Securing web service with jQuery Call

  • Question

  • User-563212613 posted

    Hello All,

    I have a few web services which are used mainly to call the database and return output to the client.

    Now all the web services are called directly from JavaScript (jQuery) only, and hence none of the built-in ways of authenticating works for me.

    Can anyone suggest a way to secure web service which is only accessed from jQuery?

    Thanks in advance

    Monday, April 15, 2013 11:06 AM

All replies

  • User-1137493631 posted

    Yes, you can use Windows authentication as mentioned here, please have a look into this

    http://stackoverflow.com/questions/1002179/how-can-i-pass-windows-authentication-to-webservice-using-jquery

    Monday, April 15, 2013 11:10 AM
  • User1779161005 posted

    If the jQuery code is in a web page that's part of an authenticated web application, then the ajax call will also be authenticated (assuming the ajax call is back to the same application).

    Monday, April 15, 2013 11:37 AM
  • User-563212613 posted

    Hello BrockAllen,

    Actually, the web services are hosted separately on a server. I am using cross-domain jQuery calls to access the web services. To differentiate various users, currently I am passing one key with every request. But my concern is that if some other person gets that key from the browser's view source or with the help of Firebug, then I do not have any other way to validate the request.

    Also I do not have any UI so that I can use any other methods for authentication like Form based authentication etc...

    Regards,

    Dharmesh Solanki

    Tuesday, April 16, 2013 2:34 AM
  • User1779161005 posted

    Actually, the web services are hosted separately on a server. I am using cross-domain jQuery calls to access the web services.

    So you'll need CORS support on your server then. You can use this now:

    http://brockallen.com/2012/06/28/cors-support-in-webapi-mvc-and-iis-with-thinktecture-identitymodel/

    or WebAPI's built-in support that ships later this year:

    https://aspnetwebstack.codeplex.com/wikipage?title=CORS%20support%20for%20ASP.NET%20Web%20API

    To differentiate various users, currently I am passing one key with every request. But my concern is that if some other person gets that key from the browser's view source or with the help of Firebug, then I do not have any other way to validate the request.

    Also I do not have any UI so that I can use any other methods for authentication like Form based authentication etc...

    Yea, that's not secure because the key is not secret. You must have some UI if you're calling the service using jQuery. What do you need to do -- authenticate the user to the service or just have the user given permission to access the resource? This might help answer those questions:

    http://leastprivilege.com/2013/04/16/authentication-vs-authorization/

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, April 16, 2013 2:47 PM
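
The server-side CORS handling that the last reply says a cross-domain jQuery caller needs, sketched as an added example: it is not part of any post in this thread and is not the Thinktecture IdentityModel or ASP.NET Web API implementation. The origin, the allowed header names and the `corsDecision` function are constructed for illustration. CORS only tells browsers which pages may read the response; non-browser clients can send any `Origin` they like, so the service still has to authenticate the user.

```javascript
// Added illustration: framework-neutral CORS decision logic (hypothetical
// helper, not a library API). Origin and header names are constructed samples.
const POLICY = {
  allowedOrigins: new Set(["https://app.example.com"]), // exact match, no wildcard
  allowedMethods: new Set(["GET", "POST"]),
  allowedHeaders: new Set(["content-type", "x-requested-with"]),
  allowCredentials: true, // browser may attach the user's cookies / Windows auth
  maxAgeSeconds: 600,
};

// Returns { status, headers } for the CORS part of a request.
// `req` = { method, headers } with lower-cased header names.
function corsDecision(req, policy = POLICY) {
  const origin = req.headers["origin"];
  const headers = { Vary: "Origin" }; // keep caches from mixing per-origin answers
  if (!origin) return { status: 200, headers }; // not a cross-origin browser call
  if (!policy.allowedOrigins.has(origin)) return { status: 403, headers };

  // Echo the specific origin: browsers reject "*" on credentialed calls.
  headers["Access-Control-Allow-Origin"] = origin;
  if (policy.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";

  const wanted = req.headers["access-control-request-method"];
  const isPreflight = req.method === "OPTIONS" && wanted !== undefined;
  if (!isPreflight) return { status: 200, headers };

  // Preflight: check the method and every header the page wants to send.
  const askedHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = policy.allowedMethods.has(wanted) &&
    askedHeaders.every((h) => policy.allowedHeaders.has(h));
  if (!ok) return { status: 403, headers };

  headers["Access-Control-Allow-Methods"] = [...policy.allowedMethods].join(", ");
  headers["Access-Control-Allow-Headers"] = [...policy.allowedHeaders].join(", ");
  headers["Access-Control-Max-Age"] = String(policy.maxAgeSeconds);
  return { status: 204, headers };
}
```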