Is there any way to secure calls from JavaScript to a web service that will write to database with each call? - wcf

I need to create a web service to receive feedback from users from a "Was this webpage helpful to you? [Yes] [No]" JavaScript widget that we will put at the bottom of all of our website's webpages. The goal is to have one web service accept requests from all of the websites and then the web service will insert data from each call into the database.
The problem is that I can't seem to find a way to secure pure JavaScript calls to the web service. I want to use C# ASP.NET for this, so my assumption is to use WCF to create the web service. How can one secure these calls solely from JavaScript to ensure that they are legitimate? Or is there a better architecture to consider?

Related

ASP.NET WEBAPI Internal/External Usage

Introduction
We are at the beginning of the development of a new web client for our current web application.
And we will take the chance to build a REST WebApi to access our assets (to be consumed by third parties, and also our new web client).
We're considering OAuth, Service Quotes, Application permissions, etc. for the WebAPI.
We want to "eat our own dogfood", so the new webclient must use the webapi...
Important: The webApi and the webClient will be hosted in the same server
Questions
A simple use case would be "Get the menu page links"
For the web client, which of these 2 approaches would you choose?
a) Generate an html with a Js webApiCall inside it to be called from client web browser to get the available menu links for the user. = (2 round trips: 1 for the html/aspx + 1 for the api call MenuGetAvailableItems)
b) Generate an html with the data menu links already populated (webApi MenuGetAvailableItems consumed internally in server side) = (1 round trip for html/aspx + an API internal call..)
If you choose option 1B, is it possible to avoid the http overhead by consuming the api from the same server and maintain the security, Quotes, etc? I mean, can we use some WCF mechanism or other to communicate between these 2 webs instead of making an http call to localhost...?
Thanks for your comments
Q 1
Regarding option a - I would avoid calling Web API from the web page, you will start to run into problems with CORS. Also, what if you want to use authentication to access the Web API service, how are you going to send a user name and password from the web page?
Regarding option b - you certainly can consume the web api service from inside your web app.
Q 2
I don't understand what you are asking.
If your primary purpose for building a web service is to allow a third party to interact with you, you are going to want to build just the services that need to be exposed.
In general, "eating your own dogfood" might not be the best reason to use Web API where standard calls to the database would be more appropriate. You are going to have two applications running, when all you really needed was a data tier in the web app.
It sounds like you are going to end up with a sprawling Web API app that will need new services every time you want to add something to your site.

Is it possible to create a website with WCF?

Is it possible to create a website (hosted locally on my machine is fine for now) using a WCF Service Application?
By "web site" I mean allow an HTTP call from a web browser to my service and have the service return an HTML page that the browser can then render/display.
I am doing something very similar using a WCF based REST service. I have a WCF service that is accessed only from a web browser to download images. If you browse to 'http://www.MyFooImageService.com/100', it will lookup from the database an image with ID 100 and serve it up to the user. I use it to serve images from WCF service for the purpose of sending (user defined) emails with embedded images.
I used this guide with great results: RESTFUL WCF Service Step-ByStep. Check it out and see if a REST based WCF service is what you are looking for.
No, it doesn't quite work like that. WCF applications are service applications. There is no GUI interface or web interface or any kind of interface at all.
What you do is you create a WCF service that does some sort of function. Let's say you create a method called StoreName that stores your name into a database. Keep it simple. WCF services can be hosted in a variety of ways, depending on how you plan to use it. But to keep it simple, let's say you host the application using IIS.
Now this WCF application has no interface for interacting with it. You need to create an ASP.NET application (or it can be PHP, or jQuery if you prefer). It might have a text box and a submit button. Once the submit button is pushed, the ASP.NET application (or jQuery or PHP) makes an ajax call to your WCF service, passing it in the name as a POST parameter. The WCF service then does the work of storing it in the database. Execution then returns back to your web application.
This is a general overview of how this works. I hope it helps!
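A sketch of the StoreName service described in the answer above, added here as an example and not code from the original post. The route, the name policy, the "FeedbackDb" connection string and the dbo.Names table are assumptions. It shows the two server-side controls that matter when a browser can reach a method that writes to a database: validate the input on the server and bind it as a SQL parameter.

```csharp
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Web;
using System.Text.RegularExpressions;

[ServiceContract]
public interface INameService
{
    // POST /names with a JSON body such as {"name":"Ada Lovelace"} (constructed sample).
    [OperationContract]
    [WebInvoke(Method = "POST", UriTemplate = "names",
               RequestFormat = WebMessageFormat.Json,
               ResponseFormat = WebMessageFormat.Json,
               BodyStyle = WebMessageBodyStyle.WrappedRequest)]
    void StoreName(string name);
}

public class NameService : INameService
{
    // Assumed policy: letters, spaces, apostrophes and hyphens, 1 to 100 characters.
    private static readonly Regex Allowed = new Regex(@"\A[\p{L} '\-]{1,100}\z");

    public void StoreName(string name)
    {
        // Anything sent by the page's script can be forged, so the check
        // is repeated here even if the page already validated the field.
        if (name == null || !Allowed.IsMatch(name))
            throw new WebFaultException<string>("Invalid name.", HttpStatusCode.BadRequest);

        // "FeedbackDb" and dbo.Names are hypothetical names.
        string cs = ConfigurationManager.ConnectionStrings["FeedbackDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("INSERT INTO dbo.Names (Name) VALUES (@name)", conn))
        {
            // Bound parameter: the value is never concatenated into the SQL text.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```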
A website involves:
1) A user requesting HTML from somewhere
You can proxy pass a simple HTTP Get request to a WCF service hosted in a console app (or hosted in IIS), and configure it to return an HTTP request of content type text/html. Then the user would see a website appear in the browser.
But WCF is not a good fit for this. Especially if it's a simple HTML page. Others have said ASP.NET is better for this. And that's true. But node.js or PHP or pretty much anything that isn't .NET is MUCH better for this.
2) A user uses the web page to interact with server processes
This involves a user clicking a button or moving a mouse, or anything, and then that results in the web page (actually a web app at this point) making AJAX requests to one, or several server(s).
WCF is quite a good fit for this.

authentication and authorization design in RESTful web application

I have a web application built using RESTful services (JAX-RS).
There are REST calls, and simple JSPs with js files to handle data.
Now I want to implement authentication and authorization in the service. What I did earlier was to implement a simple filter and inside each service check #HttpRequestContext for whether the session has a user object. Since I want to expose the service to, say, an external webapp, I will have to hard code the system as there is no standard.
I feel this is not good design. Is there a design pattern to solve this common issue?

Forms Authenticated Web APIs and jQuery

I have an issue that I am seriously struggling with.
I have a website, and a separate WebAPI which I want to be able to authenticate against each other. I was thinking that forms authentication would be best here. However, on my website, how do I go about calling the forms authenticated webAPI via a jQuery AJAX call?
Does anyone have any links or suggestions?
There is a discussion in this blog post on mixing forms authentication and basic authentication in Web API. You may be able to leverage some of the principles in this article although it was tested with the Web APIs residing on the same server as the web application.
If you keep the Web API and web application on separate servers your web application will run into cross domain issues and will have to support JSONP in your Web API. A possible workaround for your website is to create a Web API locally on your web server which is just a facade to the Web API on the remote server. You incorporate the standard security methods on the local Web API, using AuthorizeAttribute, which in turn just calls the Web API on the remote server. You can incorporate whatever security method you want to have for external users on the remote Web API.
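The facade described in the answer above, as an added example that is not part of the original answer. It assumes ASP.NET Web API 2 with attribute routing enabled; the remote address, the "items" route, the RemoteApiToken setting and the X-End-User header are hypothetical.

```csharp
using System;
using System.Configuration;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using System.Web.Http;

// Local facade: the browser only talks to this same-origin controller, so the
// forms-authentication cookie is sent and no cross-domain call is needed.
[Authorize] // rejects callers without an authenticated identity before any remote call
[RoutePrefix("api/items")] // requires config.MapHttpAttributeRoutes() at startup
public class ItemsFacadeController : ApiController
{
    // Hypothetical remote address; it is never exposed to the page's script.
    private static readonly HttpClient Remote = new HttpClient
    {
        BaseAddress = new Uri("https://remote-api.example.internal/"),
        Timeout = TimeSpan.FromSeconds(10)
    };

    [HttpGet, Route("{id:int}")]
    public async Task<IHttpActionResult> Get(int id)
    {
        // The route constraint guarantees id is an integer, so the caller
        // cannot change which remote path is requested.
        var request = new HttpRequestMessage(HttpMethod.Get, "api/items/" + id);

        // Server-to-server credential kept in configuration (assumed setting name).
        request.Headers.Authorization = new AuthenticationHeaderValue(
            "Bearer", ConfigurationManager.AppSettings["RemoteApiToken"]);

        // Tell the remote API which authenticated user the call is made for.
        request.Headers.Add("X-End-User", User.Identity.Name);

        using (var response = await Remote.SendAsync(request))
        {
            // Do not relay remote error details to the browser.
            if (!response.IsSuccessStatusCode)
                return StatusCode(HttpStatusCode.BadGateway);

            string body = await response.Content.ReadAsStringAsync();
            return ResponseMessage(new HttpResponseMessage(HttpStatusCode.OK)
            {
                Content = new StringContent(body, Encoding.UTF8, "application/json")
            });
        }
    }
}
```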

Two questions regarding WCF REST service structure

I have two questions I hope I can get an answer for with regard to my service oriented application.
I am creating a service oriented application where controls have no events, it's all done by calling services... that means the service url is written in my jQuery code, but this seems somehow not nice.... It's like what is the best option to save service urls?! I feel it's hard to maintain and not secure when it's written inside the page or inside javascript referenced file.
I am talking to a hosting company and they told me that I can host this application's services on a cloud server and the application on other servers.... not all in the same server, but my application services are self hosted, I mean the services are inside the application.... so to make things work as my hosting company wants, shall I host the restful services in IIS or how exactly?
Service URL must be in your page or script source file. It can be a local address unless you are using cross domain calls and JSONP - cross domain calls require an absolute address. It is the same as any other web technology. If you want navigation to other page, you must provide URL. If you want some picture or css file you must provide URL. Security is up to you.
This will be the problem of cross domain calls. Normally JS calls can be done only to the same domain where the page is exposed. Once the application server is exposed on different domain name your calls will not work. To avoid that you must use JSONP (WCF 4 has support for that). Exposing rest services consumed by your application from self hosted application is strange. REST services are consumed by your clients - they are front-end services and should be part of your application hosted on front-end web server. Your back-end application server should not host anything directly accessible by your clients.