asp.net - REST or SOAP WCF service on secure internal network NO SSL


I have a problem with a service I am writing.

We have a webapp hosted on an internal secure network.

There is a requirement to provide a service to expose our web app business functionality for a client to consume in order to create a native tablet app.

The mobile device will use a VPN to get onto the network. To access our webapp, the user needs to use a user name and password, i.e. there is no SSL. The username and password are stored in our DB in a custom setup (no ASP membership, etc.).

Now, I have raised the lack of SSL as an issue, but it has been shot down, and those in charge of such matters feel the security needed for an internal network is enough.

I realise this means the app is open to malicious behaviour by any internal user inside the network but outside of the app user group.

So, this raises an issue when it comes to creating a service in WCF. Authentication without SSL appears to be quite fiddly. I did manage to find:

Yaron Naveh's ClearUsernameBinding: http://webservices20.blogspot.co.uk/2008/11/introducing-wcf-clearusernamebinding.html

I felt this would solve my problems until I realised I would have to alter my plans to offer a RESTful service with JSON, and would have to use SOAP.

Still, that was fine until I realised SOAP had bandwidth issues due to the envelope that comes with each packet. This worries me, as the service is getting consumed by a mobile app on 3G, and there are bandwidth limits.

So, without SSL being an option (please don't say otherwise), do you think using SOAP instead of REST here is the better option? Should I be concerned about bandwidth? (Row counts returned will not exceed 200, and may be smaller.) How much of an overhead are we talking?

Is there an option for a WCF REST config that can authenticate without a certificate (using some form of custom authentication)? This would be preferable to me.

The performance comparison between REST and SOAP web services is discussed in detail in "REST vs. SOAP. Has REST better performance?".

You can implement custom authentication in a WCF REST service, without certificates or secure transport. One option is to use a binding similar to the following:

    <bindings>
        <webHttpBinding>
            <binding name="default">
                <security mode="TransportCredentialOnly">
                    <transport clientCredentialType="Windows" proxyCredentialType="Windows"/>
                </security>
            </binding>
        </webHttpBinding>
    </bindings>

http://msdn.microsoft.com/en-us/library/bb924478(v=vs.110).aspx

Including the Microsoft caveat: “This mode does not provide message integrity and confidentiality. It provides HTTP-based client authentication. This mode should be used with caution. It should be used in environments where the transport security is being provided by other means (such as IPsec) and client authentication is provided by the WCF infrastructure.”

The following link provides a comprehensive overview of a custom WCF REST authentication solution: http://www.codeproject.com/articles/304877/wcf-rest-4-0-authorization-with-form-based-authent
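
An added example, not part of the original answer or of Microsoft's documentation: a Python check that lists every `webHttpBinding` in a config file that is not running over HTTPS, so the reliance on the VPN or IPsec layer named in the caveat is visible at review time. The sample config is constructed; only the `default` binding mirrors the answer, and the other binding names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample config: the first binding mirrors the answer above,
# the other three are hypothetical and exist only to exercise the check.
SAMPLE_CONFIG = """
<configuration><system.serviceModel><bindings><webHttpBinding>
  <binding name="default">
    <security mode="TransportCredentialOnly">
      <transport clientCredentialType="Windows" proxyCredentialType="Windows"/>
    </security>
  </binding>
  <binding name="legacyBasic"><security mode="TransportCredentialOnly">
    <transport clientCredentialType="Basic"/></security></binding>
  <binding name="tls"><security mode="Transport"/></binding>
  <binding name="open"/>
</webHttpBinding></bindings></system.serviceModel></configuration>
"""

NOTES = {
    "None": "no client authentication and no transport protection",
    "Basic": "password is only base64-encoded on the wire",
    "other": "client is authenticated, but traffic has no integrity or confidentiality",
}

def audit_webhttp_bindings(config_text):
    """Return (binding name, security mode, credential type, note) for every
    webHttpBinding that does not use mode="Transport" (HTTPS)."""
    findings = []
    root = ET.fromstring(config_text.strip())
    for binding in root.iterfind(".//bindings/webHttpBinding/binding"):
        name = binding.get("name", "")
        security = binding.find("security")
        # WCF defaults: security mode None, transport credential type None.
        mode = security.get("mode", "None") if security is not None else "None"
        if mode == "Transport":
            continue
        transport = security.find("transport") if security is not None else None
        cred = transport.get("clientCredentialType", "None") if transport is not None else "None"
        if mode == "None":
            cred, note = "None", NOTES["None"]
        else:
            note = NOTES.get(cred, NOTES["other"])
        findings.append((name, mode, cred, note))
    return findings

if __name__ == "__main__":
    for finding in audit_webhttp_bindings(SAMPLE_CONFIG):
        print("%-12s mode=%-24s cred=%-8s %s" % finding)
```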

