Last post Jun 10, 2013 05:37 PM by Illeris
Jun 10, 2013 01:40 PM|sheraz_aries|LINK
Jun 10, 2013 02:26 PM|kushalrdalal|LINK
One more thing you can do is ask them to provide a special licence key and token with each request.
Depending on the token, you can let them access the method or not, instead of finding the domain name.
You can find the host name or IP address of the caller, but sometimes they use a firewall or a third party to host their service, and then it would be a static IP, or in those cases it is very difficult to obtain the domain name easily.
Jun 10, 2013 02:41 PM|sheraz_aries|LINK
Jun 10, 2013 03:02 PM|kushalrdalal|LINK
You can use some kind of encryption and send the key from the client, and at the web service you can use the private key to decrypt it and then authenticate.
Jun 10, 2013 03:09 PM|sheraz_aries|LINK
Jun 10, 2013 03:20 PM|kushalrdalal|LINK
What you do is basically send something like this:
Say you want to send abc; then you send the encrypted value of abc, encrypted by some key, say 123, so the value of abc will become afff999.
Now your web service knows the key is 123, and it will decrypt afff999 with the key 123 and get the decrypted value abc.
Jun 10, 2013 03:27 PM|sheraz_aries|LINK
Jun 10, 2013 04:03 PM|kushalrdalal|LINK
You would pass only 'aff999'. Why do you want to say Encrypted64byte('afff999')?
Your service should know that you are using Encrypted64byte, so it will then decrypt with that encoding.
Jun 10, 2013 04:49 PM|sheraz_aries|LINK
So if I pass ff999, then the same value can be passed by the attacker as well, who can get access to the web method: when the attacker passes the value 'ff999', it would again be decrypted on the server side and would authenticate the service to return records.
Remind you, the above I am quoting is when the call is made from jQuery, as the code is viewable from the HTML view source.
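The replay problem raised in the post above, as an added example that is not part of the thread: a fixed token is accepted every time it is presented, whereas a request signed over a timestamp and a one-time nonce is rejected when it is sent again. The names (`Verifier`, `sign`, `client-42`, the secret) are hypothetical, and the example assumes a server-side caller that keeps its licence key secret; a key embedded in jQuery page source is readable by anyone who views it.

```python
import hashlib
import hmac

# All values below are constructed for this example.
STATIC_TOKEN = "afff999"                       # fixed value, as in the thread
LICENCE_KEYS = {"client-42": b"demo-secret"}   # hypothetical per-client secret
MAX_SKEW = 300                                 # seconds a signed request is valid


def static_check(token):
    """Fixed-token scheme: any copy of the token is accepted forever."""
    return hmac.compare_digest(token.encode(), STATIC_TOKEN.encode())


def sign(secret, method, ts, nonce):
    """Client side: HMAC over the method name, timestamp and one-time nonce."""
    msg = f"{method}|{ts}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Server side: checks the signature, freshness and nonce reuse."""

    def __init__(self, keys, max_skew=MAX_SKEW):
        self.keys = keys
        self.max_skew = max_skew
        self.seen = {}  # (client_id, nonce) -> timestamp of accepted request

    def check(self, client_id, method, ts, nonce, sig, now):
        secret = self.keys.get(client_id)
        if secret is None:
            return "unknown client"
        if abs(now - ts) > self.max_skew:
            return "stale timestamp"
        expected = sign(secret, method, ts, nonce)
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return "bad signature"
        # Forget nonces whose timestamp has aged out; those requests are
        # already rejected as stale, so the cache stays bounded.
        self.seen = {k: t for k, t in self.seen.items()
                     if abs(now - t) <= self.max_skew}
        if (client_id, nonce) in self.seen:
            return "replayed"
        self.seen[(client_id, nonce)] = ts
        return "ok"
```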
Jun 10, 2013 05:26 PM|sukumarraju|LINK
Digital certificates provide a granular level of securing the service, as the client needs to attach the digital certificate with the certificate with the request to be authorised to consume service methods.
Note that even though configuring digital certificates seems to be painful, once it is implemented the process would be a lot easier to secure the service.
Jun 10, 2013 05:37 PM|Illeris|LINK
Why not use IPsec or other technical security methods to prevent unauthorized access?