Private webservice?

Re: Private webservice?

Hi Hugh,

"Hugh" <hyoo@softhome. net> wrote in message
news:u4Um40iqDH A.1444@tk2msftn gp13.phx.gbl...[color=blue]
> Hello everyone,
>
> I'm reasonably new to webservices, and have been playing around with
> creating one in VS .NET, and then writing another app, and adding a web
> reference to it to communicate with my web service. What I was wondering,[/color]
is[color=blue]
> if someone got the URL to this web service, are they free to use it? I'd
> like to be able to create one for private use, to post data to my website.
> Is this possible?[/color]

If you create a web service on a public web server, then anyone else can
see and use that web service, yes. Googling "web service security"
(especially in Google Groups) will give you some ideas about how to deal
with this. Be warned, however, this is a complex subject and there is not
much out-of-the-box support for this kind of think in .NET 1.x.

Regards,
Dan

Re: Private webservice?

"Daniel Pratt" <kolREMOVETHISk ata_is@hotmail. com> wrote in message
news:u%23MUYAjq DHA.688@TK2MSFT NGP10.phx.gbl.. .[color=blue]
> Hi Hugh,
>
> "Hugh" <hyoo@softhome. net> wrote in message
> news:u4Um40iqDH A.1444@tk2msftn gp13.phx.gbl...[color=green]
> > Hello everyone,
> >
> > I'm reasonably new to webservices, and have been playing around with
> > creating one in VS .NET, and then writing another app, and adding a web
> > reference to it to communicate with my web service. What I was[/color][/color]
wondering,[color=blue]
> is[color=green]
> > if someone got the URL to this web service, are they free to use it? I'd
> > like to be able to create one for private use, to post data to my[/color][/color]
website.[color=blue][color=green]
> > Is this possible?[/color]
>
> If you create a web service on a public web server, then anyone else[/color]
can[color=blue]
> see and use that web service, yes. Googling "web service security"
> (especially in Google Groups) will give you some ideas about how to deal
> with this. Be warned, however, this is a complex subject and there is not
> much out-of-the-box support for this kind of think in .NET 1.x.
>
> Regards,
> Dan
>
>[/color]
Thanks Dan, appreciate your help.

If I was to implement my methods by including username and password
arguments, and get the client application to pass these credentials each
time it calls a method from the webservice, would this be secure enough?

Also, what are the chances of people actually finding a webservice on a
public server if its location is not published? Would search
engines/crawlers be able to pick it up?

Cheers, Hugh

Re: Private webservice?

> If I was to implement my methods by including username and password[color=blue]
> arguments, and get the client application to pass these credentials each
> time it calls a method from the webservice, would this be secure enough?[/color]

Practically yes, if you use SSL and check the server cert, passing the
credentials is a decent way.
[color=blue]
> Also, what are the chances of people actually finding a webservice on a
> public server if its location is not published? Would search
> engines/crawlers be able to pick it up?[/color]

I think VS.NET publishes the locations (disco files?), and there is some
kind of auto-detection available. I'm not sure if that's only for machines
with VS.NET installed though. Search engines might grab them if there was a
link to it. Also, if you have a way to browse directories, people could see
the .asmx files.

You might want to look into the Web Service Enhancements (WSE, search MSDN).
They have some security enhancements that might help you out.

-mike
MVP

Re: Private webservice?

On Fri, 14 Nov 2003 10:33:37 +1300, "Hugh" <hyoo@softhome. net> wrote:
[color=blue]
>Hello everyone,
>
>I'm reasonably new to webservices, and have been playing around with
>creating one in VS .NET, and then writing another app, and adding a web
>reference to it to communicate with my web service. What I was wondering, is
>if someone got the URL to this web service, are they free to use it? I'd
>like to be able to create one for private use, to post data to my website.
>Is this possible?
>
>Cheers.
>[/color]
If they're all on the same box, and the client has to get the WSDL file, why not
set the target machine has http://localhost/... ??

Also, your service could probably get the peer address...

/steveA
Steve Alpert
my email Fgrir_Nycreg@vq k.pbz is encrypted with ROT13 (www.rot13.org)
-------------------------------------------
NOTICE OF CONFIDENTIALITY
-------------------------------------------
The information in this email, including attachments, may be confidential
and/or privileged and may contain confidential health information. This
email is intended to be reviewed only by the individual or organization
named as addressee. If you have received this email in error please
notify IDX immediately--by return message to the sender or to
security@idx.co m--and destroy all copies of this message and any
attachments. Please note that any views or opinions presented in this
email are solely those of the author and do not necessarily represent
those of IDX. Confidential health information is protected by state and
federal law, including, but not limited to, the Health Insurance
Portability and Accountability Act of 1996 and related regulations.