How to prevent accessing a web api from a web address - c#

Sorry if this question has been asked before. I searched but I can't find a way to solve my problem.
I have a web API (I don't use OWIN or something like that). The API creates a task from data sent by an application and returns the taskId and pageId to the application to pass as GET/POST parameters to the website. After that, the application that integrates the web API redirects to one of my web application's pages to complete the task created by my web API. I have some security flows such as appid-password to control the accessing application. But this has a security problem.
If a customer shares the appid and password with another person, then the appid/password info could be used by a disallowed application.
Here is what I tried to solve the problem:
I tried to get the HttpContext.Current.Request.Headers["Origin"] info, but the application that integrates my web API must send the header, and it could not solve the problem, because the same "Origin" header can be sent by a bunch of applications. I tried to use HttpContext.Current.Request.Headers["REMOTE_ADDR"] or HttpContext.Current.Request.Headers["REMOTE_HOST"], and both return the IP address of the customer's application. These could not solve my problem either, because on one server there may be thousands of applications. I tried to resolve the DNS name from the IP address, but I could not achieve this because the integrated application may not be registered, or it may not be accessible from the outside network.
What is the best way to solve this problem? Thanks for your help.

Related

Prevent unwanted access to my web service

I have coded a C# MVC5 Internet application and I have a Web API 2 web service that returns JSON data. I am retrieving this JSON data in an android application.
How can I add a feature to the web service such that only my android application can retrieve the JSON data? I am wanting to do this so that other web users cannot hammer the url and the web service will not send my data to unwanted applications and/or users.
Is this possible? If so, how should I do this?
Thanks in advance.
You have various ways to achieve this, in fact.
For example, you can store a key in your android application and send this key together with the request to your WebAPI. Your WebAPI will then check if the key is valid and, if it is, it will return the JSON.
However, there's no way to ensure that nobody else can request and get your data, for example by reverse engineering your android application and extracting the key, or by monitoring the network traffic and finding the key in there.
You need to understand that there isn't anything that guarantees you 100% security.
See it as the following:
You have an open door right now; you can close it little by little, but closing and locking it down is not possible. There will always be a gap. A house also can't be made burglar proof, but you can make it very hard for a burglar to enter.
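The per-application key that this answer describes, and the appid/password problem in the question at the top of the page, both come down to the same check: the server must decide whether the caller holds a credential issued to a registered application. The example below is added here and is not code from either post or from ASP.NET itself. It is a Web API 2 DelegatingHandler in which the caller proves possession of its secret with an HMAC over the request instead of sending the secret, so traffic capture does not reveal it and a replayed request fails the timestamp and nonce checks. The header names (X-App-Id, X-Timestamp, X-Nonce, X-Signature), the "demo-app" entry and its secret are all constructed for the example. As both posts note, a secret the customer deliberately hands to someone else still works; the handler therefore traces app id and client address on every accepted request so that one app id appearing from many addresses is visible in the logs.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Diagnostics;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web;

// Added example, not code from the question or the answers. Each registered application signs
// its request with its own secret; only the app id, a timestamp, a nonce and an HMAC-SHA256
// signature travel over the wire, so the secret cannot be read out of traffic and a captured
// request cannot be replayed. A secret that a customer hands to a third party still works, which
// is why every accepted request is traced with app id and client address: sharing shows up in logs.
public class HmacAuthenticationHandler : DelegatingHandler
{
    // Hypothetical app id -> secret store; a real service loads this from its database.
    private static readonly IDictionary<string, byte[]> AppSecrets = new Dictionary<string, byte[]>
        { { "demo-app", Encoding.UTF8.GetBytes("constructed-demo-secret-do-not-reuse") } };
    private static readonly TimeSpan AllowedSkew = TimeSpan.FromMinutes(5);
    // Nonces accepted inside the skew window; seeing one again means a replay.
    private static readonly ConcurrentDictionary<string, DateTime> SeenNonces = new ConcurrentDictionary<string, DateTime>();

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        string appId = Header(request, "X-App-Id");
        string timestamp = Header(request, "X-Timestamp");
        string nonce = Header(request, "X-Nonce");
        string signature = Header(request, "X-Signature");
        // ReadAsStringAsync buffers the body, so the controller can still read it afterwards.
        string body = request.Content == null ? "" : await request.Content.ReadAsStringAsync();

        if (!Verify(appId, request.Method.Method, request.RequestUri.PathAndQuery, timestamp, nonce, body, signature))
            return new HttpResponseMessage(HttpStatusCode.Unauthorized);

        Trace.TraceInformation("Accepted request from app {0} at {1}", appId, ClientAddress(request));
        return await base.SendAsync(request, cancellationToken);
    }

    // The string both sides sign. Anything left out of it can be altered in transit without
    // invalidating the signature, so it covers everything the server's decision depends on.
    public static string Canonical(string appId, string method, string pathAndQuery, string timestamp, string nonce, string body)
    {
        using (var sha = SHA256.Create())
        {
            string bodyHash = Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(body ?? "")));
            return string.Join("\n", appId, method.ToUpperInvariant(), pathAndQuery, timestamp, nonce, bodyHash);
        }
    }

    // Clients call this with their own secret to produce X-Signature.
    public static string Sign(byte[] secret, string canonical)
    {
        using (var hmac = new HMACSHA256(secret))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(canonical)));
    }

    public static bool Verify(string appId, string method, string pathAndQuery, string timestamp, string nonce, string body, string signature)
    {
        byte[] secret; long unixSeconds;
        if (string.IsNullOrEmpty(appId) || !AppSecrets.TryGetValue(appId, out secret)) return false;
        if (string.IsNullOrEmpty(nonce) || string.IsNullOrEmpty(signature) || !long.TryParse(timestamp, out unixSeconds)) return false;

        DateTime now = DateTime.UtcNow;
        DateTime sent = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc).AddSeconds(unixSeconds);
        if ((now - sent).Duration() > AllowedSkew) return false;

        // A nonce already accepted for this app is a replay; expired nonces are purged as we go.
        if (!SeenNonces.TryAdd(appId + ":" + nonce, now)) return false;
        foreach (var entry in SeenNonces)
            if (now - entry.Value > AllowedSkew) { DateTime ignored; SeenNonces.TryRemove(entry.Key, out ignored); }

        string expected = Sign(secret, Canonical(appId, method, pathAndQuery, timestamp, nonce, body));
        return FixedTimeEquals(Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(signature));
    }

    // No early exit on the first mismatch, so response time does not reveal how much of the signature matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static string Header(HttpRequestMessage request, string name)
    {
        IEnumerable<string> values;
        return request.Headers.TryGetValues(name, out values) ? string.Concat(values) : null;
    }

    private static string ClientAddress(HttpRequestMessage request)
    {
        object ctx; // "MS_HttpContext" is set by the ASP.NET host; it is absent when self-hosted.
        var http = request.Properties.TryGetValue("MS_HttpContext", out ctx) ? ctx as HttpContextBase : null;
        return http == null ? "unknown" : http.Request.UserHostAddress;
    }
}
```

Register it with `config.MessageHandlers.Add(new HmacAuthenticationHandler());` in WebApiConfig.Register so it runs before routing. A client builds the same canonical string with its own secret and calls Sign to fill X-Signature; because the path, method and body hash are part of that string, a captured signature cannot be reused for a different request. The nonce cache is per process, so a load-balanced deployment would keep it in a shared store instead of the static dictionary.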
Go to this link: Web Api. I have used individual authentication for my web API. When you register the user, the response you get is an access token; use that access token as the Authentication header in your ajax call if you are using jQuery ajax to call your Web API. Refer to The OAuth 2.0 Authorization Framework. Hope this helps you.
Are you looking for something like this?
http://httpd.apache.org/docs/2.2/howto/access.html
If you have another web server, there should be appropriate means to support this.

Detecting Request from Localhost in C#

I have a challenge and I believe there is a developer smarter than me that can provide some insight.
I have a web service. This web service is written with ASP.NET MVC in C#. I want to allow developers to call this web service. When developers are writing code, I recognize that web apps typically run from localhost. When they call this service, I want to be able to identify if the request is coming from localhost. However, if I look at the IP address, it's the IP address of their machine.
Is there a way for me to even do this? Clearly Request.IsLocal won't work as my web service is running on an entirely different machine.
When you call a web service, the browser usually passes the page in the Referer header. So you can check if that value starts with "http://localhost". Virtually anything in an http request can be forged (including this), so be careful what kind of decisions you make based on this data.
Without passing some additional data along with the request from the app, there's not going to be any way for you to know.
You'll only be able to get the IP address or Host name that was used to make the request to your Web Service and it sounds like you want to be able to find the Host Name (localhost) that was used to make the request to the app (which then triggers the call to the Web Service).
How will you then define local (from the perspective of your service)? You'd be better off setting up a development service on a different API end point instead of attempting to guess this.
All production level API calls can go to something like api.yourservice.com with all development level requests coming in via dev.yourservice.com.
You can then have two separate services or have your service read the URL being requested and differentiate based on this.
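The two answers above agree on the practical split: nothing in the request proves where it came from, but the host name the request was sent to is under your control. The example below is added here and is not code from the question, the answers or ASP.NET itself. It is a Web API 2 DelegatingHandler that classifies each request by the host it was addressed to (the api.yourservice.com / dev.yourservice.com names from the second answer, assumed here), refuses hosts you never bound rather than guessing, and records the Referer from the first answer purely as a logged hint, since any client can set it.

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Added example, not code from the question or answers. Picks the environment from the host
// name the request was sent to and treats the Referer header only as a logged hint.
public class EnvironmentByHostHandler : DelegatingHandler
{
    public const string EnvironmentKey = "ApiEnvironment";

    // Hypothetical host names; the real ones come from your DNS records and IIS bindings.
    private const string ProductionHost = "api.yourservice.com";
    private const string DevelopmentHost = "dev.yourservice.com";

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        string environment = ClassifyHost(request.RequestUri.Host);
        if (environment == null)
        {
            // A host you did not bind is not one you serve; do not try to infer anything from it.
            return Task.FromResult(new HttpResponseMessage(HttpStatusCode.NotFound));
        }
        // Controllers read this to pick the matching configuration (connection strings, sandbox flags).
        request.Properties[EnvironmentKey] = environment;

        if (RefererLooksLocal(request.Headers.Referrer))
            Trace.TraceInformation("{0} request with a localhost Referer (unverifiable hint) to {1}",
                environment, request.RequestUri.PathAndQuery);

        return base.SendAsync(request, cancellationToken);
    }

    // Returns "production", "development" or null for a host that is not one of ours.
    public static string ClassifyHost(string host)
    {
        if (string.Equals(host, ProductionHost, StringComparison.OrdinalIgnoreCase)) return "production";
        if (string.Equals(host, DevelopmentHost, StringComparison.OrdinalIgnoreCase)) return "development";
        return null;
    }

    // True for http://localhost..., http://127.0.0.1..., etc. Forgeable, so only ever log it.
    public static bool RefererLooksLocal(Uri referer)
    {
        return referer != null && (referer.IsLoopback || referer.Host.Equals("localhost", StringComparison.OrdinalIgnoreCase));
    }
}
```

Register it with `config.MessageHandlers.Add(new EnvironmentByHostHandler());` and read `Request.Properties[EnvironmentByHostHandler.EnvironmentKey]` in a controller. Keeping the decision on the host name means a developer's app pointed at dev.yourservice.com gets development behaviour no matter where it runs, which is the outcome the question wanted without depending on a header the client controls.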

https on proxy server for asp.net web site?

I have a simple asp.net webservice that has a login method, and it is deployed on an IIS server; the url is http://sitename.domain.org:9111/membership/membershipdir.asmx.
My network team created an SSL proxy url on a proxy server (I think it is apache) for this web service site. Now the webservice can be accessed through the proxy like this: https://www.domain.org/webservices/spws/Membership/membershipdir.asmx.
It works fine, but when I invoke the webservice method, the result window url shows http://servername.domain.org:9111/Membership/membershipdir.asmx/Login
Now the network team is complaining that port 9111 is still exposed to the public for the login portion, and something has to change in the application. I am not understanding what I should change at the application level.
I am also not understanding why the results are showing with the server name and not the proxy name.
Does anybody have any clue?
Check out: What's the best method in ASP.NET to obtain the current domain? to always use the same domain the user made the initial request to.
Now, I'm not sure about the proxy server situation... if the proxy server is making any changes, it should be doing the opposite on the way back out... so I really can't speak to that problem... but, regardless, make sure you are using the original request domain by either using relative paths, or by the method in the Question linked to above.

Security on a WCF public web service

I'm building a complex, public web service in WCF that sends email to a specific address, similar to a contact form but with some features.
With jQuery I get the data from the textbox, and with Ajax and JSON I send the strings to the web service to proceed with the send.
Now, is there a good way to make it secure?
I mean... the service is public, so someone can have access to it and start to spam this address. Can I restrict users to use the web service only from the correct web site?
Thanks.
If the WCF service is hosted in IIS, you can allow calls only from a specific IP address; look at the directory security settings under IIS.
By far the simplest way is to have your web service require some type of access key in order to run the operation.
Something simple like a base64 encoded GUID would work. It doesn't even have to change. Just add a parameter called "AccessKey" or something similar. Have your app pass that and let the service validate that it is good.
Another idea is to have the web service check the http headers to see if it came from the page you authorized to use it.
Neither of those is perfect. The first one means that your "key" will be inside the html you send to the client. The second one can be spoofed.
Personally, I'd probably not bother at this level and just log what the service is doing. If the traffic counts to the service start to exceed what you think it ought to be, then I'd investigate ways to mitigate it. Most likely, given that it's a service you won't see any issues.
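The answer above suggests an access key plus watching the traffic counts. The example below is added here and is not code from the question, the answer or WCF itself; it puts both ideas into one WCF message inspector for a service called over HTTP/JSON. Every request must carry the key in an X-Access-Key header (header name, key value, the 20-requests-per-10-minutes limit and the attribute name are all constructed for the example), and each client address gets a request counter so that a spam run is logged and throttled instead of quietly accepted. As the answer says, the key lives in the HTML the page serves, so it only turns away casual abuse; the counter is what catches the rest.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.ObjectModel;
using System.Diagnostics;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Web;

// Added example, not code from the question or answers. Applies the two ideas in the answer to a
// WCF service called over HTTP/JSON: an access-key check, and per-client traffic counting so that
// abuse of a public contact-form endpoint is logged and throttled rather than silently accepted.
[AttributeUsage(AttributeTargets.Class)]
public class AccessKeyThrottleAttribute : Attribute, IServiceBehavior, IDispatchMessageInspector
{
    // Hypothetical key the page embeds; anyone who reads the HTML has it, so it only stops casual abuse.
    private const string ExpectedAccessKey = "constructed-access-key";
    private const string AccessKeyHeader = "X-Access-Key";
    private const int MaxRequestsPerWindow = 20;
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(10);

    // client address -> (start of the current window, requests seen in it)
    private static readonly ConcurrentDictionary<string, Tuple<DateTime, int>> Counters =
        new ConcurrentDictionary<string, Tuple<DateTime, int>>();

    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
    {
        var http = request.Properties[HttpRequestMessageProperty.Name] as HttpRequestMessageProperty;
        var endpoint = request.Properties[RemoteEndpointMessageProperty.Name] as RemoteEndpointMessageProperty;
        // Behind a reverse proxy this is the proxy's address; use the proxy's forwarded header there instead.
        string client = endpoint == null ? "unknown" : endpoint.Address;
        string key = http == null ? null : http.Headers[AccessKeyHeader];

        if (!IsKeyValid(key))
        {
            Trace.TraceWarning("Rejected request from {0}: missing or wrong access key", client);
            throw new WebFaultException(HttpStatusCode.Forbidden);
        }
        if (!RegisterRequest(client, DateTime.UtcNow))
        {
            Trace.TraceWarning("Throttled {0}: more than {1} requests in {2}", client, MaxRequestsPerWindow, Window);
            throw new WebFaultException((HttpStatusCode)429); // Too Many Requests
        }
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }

    public static bool IsKeyValid(string key)
    {
        return key != null && key == ExpectedAccessKey;
    }

    // Counts the request and returns false once the client has used up its allowance for the window.
    public static bool RegisterRequest(string client, DateTime now)
    {
        var updated = Counters.AddOrUpdate(client,
            _ => Tuple.Create(now, 1),
            (_, current) => now - current.Item1 > Window
                ? Tuple.Create(now, 1)
                : Tuple.Create(current.Item1, current.Item2 + 1));
        return updated.Item2 <= MaxRequestsPerWindow;
    }

    // IServiceBehavior: attach this inspector to every endpoint of the decorated service.
    public void ApplyDispatchBehavior(ServiceDescription serviceDescription, ServiceHostBase serviceHostBase)
    {
        foreach (ChannelDispatcher dispatcher in serviceHostBase.ChannelDispatchers)
            foreach (EndpointDispatcher endpoint in dispatcher.Endpoints)
                endpoint.DispatchRuntime.MessageInspectors.Add(this);
    }

    public void AddBindingParameters(ServiceDescription serviceDescription, ServiceHostBase serviceHostBase,
        Collection<ServiceEndpoint> endpoints, BindingParameterCollection bindingParameters) { }

    public void Validate(ServiceDescription serviceDescription, ServiceHostBase serviceHostBase) { }
}
```

Decorate the service class with `[AccessKeyThrottle]` and have the page's jQuery call send the key in the X-Access-Key header. The trace output is the part the answer recommends in any case: a single address exceeding the window is exactly the signal that tells you whether the extra measures are worth adding.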

.NET Web Service - Host name resolving improperly

Duplicate: This is the exact same question, from the exact same person, as Issue with Incorrect URLs in the WSDL of a .NET Web Service, and has the exact same answer. Let's please close this and merge it with the other.
We have installed an ASP.NET web site on a client's server. This site has a web service with a couple of web methods that are called by a Flash object in order to display a news feed. If you browse to their site (ex: www.domain.com), everything's working fine except the flash.
The issue is that when we browse to the .asmx, the header shows that the Host is a subdomain internal to their network (internal.domain.com). Obviously this doesn't resolve to any public IP when browsing from outside of their network. This causes the Flash to fail since the flash object is embedded on a page and is therefore running client side.
I checked the computer name on the server in question, and it doesn't even match "internal.domain.com" - it is something completely different. Where is it getting this information from? It is not coming from IIS, since we have no host headers set up, and the IP for the site is set to (all unassigned).
We either need to force the web service to run against a specific host, or we need to change something on the server so that it resolves to a valid public-facing host name. Any and all help is greatly appreciated!!!!
Web service host names are usually configured in the web.config when being consumed by .NET. When they are being consumed by flash you might need to go looking in the flash file. (My guess is that it is still configured for some sort of SIT environment.)
I'm not sure of the details of this, but I've seen this complaint with respect to WCF. The answer had to do with setting the host headers in IIS.
It's IIS that passes the host name to ASP.NET or WCF, and it passes the host header when that is configured. If it's not configured, then I suppose it won't send that header as the "host name", even if the client sets that header in the request.
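This question and the earlier "https on proxy server" question have the same root cause: the WSDL and test page of an .asmx service advertise the address the server sees itself on (internal host, port 9111), not the name the public reaches it by. The answers above point at host headers and at using the original request's domain. The example below is added here and is not code from either question, the answers or the .NET Framework; it is a SoapExtensionReflector that rewrites the advertised service location when the WSDL is generated. It takes the public base from an appSettings key named PublicServiceBaseUrl (an assumed name), and, if that is absent, from X-Forwarded-Proto / X-Forwarded-Host on the assumption that the reverse proxy sets them and strips any client-supplied copies.

```csharp
using System;
using System.Configuration;
using System.Web;
using System.Web.Services.Description;

// Added example, not code from either question. Rewrites the address advertised in the generated
// WSDL so that clients see the public proxy name instead of the internal host and port.
public class PublicAddressReflector : SoapExtensionReflector
{
    // Assumed appSettings key, e.g.
    // <add key="PublicServiceBaseUrl" value="https://www.domain.org/webservices/spws"/>
    private const string PublicBaseUrlKey = "PublicServiceBaseUrl";

    public override void ReflectMethod() { }

    // Called once the service description is complete; every SOAP/SOAP 1.2 port gets its location rewritten.
    public override void ReflectDescription()
    {
        ServiceDescription description = ReflectionContext.ServiceDescription;
        HttpRequest request = HttpContext.Current == null ? null : HttpContext.Current.Request;
        foreach (Service service in description.Services)
            foreach (Port port in service.Ports)
                foreach (object extension in port.Extensions)
                {
                    SoapAddressBinding address = extension as SoapAddressBinding; // Soap12AddressBinding derives from it
                    if (address != null)
                        address.Location = RewriteLocation(address.Location, request);
                }
    }

    // Keeps the path below the application root and swaps in the public scheme, host and prefix.
    public static string RewriteLocation(string originalLocation, HttpRequest request)
    {
        Uri original = new Uri(originalLocation);
        string appPath = request == null ? "/" : request.ApplicationPath;
        string relative = original.PathAndQuery;
        if (appPath != "/" && relative.StartsWith(appPath, StringComparison.OrdinalIgnoreCase))
            relative = relative.Substring(appPath.Length);

        string publicBase = ConfigurationManager.AppSettings[PublicBaseUrlKey];
        if (string.IsNullOrEmpty(publicBase) && request != null)
        {
            // Fallback: trust X-Forwarded-* only if the proxy is known to set them and drop client-supplied ones.
            string proto = request.Headers["X-Forwarded-Proto"] ?? request.Url.Scheme;
            string host = request.Headers["X-Forwarded-Host"] ?? request.Url.Authority;
            publicBase = proto + "://" + host + (appPath == "/" ? "" : appPath);
        }
        if (string.IsNullOrEmpty(publicBase)) return originalLocation;
        return publicBase.TrimEnd('/') + "/" + relative.TrimStart('/');
    }
}
```

Register it in web.config under `<system.web><webServices><soapExtensionReflectorTypes>` with an `<add type="YourNamespace.PublicAddressReflector, YourAssembly"/>` entry. With the appSettings value from the comment, the location `http://servername.domain.org:9111/Membership/membershipdir.asmx` becomes `https://www.domain.org/webservices/spws/Membership/membershipdir.asmx`, which is the proxy URL from the earlier question. Rewriting what is advertised does not by itself close port 9111; that part is an IIS binding or firewall rule that accepts connections on 9111 only from the proxy's address.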
