in case of wrong credentials. It may help:

using System;
using System.Collections;
using System.ComponentModel;
using System.Configuration;
using System.Data;
using System.Linq;
using System.Web;
using System.Web.Security;
using System.Web.Services;
using System.Web.Services.Protocols;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Xml.Linq;

using DotNetNuke.Common.Utilities;
using DotNetNuke.Entities.Users;

using SD.LLBLGen.Pro.ORMSupportClasses;
using Simetri.Modules.Data.Mtk;
using Simetri.Modules.Data.Mtk.DatabaseSpecific;
using Simetri.Modules.Data.Mtk.EntityClasses;
/// <summary>
/// Summary description for FirmaBilgileri
/// </summary>
/// 
namespace DotNetNuke.Modules.IWebCSharp
{
    //[WebService(Namespace = "http://webservices.DotNetNuke.com/")]
    //[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]

    public partial class WebService
    {

        [WebMethod(Description = " ....."), SoapHeader("IWebCredentials")]
        public FirmaEntity GetFirma(string firmaKey)
        {
		//Here are the codes...
        }
    }
}
            

And here is what I do when I call AttachCredentials() on the client side, right there:

 

webservices.iweb.WebService iwebservice = new MyNameSpace.webservices.iweb.WebService();
iwebservice.IWebAuthendicationHeaderValue = IWebAuthendication2.AttachCredentials();
 
AttachCredentials
public static Pdi.Toys.MtkSchedular.webservices.toys.iweb.IWebAuthendicationHeader AttachCredentials() 
        {
            Pdi.Toys.MtkSchedular.webservices.toys.iweb.IWebAuthendicationHeader IWebAuthendicationHeader = new Pdi.Toys.MtkSchedular.webservices.toys.iweb.IWebAuthendicationHeader(); 
            
            IWebAuthendicationHeader.PortalID = 0; 
            IWebAuthendicationHeader.Username = "host"; 
            IWebAuthendicationHeader.Password = "scrum1357"; 
            IWebAuthendicationHeader.Encrypted = "true"; 
                     
            return IWebAuthendicationHeader; 
        }  
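An added example, not code from this thread or from the iWeb project: a self-contained C# console model of the difference between a web method that only receives the credentials header and one that validates it first, the way the GetUser example quoted above calls ValidAndAuthorized() before returning data. A SoapHeader attribute only hands the header to the method; it does not check it. CredentialHeader, Authenticator, FirmaService and the account table are hypothetical stand-ins with constructed values.

```csharp
using System;
using System.Collections.Generic;
// Stand-in for the iWeb SOAP header; only the fields used in the thread.
class CredentialHeader { public int PortalID; public string Username, Password; }

// Hypothetical stand-in for IWebAuthendication.ValidAndAuthorized().
static class Authenticator
{
    // Constructed sample account: "portal/user" -> { password, role }.
    static readonly Dictionary<string, string[]> Accounts = new Dictionary<string, string[]>
    {
        { "0/demo-host", new[] { "demo-password", "Host" } },
    };
    public static bool ValidAndAuthorized(CredentialHeader h, string requiredRole)
    {
        if (h == null || h.Username == null || h.Password == null) return false;
        string[] account;
        if (!Accounts.TryGetValue(h.PortalID + "/" + h.Username, out account)) return false;
        return account[0] == h.Password && account[1] == requiredRole;
    }
}

class FirmaService
{
    // Filled from the request header by the SOAP stack; null if the client sent none.
    public CredentialHeader Credentials;
    // The header is received but never read, so any caller gets an answer.
    public string GetFirmaUnchecked(string firmaKey) { return "firma:" + firmaKey; }
    // Same method with the credential check as its first statement.
    public string GetFirma(string firmaKey)
    {
        if (!Authenticator.ValidAndAuthorized(Credentials, "Host"))
            throw new UnauthorizedAccessException("Not Authorized");
        return "firma:" + firmaKey;
    }
}

static class Program
{
    static void Main()
    {
        var svc = new FirmaService();
        // Non-existing portal, user and password, as in the test described in the thread.
        svc.Credentials = new CredentialHeader { PortalID = 99, Username = "nobody", Password = "x" };
        Console.WriteLine(svc.GetFirmaUnchecked("K1"));
        try { svc.GetFirma("K1"); }
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }
        svc.Credentials = new CredentialHeader { PortalID = 0, Username = "demo-host", Password = "demo-password" };
        Console.WriteLine(svc.GetFirma("K1"));
    }
}
```

The header is part of the SOAP envelope, so the service needs to be published over HTTPS for the username and password not to cross the network in clear text.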