I've got a WCF service hosted on Windows Azure and a Windows 8 app that currently consumes data from the rest based WCF service.
The service is hosted at abc.cloudapp.net and although currently anybody can access it, I'd like to limit access to users of my app only.
I can't ask users to enter a username and password and I also can't store encryption data in the app as I can't be sure that my Windows 8 App will be obfuscated.
SSL seems to be the only way to go - however the setup of the SSL certificate requires a CSR which I don't believe can be applied to a service hosted on azure.
I'm looking for a step by step guide to securing communication between the app and the service as well as preventing unauthorised access.
Thanks!
A REST service works with the HTTP standards. SSL is the default mechanism to ensure data is transferred securely. Authentication is an implementation question.
Two links to help you with development:
SSL on Azure
REST based authentication
Regards.
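As an added illustration of the two points in the answer above (transport security plus an application-level authentication scheme), here is a WCF REST service that only listens on HTTPS and authenticates every call with a per-installation bearer token the service itself issued at first run. This is example code, not code from the original post: the host name abc.cloudapp.net comes from the question, while the Register operation and the in-memory token store (standing in for Azure Table Storage or SQL Azure) are hypothetical. The token identifies an installation, not the app binary, so anyone who extracts it from a device can call the service; this limits access without requiring a user password or a secret baked into the package, and tokens can be revoked or rate-limited server side.

```csharp
// Added example (not from the original post): HTTPS-only WCF REST service with a
// per-installation bearer token issued by the service at first run.
// Hypothetical: the Register operation and the in-memory TokenStore.
using System;
using System.Collections.Concurrent;
using System.Collections.ObjectModel;
using System.Net;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Web;

[ServiceContract]
public interface IDataService
{
    // First-run registration: returns a random token bound to this install.
    [OperationContract, WebInvoke(Method = "POST", UriTemplate = "register")]
    string Register();

    // Protected operation: requires "Authorization: Bearer <token>".
    [OperationContract, WebGet(UriTemplate = "data")]
    string GetData();
}

public static class TokenStore
{
    // Constructed stand-in for a durable store; tokens are random, not derived
    // from anything shipped inside the app package.
    static readonly ConcurrentDictionary<string, DateTime> Tokens =
        new ConcurrentDictionary<string, DateTime>();

    public static string Issue()
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        Tokens[token] = DateTime.UtcNow;
        return token;
    }

    public static bool IsValid(string token)
    {
        return !string.IsNullOrEmpty(token) && Tokens.ContainsKey(token);
    }
}

public class DataService : IDataService
{
    public string Register() { return TokenStore.Issue(); }
    public string GetData() { return "data for a registered installation"; }
}

// Dispatch-side inspector: rejects every call except /register that lacks a valid token.
public class BearerTokenInspector : IDispatchMessageInspector, IServiceBehavior
{
    public object AfterReceiveRequest(ref Message request, IClientChannel channel,
                                      InstanceContext instanceContext)
    {
        if (request.Properties.Via.AbsolutePath.EndsWith("/register", StringComparison.OrdinalIgnoreCase))
            return null; // the only anonymous operation

        var http = (HttpRequestMessageProperty)request.Properties[HttpRequestMessageProperty.Name];
        string auth = http.Headers["Authorization"];
        const string scheme = "Bearer ";
        if (auth == null || !auth.StartsWith(scheme) || !TokenStore.IsValid(auth.Substring(scheme.Length)))
            throw new WebFaultException(HttpStatusCode.Unauthorized);
        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }

    // IServiceBehavior plumbing: attach this inspector to every endpoint dispatcher.
    public void ApplyDispatchBehavior(ServiceDescription desc, ServiceHostBase host)
    {
        foreach (var dispatcherBase in host.ChannelDispatchers)
        {
            var cd = dispatcherBase as ChannelDispatcher;
            if (cd == null) continue;
            foreach (EndpointDispatcher ed in cd.Endpoints)
                ed.DispatchRuntime.MessageInspectors.Add(this);
        }
    }
    public void AddBindingParameters(ServiceDescription desc, ServiceHostBase host,
        Collection<ServiceEndpoint> endpoints, BindingParameterCollection parameters) { }
    public void Validate(ServiceDescription desc, ServiceHostBase host) { }
}

public static class Program
{
    public static void Main()
    {
        // WebHttpSecurityMode.Transport = HTTPS only; no plain HTTP endpoint exists.
        var binding = new WebHttpBinding(WebHttpSecurityMode.Transport);
        var host = new WebServiceHost(typeof(DataService), new Uri("https://abc.cloudapp.net/"));
        host.AddServiceEndpoint(typeof(IDataService), binding, "");
        host.Description.Behaviors.Add(new BearerTokenInspector());
        host.Open();
        Console.WriteLine("Listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

The app calls POST /register once over HTTPS, stores the returned token in its local app data, and sends it as a Bearer header on every later request; the certificate for the HTTPS endpoint is bound to the role's port in the Azure service definition, which is where the CSR concern in the question is handled rather than in the service code.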
I have several web services that I want to make available to clients. My clients are split into two groups:
users using a web browser (I serve a web page that uses javascript + AJAX to request data from the web services)
applications (e.g. server app pulling data into a client's system)
1) I can solve the former by exposing my web services to external users using the application server and I can use the identity server to authenticate access (haven't worked how to do this out yet).
2) The latter is nicely satisfied by using the API manager. I can happily tell clients to log in to the API manager and subscribe to APIs. The APIs I create are proxies for the web services mentioned in 1).
I know that an API I create in the API manager can include a username and password for accessing the proxied web service. Is it possible to let an API proxy a web service that is authenticated using the identity manager? Sorry I'm reading documentation and struggling to understand if I can do this. Thanks
"Is it possible to let an API proxy a web service that is authenticated using the identity manager?"
Currently APIManager supports the service endpoints which are secured using basicauth/usernametoken.
If you use Identity Server to secure your service using any other mechanism, that won't be supported by APIManager.
Stodge,
The default API Manager authentication mechanism is OAuth. It uses the OAuth token mechanism to authenticate all APIs.
Please refer [1],
Here the authentication component also sits in the AM. This can be delegated to a different AM instance if required.
Hope this helps.
[1] http://docs.wso2.org/wiki/display/AM140/Token+APIs
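To make the OAuth token mechanism described in the answer concrete, here is an added client-side example (not code from the original post or from WSO2) of the exchange a calling application performs: it authenticates to the API Manager token endpoint with its consumer key and secret, exchanges the end user's credentials for an access token, and then calls the published API with that token as a Bearer header. The gateway host apim.example.com, the API context /orders/1.0.0 and the consumer key and secret are assumed values; the /token endpoint and the password grant are the ones the Token APIs page referenced as [1] describes.

```csharp
// Added example (not from the original post or WSO2): OAuth token request against
// the API Manager token endpoint, then a Bearer-authenticated API call.
// Hypothetical values: gateway host, API context, consumer key/secret.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.RegularExpressions;
using System.Threading.Tasks;

public static class ApimClient
{
    const string Gateway = "https://apim.example.com:8243"; // hypothetical gateway

    // Password grant: the application identifies itself with consumer key/secret
    // (HTTP Basic) and presents the end user's credentials in the form body.
    public static async Task<string> GetAccessTokenAsync(string consumerKey, string consumerSecret,
                                                         string username, string password)
    {
        using (var http = new HttpClient())
        {
            string basic = Convert.ToBase64String(Encoding.UTF8.GetBytes(consumerKey + ":" + consumerSecret));
            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", basic);
            var form = new FormUrlEncodedContent(new Dictionary<string, string> {
                { "grant_type", "password" }, { "username", username }, { "password", password } });
            HttpResponseMessage resp = await http.PostAsync(Gateway + "/token", form);
            resp.EnsureSuccessStatusCode();
            return ExtractAccessToken(await resp.Content.ReadAsStringAsync());
        }
    }

    // Minimal extraction of "access_token" from the JSON reply, avoiding a JSON library dependency.
    public static string ExtractAccessToken(string json)
    {
        Match m = Regex.Match(json, "\"access_token\"\\s*:\\s*\"([^\"]+)\"");
        return m.Success ? m.Groups[1].Value : null;
    }

    // The gateway validates the Bearer token; the back-end service behind it only
    // ever sees the endpoint credentials configured on the API (basic auth / UsernameToken).
    public static async Task<string> CallApiAsync(string accessToken)
    {
        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            HttpResponseMessage resp = await http.GetAsync(Gateway + "/orders/1.0.0/");
            resp.EnsureSuccessStatusCode();
            return await resp.Content.ReadAsStringAsync();
        }
    }

    public static void Main()
    {
        // Constructed sample values; real ones come from the application's subscription in the API Store.
        string token = GetAccessTokenAsync("CONSUMER_KEY_PLACEHOLDER", "CONSUMER_SECRET_PLACEHOLDER",
                                           "alice", "alice-password").Result;
        Console.WriteLine(CallApiAsync(token).Result);
    }
}
```

The token is short-lived and can be refreshed or revoked at the gateway, which is what lets the API Manager front a back end that itself only understands basic auth or a UsernameToken, as the earlier answer states.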
I need to find out what's the best way of securing a WCF web service I'm writing. The service will be hosted internally and will perform checks against Active Directory and a third party database.
The service will be called by a public-facing webpage on a different server (a sign up page) and nothing else will be able to access it (due to firewall rules). The web page will NOT require credentials to access it.
The service will take a username and another field and check to see if they're an existing AD user. If they are, it will check to see if they have a personal (non-work) email address in the third-party database. If not, it will ask them to specify one.
Website <-> Service <-> AD/Database.
If these firewall rules are in place, do I need to go about securing the service?
These codeplex application scenarios might help you configure what you're trying to achieve:
Internet – Web to Remote WCF Using Transport Security (Trusted Subsystem)
Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
This guide is well put together, definitely something to look into; it covers all situations, including yours.
http://wcfsecurityguide.codeplex.com/releases/view/15892
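The "Web to Remote WCF Using Transport Security (Trusted Subsystem)" scenario the answer points to has a simple shape: the sign-up web site calls the service as one fixed service account, the channel uses transport security with Windows credentials, and the service admits only that account. Below is an added example of that shape (not code from the original post or from the CodePlex guide) which shows why the firewall rule need not be the only control: a caller that reaches the port from the web server but runs under a different identity is still rejected and logged. The service account CORP\svc-signup and the address net.tcp://signup-svc:8081/Lookup are hypothetical.

```csharp
// Added example (not from the original post or the CodePlex guide): trusted-subsystem
// WCF service; netTcp transport security + Windows credentials, and a
// ServiceAuthorizationManager that admits only the web site's service account.
// Hypothetical: account CORP\svc-signup and the net.tcp address.
using System;
using System.Net.Security;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface ISignupLookup
{
    // The web page only learns yes/no; it never touches AD or the third-party database itself.
    [OperationContract]
    bool IsExistingUser(string username, string secondField);
}

public class SignupLookup : ISignupLookup
{
    public bool IsExistingUser(string username, string secondField)
    {
        // Placeholder for the AD and third-party database checks described in the question.
        return false;
    }
}

// Defence in depth behind the firewall rule: whoever can reach the port, only the
// expected Windows account is authorised to invoke operations.
public class TrustedCallerAuthorization : ServiceAuthorizationManager
{
    readonly string allowedAccount;
    public TrustedCallerAuthorization(string allowedAccount) { this.allowedAccount = allowedAccount; }

    protected override bool CheckAccessCore(OperationContext ctx)
    {
        IIdentity caller = ctx.ServiceSecurityContext == null ? null
                                                              : ctx.ServiceSecurityContext.PrimaryIdentity;
        bool ok = caller != null && caller.IsAuthenticated
                  && string.Equals(caller.Name, allowedAccount, StringComparison.OrdinalIgnoreCase);
        if (!ok)
            Console.WriteLine("Rejected caller: " + (caller == null ? "<anonymous>" : caller.Name));
        return ok;
    }
}

public static class Program
{
    public static void Main()
    {
        // Transport security: Windows (Kerberos/NTLM) authentication, signed and encrypted channel.
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;

        var host = new ServiceHost(typeof(SignupLookup), new Uri("net.tcp://signup-svc:8081/Lookup"));
        host.AddServiceEndpoint(typeof(ISignupLookup), binding, "");
        host.Authorization.ServiceAuthorizationManager = new TrustedCallerAuthorization(@"CORP\svc-signup");
        host.Open();
        Console.WriteLine("Listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

The web application pool on the other server runs as CORP\svc-signup, so the call carries that identity without any credentials in the page or its configuration; if the site is ever moved or compromised, the allow-list and the rejection log are the two things you will be glad to have.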
I have a separate layer with WCF services.
And I have a SharePoint website.
The aim is to allow login for mobile devices to the WCF layer and at the same time to the SharePoint website.
SharePoint will be used like a secured database.
I need somehow to check the user when he logs in to the WCF layer, and the hard part is to authenticate him in the SharePoint website.
I need any help because I really don't know a lot about this topic. Will appreciate any answers.
Your WCF service will not connect to the web pages of the SharePoint site; it will connect to SharePoint's web services.
Mobile devices are limited in the authentication they support. Windows authentication may not be supported. So basicHttpBinding using basic authentication over SSL is probably the best option. Send the username and password as part of the call; then you can use this username and password in the web service call to the SharePoint web services.
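The following added example (not code from the original post) shows the arrangement the answer describes: a basicHttpBinding endpoint that requires HTTPS plus HTTP Basic credentials, and a service operation that reuses the caller's credentials for a SharePoint web service call. Because the service handles the user's password, Transport security is the non-negotiable part of the design; Basic credentials over plain HTTP would expose every mobile user's password. The SharePoint site https://sp.example.local, the gateway address https://mobile-gw.example.local/Gateway and the choice of the Lists.asmx GetListCollection call are assumptions.

```csharp
// Added example (not from the original post): HTTPS + Basic endpoint whose operation
// forwards the caller's credentials to a SharePoint web service (Lists.asmx).
// Hypothetical: SharePoint site URL and gateway address.
using System;
using System.IO;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Text;

[ServiceContract]
public interface IMobileGateway
{
    [OperationContract]
    string GetListNames();
}

public class MobileGateway : IMobileGateway
{
    const string SharePointSite = "https://sp.example.local"; // hypothetical

    public string GetListNames()
    {
        // The HTTP transport has already validated the Basic credentials over TLS; the
        // Authorization header is still on the request, so it can be reused for SharePoint.
        var http = (HttpRequestMessageProperty)OperationContext.Current
                       .IncomingMessageProperties[HttpRequestMessageProperty.Name];
        NetworkCredential caller = BasicCredentialFromHeader(http.Headers["Authorization"]);
        if (caller == null) throw new FaultException("Basic credentials required");
        return CallGetListCollection(caller);
    }

    // Parses "Basic base64(user:password)"; returns null for any other scheme or a malformed value.
    public static NetworkCredential BasicCredentialFromHeader(string authorization)
    {
        const string scheme = "Basic ";
        if (authorization == null || !authorization.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return null;
        string pair;
        try { pair = Encoding.UTF8.GetString(Convert.FromBase64String(authorization.Substring(scheme.Length))); }
        catch (FormatException) { return null; }
        int colon = pair.IndexOf(':');
        if (colon < 0) return null;
        return new NetworkCredential(pair.Substring(0, colon), pair.Substring(colon + 1));
    }

    // SOAP call to Lists.GetListCollection, authenticated as the mobile user.
    static string CallGetListCollection(NetworkCredential cred)
    {
        const string envelope =
            "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body>" +
            "<GetListCollection xmlns=\"http://schemas.microsoft.com/sharepoint/soap/\" />" +
            "</soap:Body></soap:Envelope>";
        var req = (HttpWebRequest)WebRequest.Create(SharePointSite + "/_vti_bin/Lists.asmx");
        req.Method = "POST";
        req.ContentType = "text/xml; charset=utf-8";
        req.Headers["SOAPAction"] = "\"http://schemas.microsoft.com/sharepoint/soap/GetListCollection\"";
        req.Credentials = cred;
        byte[] body = Encoding.UTF8.GetBytes(envelope);
        using (Stream s = req.GetRequestStream()) s.Write(body, 0, body.Length);
        using (var resp = (HttpWebResponse)req.GetResponse())
        using (var reader = new StreamReader(resp.GetResponseStream()))
            return reader.ReadToEnd();
    }
}

public static class Program
{
    public static void Main()
    {
        // Transport (HTTPS) security with HTTP Basic client credentials, as the answer suggests.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
        var host = new ServiceHost(typeof(MobileGateway), new Uri("https://mobile-gw.example.local/Gateway"));
        host.AddServiceEndpoint(typeof(IMobileGateway), binding, "");
        host.Open();
        Console.WriteLine("Listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

Credentials are used for the single outbound call and never persisted; since the WCF layer sees the password in clear, keep it out of logs and traces, and let SharePoint, not the gateway, be the authority on whether the login is valid.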
How does authentication in general (mutual authentication as a special case) work in MSDTC, and how do I configure mutual authentication on MSDTC?
I have a custom application (an archival solution), a Windows service which at a configured time fetches data from an online database and dumps it to a back-end archival database (ideally the online and back-end DBs are located on different machines).
I am using TransactionScope and have configured DTC on the client and host machine with no authentication, and it's working fine. However, our client requires us not to use the no-authentication mode and to put some authentication on MSDTC. I've decided to use mutual authentication, though I am not very sure how it works and how to configure it. Any help would be appreciated.
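The three Component Services options (No Authentication Required, Incoming Caller Authentication Required, Mutual Authentication Required) are stored as DWORD values under HKLM\SOFTWARE\Microsoft\MSDTC\Security, and a distributed transaction only commits if both the client and the archival host are configured compatibly. The following added example (not from the original post) is a small audit you can run on each machine before opening a TransactionScope: it reads the documented MSDTC security values and reports which option is in effect. The value names and their mapping to the three options follow Microsoft's documentation for the MSDTC Security key; the enum and output format are my own.

```csharp
// Added example (not from the original post): reads MSDTC security settings from the
// registry and classifies the RPC authentication level in effect on this machine.
// Registry value names: documented MSDTC settings under HKLM\SOFTWARE\Microsoft\MSDTC\Security.
using System;
using Microsoft.Win32;

public static class DtcSecurityAudit
{
    const string KeyPath = @"SOFTWARE\Microsoft\MSDTC\Security";

    public enum AuthLevel { Unknown, NoAuthentication, IncomingCaller, Mutual }

    static int Dword(RegistryKey key, string name)
    {
        object v = key.GetValue(name);
        return v is int ? (int)v : 0;
    }

    // Pure mapping of the three RPC-security flags to the Component Services option:
    //   Mutual Authentication Required  : AllowOnlySecureRpcCalls=1, FallbackToUnsecureRPCIfNecessary=0, TurnOffRpcSecurity=0
    //   Incoming Caller Authentication  : AllowOnlySecureRpcCalls=0, FallbackToUnsecureRPCIfNecessary=1, TurnOffRpcSecurity=0
    //   No Authentication Required      : AllowOnlySecureRpcCalls=0, FallbackToUnsecureRPCIfNecessary=0, TurnOffRpcSecurity=1
    public static AuthLevel Classify(int allowOnlySecureRpc, int fallbackToUnsecure, int turnOffRpcSecurity)
    {
        if (turnOffRpcSecurity == 1) return AuthLevel.NoAuthentication;
        if (allowOnlySecureRpc == 1 && fallbackToUnsecure == 0) return AuthLevel.Mutual;
        if (allowOnlySecureRpc == 0 && fallbackToUnsecure == 1) return AuthLevel.IncomingCaller;
        return AuthLevel.Unknown;
    }

    public static AuthLevel Read()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(KeyPath))
        {
            if (key == null) return AuthLevel.Unknown;
            Console.WriteLine("Network DTC access: {0}, network transactions: {1} (inbound {2}, outbound {3})",
                Dword(key, "NetworkDtcAccess") == 1,
                Dword(key, "NetworkDtcAccessTransactions") == 1,
                Dword(key, "NetworkDtcAccessInbound"),
                Dword(key, "NetworkDtcAccessOutbound"));
            return Classify(Dword(key, "AllowOnlySecureRpcCalls"),
                            Dword(key, "FallbackToUnsecureRPCIfNecessary"),
                            Dword(key, "TurnOffRpcSecurity"));
        }
    }

    public static void Main()
    {
        AuthLevel level = Read();
        Console.WriteLine("MSDTC RPC authentication: " + level);
        if (level != AuthLevel.Mutual)
            Console.WriteLine("Not 'Mutual Authentication Required'; set it on both the client and the host.");
    }
}
```

Mutual authentication means each DTC proves its identity to the other over authenticated RPC (Kerberos or NTLM), so both machines must be members of the same domain or of trusting domains; with the client at Mutual and the host still at No Authentication the transaction will fail to enlist, which is why the audit is worth running on both sides. On Windows Server 2012 and later the same settings are exposed by the MsDtc PowerShell module (Get-DtcNetworkSetting and Set-DtcNetworkSetting with -AuthenticationLevel Mutual), and on any version through Component Services under Distributed Transaction Coordinator, Local DTC, Security.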
We are developing an app that consists of a web server that hosts a web service (amongst other things) and a client that will be communicating with that web service. Both the client app and the server are expected to be used within a corporate firewall. This application will be packaged up and deployed to organizations across the world—so it needs to be flexible enough to work in multiple types of environments.
My question revolves around web service authentication and what is appropriate for real world scenarios. I know some companies have proxy servers that require a separate authentication. How often is this a requirement across organizations? When does the proxy server force the user to authenticate (can you access internal sites without authenticating? Is the authentication only for external sites)?
Reason I ask these questions, is I’m not sure what kind of capability we should build into our client application for authentication to the web service. By default, we are taking the current user credentials and passing that up to the server. Do you think this is sufficient? In a case where a company will require some form of alternate authentication for internal access, this will not work. My question revolves around this last case—how often does it happen? Why would a company force alternate credentials for internal access?
Thanks!
Why not make it configurable? Further, use WCF and you have the ability to configure just about anything you might need, in most cases without changing your code.
If Internet Explorer can reach a site through the proxy server without prompting the user, your call to the web service should "just work". If the user is prompted by IE, you'll need to put together a way to fill in the proxy server authentication information.
I've run into quite a few problems getting web services rock solid, but never had a proxy server authentication issue.
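As an added example of the "make it configurable" advice (not code from the original post), here is a WCF client factory whose proxy and service credentials are selected by configuration. The default mode matches the answer's description of the common case: the current user's Windows credentials go to both the system proxy (so the call works wherever Internet Explorer does) and the service; the two "explicit" modes cover organisations that require separate proxy or service credentials. The appSettings keys and the service address https://app.example.com/Service.svc are hypothetical.

```csharp
// Added example (not from the original post): configurable proxy and service
// authentication for a WCF client. Hypothetical: appSettings keys, service URL.
using System;
using System.Configuration;
using System.Net;
using System.ServiceModel;

[ServiceContract]
public interface IAppService
{
    [OperationContract]
    string Ping();
}

public static class ClientFactory
{
    static string Setting(string key, string fallback)
    {
        string v = ConfigurationManager.AppSettings[key];
        return string.IsNullOrEmpty(v) ? fallback : v;
    }

    public static ChannelFactory<IAppService> Create()
    {
        // Service side: HTTPS with Windows client credentials.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        binding.UseDefaultWebProxy = true; // use the system (IE) proxy settings

        // Proxy side: by default send the current user's credentials, which is what lets
        // IE reach the site without prompting; "explicit" handles a proxy that needs its own.
        IWebProxy proxy = WebRequest.DefaultWebProxy;
        if (Setting("ProxyAuth", "default") == "explicit")
        {
            proxy.Credentials = new NetworkCredential(
                Setting("ProxyUser", ""), Setting("ProxyPassword", ""), Setting("ProxyDomain", ""));
        }
        else
        {
            proxy.Credentials = CredentialCache.DefaultCredentials;
        }
        WebRequest.DefaultWebProxy = proxy;

        var factory = new ChannelFactory<IAppService>(binding,
            new EndpointAddress(Setting("ServiceUrl", "https://app.example.com/Service.svc")));

        // Service credentials: the process identity unless the deployment needs an alternate account.
        if (Setting("ServiceAuth", "default") == "explicit")
        {
            factory.Credentials.Windows.ClientCredential = new NetworkCredential(
                Setting("ServiceUser", ""), Setting("ServicePassword", ""), Setting("ServiceDomain", ""));
        }
        return factory;
    }

    public static void Main()
    {
        using (ChannelFactory<IAppService> factory = Create())
        {
            IAppService svc = factory.CreateChannel();
            Console.WriteLine(svc.Ping());
        }
    }
}
```

If the explicit modes are ever used, keep the passwords out of plain-text configuration: the appSettings section can be encrypted with the DPAPI provider (aspnet_regiis -pef), or the credentials read from the Windows Credential Manager, so that only the account running the client can recover them.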