I have a website written in ASP.NET WebForms, which accesses web services that are written in ASP.NET WebAPI. For security, I closed port 8079 (web services) so that web services could only be accessed via the website, but that it would not be possible to request web services directly from the Internet. When I request a page on a website, through the Fiddler program, I see a request for a website, but I don’t see a request from a website for web services. Everything works well. But now I have made another website written in AngularJS and I want this website to also access my closed web services. Is this possible through AngularJS? Below is the request code for web services via ASP.NET website.
HttpResponseMessage response =
client.GetAsync("http://localhost:8079/api/values/5").Result;
if (response.IsSuccessStatusCode)
{
Task<string> data = response.Content.ReadAsStringAsync();
result += data.Result;
}
As a result, the site(AngularJS) and ASP.Net MVC Web Application should be available on the Internet, and web services (ASP.NET WebAPI) should not be available on the Internet.
Currently, the client accesses the web services directly, but it’s necessary to make the client access the web server and the web server access the web services
Even if you create another ASP.NET app (a kind of 'facade') that handles requests from the client, and invokes web services internally, this alone won't solve the problem:
If the facade accepts requests from any client and just sends them to the web services, it is not different from exposing the web services directly to the internet.
As #Andrei Dragotoniu pointed out, you have to secure your services by only accepting requests from authorized clients.
How to authorize access to web services
A common way of securing access to web services is JSON Web Token (JWT). The token contains encrypted claims that explain the identity (and maybe other aspects) of the client. Typically it works as follows:
A new token is generated on the server upon successful authentication of the client. The authentication can be either manual (a login form), or automatic (for example, with OAuth).
Once the token is generated, it is returned to the client. The client then starts attaching the token as an HTTP header to every request it sends to the web services. On every request, the web services validate the attached token.
This blogpost provides more information and examples of using JWT in C#.
API Gateways
The requirement of limiting access to web services to an internal network is not uncommon. A typical solution here is API Gateway.
(from Wikipedia) Gateway: a server that acts as an API front-end, receives API requests, enforces throttling and security policies, passes requests to the back-end service and then passes the response back to the requester. A gateway often includes a transformation engine to orchestrate and modify the requests and responses on the fly. A gateway can also provide functionality such as collecting analytics data and providing caching. The gateway can provide functionality to support authentication, authorization, security, audit and regulatory compliance.
More on API Gateways in this article. One of the most popular API Gateways is Kong.
Even if you deploy your web service in intranet, you cannot consume the web service from client browser (Angular or JS Applications).
One possible solution could be,
Deploy the web service in intranet web server.
Create a proxy web service in the edge server (they are both intranet & internet facing). Proxy web service should just expose the required methods by obscuring the original web methods.
Consume proxy web service from client-side applications.
Otherwise, client-side applications can never consume the intranet web services.
Optionally, if you create NodeJS, ASP.Net based web applications, it can be deployed on edge web servers that can talk to intranet web services and users (living in the internet) cannot access web services directly.
UPDATE:
Moreover, based on your code above, it looks like you are trying to consume web service from .Net Runtime Managed Code (ASP.Net MVC). Well, in that case, AngularJS will ajax to your controller-action. Then controller, in the edge server, can talk to any intranet web service. AngularJS need not talk to Web Service. It is straight-forward now.
"When I request a page on a website, through the Fiddler program, I see a request for a website, but I don’t see a request from a website for web services"
That statement is true in a very limited context, but the reality is much bigger than that.
The requests from a website to its own API can easily be seen by using browser tools for example ... hit F12 in any browser and look under the Network tab, this is something anyone can do to see what a website ( any website ) is doing.
You need to protect your API somehow. You can use something like OAuth2 or you could do it at server level. You can lock down a server to only accept connections from your website's IP address for example. You can also make it so that the server the API is on is completely locked down. You can lock down the API.
You just need to realize that you do have a security issue if you don't do something. The tech stack you use is irrelevant for this.
I am developing a project in Angular 4.0 and using c#.net web API as back-end.
Problem is, When I am running my application through browser, I am able to see web service call (get/post) through "Postman Interceptor". Which is not good for security. Is there any way to secure my webAPI call so that it will not be visible in "Postmatser" or fiddler like tool?
Is there any way to secure my webAPI call so that it will not be visible in [Postman or Fiddler]?
No. You're issuing requests from the browser. This means they will come from the visitor's pc, and everything that happens there can be intercepted by them.
You don't need obscurity, you need authentication.
In my project I have created an application in windows using C#.
In the application I want to connect to my web server (or domain) and send a request to it,
and then in my web server I want to create a page or a web application to answer the request !
For example I want to send a request like 'Name?' from my windows application,
then I should be able to get the request text in my web server (www.mydomain.com) and answer properly. (e.g. 'jack').
How should I do this !?
should I use chat server? (if so, isn't there any easiest way?)
Any other Idea?
Thanks in advanced.
I would recommend taking a look at the .net WebRequest class.
http://msdn.microsoft.com/en-us/library/system.net.webrequest.aspx
You should take a look at web service, I think that is what you want. Here is code project link http://www.codeproject.com/Articles/16325/NET-Web-Services-Concepts. And you should also take a look at WCF, that would also help you.
In my web service, how can I check the URL of the web site from where the web service call originated please? Thank you.
In your scenario I think you have a web application hosted in IIS and that web application is consuming asmx web services and you need to get the name of the page which called the service in the service implementation.
The ASMX webservices are not limited to access from the web sites. They can be accessed from the desktop applications as well which don't have webpage url. So in this context we expect to get the web page URL as is inside the web service implementation. You may get the IP address of the caller machine. But seems that is not enough.
So only way is to pass the name of the webpage from the calling code via parameter or http header.
I believe what you're asking is for the requesting URL of the Web service called.
webpage.aspx -- (calls ) --> MyWebService.asmx.
the referrer is webpage.aspx
Try using Context.Request.UrlReferrer from the webservice.
how can we use fiddler to check traffic of a web service(xml) between two web sites?
http://www.fiddler2.com/fiddler2/
i have created two subdomains for my web site.
for example my web site is like this :
www.site.com
and those subdomains are like below :
www.sub1.site.com
www.sub2.site.com
these sites are on a web server (vps) and i am waching them with my local system(fiddler has been installed on my local system).
www.sub1.site.com is calling the www.sub2.site.com web service.
is it possible to capture this web service data with breakpoint like http and other stuff?
i checked fiddler many many times, but could n't find how?
if not what is the XML tab in Fiddler?
really appreciate for answer and help
You can't use Fiddler2 for this. Fiddler2 is a web proxy that routes your browser requests through a proxy running on your own machine. So it only works if the "client" that is making the HTTP request is local. Your browser may, for example, initiate an HTTP request to www.sub1.site.com, but the call from www.sub1.site.com to www.sub2.site.com isn't one that will route through Fiddler2. Think of Fiddler2 as sitting between your browser and whatever site the browser is trying to reach.
If you have access to install Fiddler2 on the server (sub1), you might consider http://www.fiddler2.com/fiddler/help/reverseproxy.asp for some more complex scenarios. But then, if you have access to the server, there are other ways to monitor that may be better options (log files, as an example).