Forum

Search Home

1
2
3
4
5

Home

Premium

Development

securing a web service

2/20/2015 11:04 AM

Stephen

Joined: 7/29/2012

Posts: 403

securing a web service

Hi

Can anyone please advise me on the best way (or easiest way perhaps :-) to secure a web service for use from a DNN module?

I use a web service (.asmx) in a module I'm developing based on System.Web.Services.WebService.

I did find some articles here:
http://www.dnnsoftware.com/wiki/page/web-services

But I'm not sure how current these methods are.

Best Regards,

Steve

2/21/2015 4:22 AM

Scott Wilkinson

Joined: 5/17/2013

Posts: 118

Re: securing a web service

Steve,

Asmx webservices are a bit of a legacy approach. I'm not aware of any good explanations of best practice for securing them for DNN. When I built asmx services in the past, I would pass username/password or an encrypted application token in the SOAP header and build the encrypt/decrypt in a common library for my service and client code. If you can use SSL between your service and client, you may not need to encrypt the security information. Another approach is you could create an authenticate service as part of your asmx like this person suggests.

If you are using DNN7, I would suggest building your services as DNN WebAPI framework services because the security part for DNN is already built in. I covered this topic pretty well in this video: Client Centric Module Development Part 2. Although the rest of that tutorial is on calling these services from ajax, you could call them from your code behind too.

2/22/2015 4:33 AM

Stephen

Joined: 7/29/2012

Posts: 403

Re: securing a web service

Hi Scott,

Thank you for your reply. I was considering a GUID which i could include encrypt/decrypt, but i will take a look at your videos on the DNN API first.

Steve

2/22/2015 7:37 AM

Stephen

Joined: 7/29/2012

Posts: 403

Re: securing a web service

Hello Scott,

Thank you for reply.

I will try the DNN WebAPI approach. I'm using Ajax to make the calls so that should be perfect. I might come back here if i get stuck :-)

Thank you once again.

Best Regards,

Steve

2/24/2015 9:26 AM

Stephen

Joined: 7/29/2012

Posts: 403

Re: securing a web service

Hi Scott,

I've changed my code to use the DNN Web Api, incorporating the security features mentioned in your client centric module development videos.

But on this page: http://www.dnnsoftware.com/wiki/page/services-framework-security

It says to use 'serviceFramework.getAntiForgeryProperty' on the data parameter of the Ajax call to include the anti-forgery token, there's an example:

data: serviceFramework.getAntiForgeryProperty({ NotificationId: action.NotificationId }),

Your example uses knockout to create the data, as i'm not familiar with knockout i can't see what's going on there.

So I tried using a variable which contains my JSON as follows:

data: serviceFramework.getAntiForgeryProperty(myjsonvariable),

But this doesn't work. i.e. the server side function isn't reached, no error was generated either.

So how should i wrap my JSON, which works without the call to getAntiForgeryProperty but doesn't work with it?

Also, finally, how can I best test that security is working? Use Fiddler to intercept the call and change the token, and ensure the call fails? I haven't used fiddler much, but before i invest a load of time on it, does that sound a reasonable approach?

Best Regards,

Steve

Page 1 of 2

1

securing a web service