securing a web service
New Post
2/20/2015 11:04 AM
 

Hi

Can anyone please advise me on the best way (or easiest way perhaps :-)  to secure a web service for use from a DNN module?

I use a web service (.asmx) in a module I'm developing based on System.Web.Services.WebService.

I did find some articles here:
http://www.dnnsoftware.com/wiki/page/web-services

But I'm not sure how current these methods are.

Best Regards,

Steve

New Post
2/21/2015 4:22 AM
 

Steve,

Asmx webservices are a bit of a legacy approach.  I'm not aware of any good explanations of best practice for securing them for DNN.  When I built asmx services in the past, I would pass username/password or an encrypted application token in the SOAP header and build the encrypt/decrypt in a common library for my service and client code.  If you can use SSL between your service and client, you may not need to encrypt the security information.   Another approach is you could create an authenticate service as part of your asmx like this person suggests.

 

If you are using DNN7, I would suggest building your services as DNN WebAPI framework services because the security part for DNN is already built in.  I covered this topic pretty well in this video: Client Centric Module Development Part 2.  Although the rest of that tutorial is on calling these services from ajax, you could call them from your code behind too.

  

 
New Post
2/22/2015 4:33 AM
 

Hi Scott,

Thank you for your reply. I was considering a GUID which I could include encrypt/decrypt, but I will take a look at your videos on the DNN API first.

Steve

 
New Post
2/22/2015 7:37 AM
 

Hello Scott,

Thank you for your reply.

I will try the DNN WebAPI approach. I'm using Ajax to make the calls so that should be perfect. I might come back here if I get stuck :-)

 

Thank you once again.

Best Regards,

Steve

 
New Post
2/24/2015 9:26 AM
 

Hi Scott,

I've changed my code to use the DNN Web Api, incorporating the security features mentioned in your client centric module development videos.

But on this page: http://www.dnnsoftware.com/wiki/page/services-framework-security

It says to use 'serviceFramework.getAntiForgeryProperty' on the data parameter of the Ajax call to include the anti-forgery token, there's an example:

data: serviceFramework.getAntiForgeryProperty({ NotificationId: action.NotificationId }),

Your example uses knockout to create the data; as I'm not familiar with knockout I can't see what's going on there.

So I tried using a variable which contains my JSON as follows:

data: serviceFramework.getAntiForgeryProperty(myjsonvariable),

But this doesn't work, i.e. the server side function isn't reached, and no error was generated either.

So how should I wrap my JSON, which works without the call to getAntiForgeryProperty but doesn't work with it?

Also, finally, how can I best test that security is working? Use Fiddler to intercept the call and change the token, and ensure the call fails? I haven't used Fiddler much, but before I invest a load of time on it, does that sound a reasonable approach?

Best Regards,

Steve
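
The call shape quoted in the post above and the tampered-token test it proposes, as an added example that is not part of the thread and is not DNN's code. It assumes the helper works by adding the token as one more property on the object it is given, in which case a pre-serialized JSON string has nowhere to carry it; the field name, token value and server check are hypothetical stand-ins.

```javascript
// Added example: every name below is a hypothetical stand-in, not DNN source.
const TOKEN_FIELD = "__RequestVerificationToken"; // assumed field name
const SESSION_TOKEN = "constructed-token-123"; // constructed sample value

// Stand-in for serviceFramework.getAntiForgeryProperty: assumed to add the
// token as a property on the object it receives and return that object.
function getAntiForgeryProperty(data) {
  const target = data || {};
  if (typeof target === "object") target[TOKEN_FIELD] = SESSION_TOKEN;
  return target; // a string comes back unchanged: it cannot hold a property
}

// What $.ajax does with `data`: strings go out as-is, objects are form-encoded.
function toRequestBody(data) {
  return typeof data === "string" ? data : new URLSearchParams(data).toString();
}

// Stand-in server check: accept only a body that carries the expected token.
function serverAccepts(body) {
  let fields;
  try {
    fields = JSON.parse(body);
  } catch {
    fields = Object.fromEntries(new URLSearchParams(body));
  }
  return String(fields?.[TOKEN_FIELD] ?? "") === SESSION_TOKEN;
}

// The four requests worth replaying when checking that the protection works.
function runCases() {
  const payload = { NotificationId: 42 }; // constructed sample payload
  const good = toRequestBody(getAntiForgeryProperty({ ...payload }));
  return {
    objectWrapped: serverAccepts(good),
    stringWrapped: serverAccepts(
      toRequestBody(getAntiForgeryProperty(JSON.stringify(payload)))
    ),
    noToken: serverAccepts(toRequestBody(payload)),
    tamperedToken: serverAccepts(good.replace(SESSION_TOKEN, "tampered")),
  };
}

console.log(runCases());
```

The last two cases are the ones to reproduce with an intercepting proxy: a protected endpoint should reject both a missing token and a modified one.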

 

 