WCF REST service restrictions

  • User-1799376286 posted
    Is it possible in a WCF web service to find out the domain that generated the call? Secondly, how can I restrict the web methods to respond only when called from specific domains?
    Monday, June 10, 2013 1:40 PM

All replies

  • User-1662538993 posted

    One more thing you can do is ask them to provide a special licence key and token with each request.

    Depending on the token you can let them access the method or not, instead of finding the domain name.

    You can find the host name or IP address of the caller, but sometimes they use a firewall or a third party to host their service, and then it would be a static IP; in those cases it is very difficult to obtain the domain name easily.

    Monday, June 10, 2013 2:26 PM
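    As an added example of what the reply above describes (this is not the poster's code): a WCF REST operation that reads the caller's transport-level address and a per-request licence key sent in an HTTP header, and refuses the call when either is not on its allow-list. The contract, the header name, and the allow-list values are placeholders made up for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Web;

// Added example: the contract and its names are placeholders, not from the thread.
[ServiceContract]
public interface ILookupService
{
    [OperationContract]
    [WebGet(UriTemplate = "records/{id}")]
    string GetRecord(string id);
}

public class LookupService : ILookupService
{
    // Hypothetical header carrying the licence key the reply suggests sending with each request.
    public const string LicenseHeader = "X-License-Key";

    // Constructed allow-lists for the illustration; a real service would load these from configuration.
    private static readonly HashSet<IPAddress> AllowedCallers = new HashSet<IPAddress>
    {
        IPAddress.Parse("203.0.113.10")   // TEST-NET-3 documentation address, constructed
    };
    private static readonly HashSet<string> ValidLicenseKeys = new HashSet<string>(StringComparer.Ordinal)
    {
        "example-licence-key-0001"        // constructed sample key
    };

    public string GetRecord(string id)
    {
        // Address of the TCP peer that opened the connection, recorded by the HTTP channel.
        object property;
        string callerAddress = null;
        if (OperationContext.Current.IncomingMessageProperties.TryGetValue(
                RemoteEndpointMessageProperty.Name, out property))
        {
            callerAddress = ((RemoteEndpointMessageProperty)property).Address;
        }

        // The licence key arrives in a custom HTTP request header (null when absent).
        string licenseKey = WebOperationContext.Current.IncomingRequest.Headers[LicenseHeader];

        if (!IsAuthorized(callerAddress, licenseKey))
        {
            // Fail closed with an HTTP status code rather than a SOAP fault.
            throw new WebFaultException(HttpStatusCode.Forbidden);
        }
        return "record " + id;
    }

    // Authorization decision kept separate from the WCF plumbing so it can be unit-tested.
    public static bool IsAuthorized(string callerAddress, string licenseKey)
    {
        if (string.IsNullOrEmpty(licenseKey) || !ValidLicenseKeys.Contains(licenseKey))
            return false;

        IPAddress ip;
        if (string.IsNullOrEmpty(callerAddress) || !IPAddress.TryParse(callerAddress, out ip))
            return false;

        return AllowedCallers.Contains(ip);
    }
}
```

    Two caveats that follow from the reply: the address WCF reports is the immediate peer, so a caller behind a NAT gateway, firewall or hosting proxy shows up as that device's static address, and a reverse DNS lookup on it will rarely give you the caller's own domain. And a licence key that a browser page sends from JavaScript is readable by anyone who loads the page, which is the concern the asker raises in the replies that follow.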
  • User-1799376286 posted
    But the problem is, I would be making the call to the web service from jQuery, and the license key passed to the web service would be easily accessible if somebody views the page with "view source". Any suggestions please?
    Monday, June 10, 2013 2:41 PM
  • User-1662538993 posted

    You can use some kind of encryption and send the key from the client, and at the web service you can use the private key to decrypt it and then authenticate.

    Monday, June 10, 2013 3:02 PM
  • User-1799376286 posted
    Thanks for your reply. You are suggesting using encryption on the client side. My question is: as the encryption method would be in a web method and I would be calling it from the client side, then if I call the web service from jQuery, anybody can call the encryption method from the client side by passing the same parameter. Sorry, I am a bit new to this and apologise if I miss the whole point here.
    Monday, June 10, 2013 3:09 PM
  • User-1662538993 posted

    What you do is basically send something like this:

    Say you want to send abc; then you send the encrypted value of abc, encrypted by some key, say 123, so the value of abc will become afff999.

    Now your web service knows the key is 123, and it will decrypt afff999 with key 123 and get the decrypted value abc.

    Monday, June 10, 2013 3:20 PM
  • User-1799376286 posted
    Suppose I am calling the web service from jQuery. So it would be something like Encrypted64byte('afff999'); if somebody tries to view source (of the HTML page) they can see the above code, and the hacker can call the same encrypt64byte method and pass the same value 'afff998'. How to secure the above?
    Monday, June 10, 2013 3:27 PM
  • User-1662538993 posted

    You would pass only 'aff999'. Why do you want to say Encrypted64byte('afff999')?

    Your service should know that you are using Encrypted64byte, so it will decrypt with that encoding.

    Monday, June 10, 2013 4:03 PM
  • User-1799376286 posted

    So if I pass ff999, then the same value can be passed by the attacker as well and they can get access to the web method, as when the attacker passes the value 'ff999' it would again be decrypted on the server side and would authenticate the service to return records.

    Remember that the above applies when the call is made from jQuery, as the code is viewable from the HTML view source.

    Monday, June 10, 2013 4:49 PM
  • User220959680 posted

    Digital certificates provide a granular level of security for the service, as the client needs to attach the digital certificate with the request to be authorised to consume service methods.

    Refer http://robbincremers.me/2011/12/27/wcf-transport-security-and-client-certificate-authentication-with-self-signed-certificates/

    Note that even though configuring digital certificates seems to be painful, once it is implemented the process of securing the service would be a lot easier.

    Also http://msdn.microsoft.com/en-us/library/ms731899.aspx

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, June 10, 2013 5:26 PM
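    As an added example of the certificate approach this reply recommends (not code from the reply or from the linked articles): a self-hosted WCF REST endpoint over HTTPS that requires every caller to present a client certificate, and an operation that reports which certificate the caller used. The contract, the URL and the validation settings are placeholders chosen for the illustration.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.ServiceModel.Web;

// Added example with placeholder names; not code from the thread or the linked articles.
[ServiceContract]
public interface ICertificateGatedService
{
    [OperationContract]
    [WebGet(UriTemplate = "whoami")]
    string WhoAmI();
}

public class CertificateGatedService : ICertificateGatedService
{
    // With a certificate-authenticated transport, WCF exposes the validated client certificate
    // as the caller's primary identity; its Name is the certificate subject plus thumbprint.
    public string WhoAmI()
    {
        return ServiceSecurityContext.Current.PrimaryIdentity.Name;
    }
}

public static class CertificateSecuredHost
{
    // HTTPS transport security with a mandatory client certificate:
    // the TLS handshake fails before any operation runs if the client presents none.
    public static WebHttpBinding BuildBinding()
    {
        var binding = new WebHttpBinding(WebHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        return binding;
    }

    // Self-hosted variant; under IIS the same binding and behavior settings go into web.config.
    public static WebServiceHost Build(Uri httpsBaseAddress)
    {
        var host = new WebServiceHost(typeof(CertificateGatedService), httpsBaseAddress);
        host.AddServiceEndpoint(typeof(ICertificateGatedService), BuildBinding(), "");

        var auth = host.Credentials.ClientCertificate.Authentication;
        // ChainTrust: the client certificate must chain to a root CA the server machine trusts.
        // For self-signed client certificates, use PeerTrust instead and install each client
        // certificate in the TrustedPeople store of the machine hosting the service.
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.Online;
        return host;
    }

    // The server's own TLS certificate is bound to the port outside WCF
    // (netsh http add sslcert for self-hosting, or the site binding in IIS).
    public static void Main()
    {
        using (var host = Build(new Uri("https://localhost:8443/gated")))   // placeholder address
        {
            host.Open();
            Console.WriteLine("Listening; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

    This answers the asker's replay concern differently from a shared key: the private key of the client certificate never leaves the client and is never embedded in a page, so nothing a "view source" reveals lets a third party authenticate. The trade-off is that each consumer has to be issued a certificate, which is the setup cost the reply mentions.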
  • User-488622176 posted

    Why not use IPsec or other technical security methods to prevent unauthorized access?

    Monday, June 10, 2013 5:37 PM