Awaneesh Pandey

Hi,

I'm developing an SCSF-based smart client application using SOA architecture. Now I need to make my web service access secure when invoked from any of the client machines.

In order to do this, I want to put my web service over SSL, but I'm not aware of the implications after its implementation & how secure it is to put a web service over SSL for a Windows-based application.

Now, I would like to know what its drawbacks are, if any, & how to use it over a Windows-based application.

Thanks,

-AP




Re: ASMX Web Services and XML Serialization How to execute an ASP.net web service over SSL for consuming in a windows client application?

Evan H

As far as security is concerned, just be sure to realize that SSL only secures the transport of information between the client and webservice. That being said, encrypting the traffic over SSL is a Good Idea.

There are a couple of ways to accomplish this. From the perspective of a developer, you can get the SSL certificate installed in IIS and change the URLs of the clients to point to the new secure URL (https://olduser/service.asmx). Be aware that if the domain name of the certificate does not match the URL the client uses to connect (or if you let the certificate expire), the clients will start throwing exceptions. This makes it advisable to avoid using an IP address as the endpoint for your SSL webservices.

In some environments, that might not be possible. Another alternative, which I have used in the past, is to have the Network Department purchase SSL appliances. If your webservice consumers are grouped in the same physical location (such as a warehouse), you can install an appliance on each end of the WAN link. This gets you the same thing as above, but you don't have to make development changes, and the CPU overhead of processing SSL is offloaded to the appliance.

Pushing webservice traffic over SSL is really a "first step" to security.






Re: ASMX Web Services and XML Serialization How to execute an ASP.net web service over SSL for consuming in a windows client application?

Awaneesh Pandey

Hello Evan,

Thanks for your reply!!!

As you said, it's good to apply security using SSL to a webservice, but I have come across an issue in my findings as far as consuming SSL for a webservice is concerned. The issue is that when you browse to an HTTPS site, you sometimes get a dialog window asking you if you want to trust the certificate provided by the webserver. So the responsibility of accepting the certificate is handled by the user. Let's get back to the webservice scenario: if you want to invoke a webservice located on a webserver which uses SSL and HTTPS, there is a problem. When you make the call from code, there is no dialog window popping up and asking if you trust the certificate (luckily, because this would be pretty ugly in server-side scenarios); probably you'll get the following exception: An unhandled exception of type 'System.Net.WebException' occurred in system.dll

I'm yet to get rid of this issue in a pretty optimized manner. Can you let me know from your experience if you have encountered such issues anywhere in the past while consuming web services over HTTPS?

Also, is there a way to implement a dummy webservice consumption using SSL for testing, which can later on be replaced by purchasing a certificate on hosting the application in production?

Thanks,

Awaneesh






Re: ASMX Web Services and XML Serialization How to execute an ASP.net web service over SSL for consuming in a windows client application?

Evan H

Yes, going against an expired certificate (or one with the wrong name) caused me some grief on a project a while back. There is a workaround however.

You can use the technique described in the following article to get around it.

http://support.microsoft.com/default.aspx?scid=kb;en-us;823177

Regarding the use of test certs during development, take a peek at the following:

http://www.microsoft.com/technet/community/columns/insider/iisi0304.mspx#EFD

Evan
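
A development-only validation callback for the test-certificate case discussed above, which accepts one known self-signed certificate and still rejects a name mismatch or an expired certificate. This is an added example, not code from the thread or the linked articles. It assumes .NET Framework 2.0 or later; the class name DevCertificateTrust and the all-zero thumbprint are placeholders.

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper; call DevCertificateTrust.Install() once at client start-up.
static class DevCertificateTrust
{
    // Constructed placeholder: put the SHA-1 thumbprint of your own test certificate here.
    const string TestCertThumbprint = "0000000000000000000000000000000000000000";

    [Conditional("DEBUG")] // calls are compiled out of release builds
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    static bool Validate(object sender, X509Certificate certificate,
                         X509Chain chain, SslPolicyErrors errors)
    {
        // Trusted chain, matching host name, inside validity period: nothing to decide.
        if (errors == SslPolicyErrors.None)
            return true;

        // Record why validation failed; this is the cause behind the WebException.
        Trace.TraceWarning("Server certificate failed validation: {0}", errors);

        // A name mismatch or a missing certificate is never excused.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors
            || certificate == null || chain == null)
            return false;

        // The only tolerated chain problem is an untrusted (self-signed) root;
        // an expired or revoked certificate is still rejected.
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            if (status.Status != X509ChainStatusFlags.UntrustedRoot)
                return false;
        }

        // Accept only the one known test certificate.
        return string.Equals(certificate.GetCertHashString(), TestCertThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

Once a purchased certificate whose name matches the service URL is installed, validation reports SslPolicyErrors.None and the pinned-certificate branch is never reached.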