Iam writing a Phone App where the end user should be able to access their own personal messages and other personal content.
Does anyone have some good ideas of how to create a service like this, should i use Soap or Rest, should i simply send the username/password with every request or ?
What would be the best choice for a service i would like to access from all three platforms and that only returns information specific to the authenticate user.
As a suggested alternative to WCF that's at least worth taking a look at, ServiceStack, an open source REST Web Services Framework, is well suited for use in a mobile app and it supports the Mono platforms. It also has built-in support for user authentication. At the very least, it offers a JSON serializer that performs very well.
There's a Wiki for ServiceStack here.
I don't know what the support is like for MonoTouch / MonoDroid, but WCF supports secure services without adding username/password to every request manually (it actually does, but it includes it in the headers).
See this blog post for a great starting point for using WPF Custom Username/Password Validator: http://blogs.msdn.com/b/pedram/archive/2007/10/05/wcf-authentication-custom-username-and-password-validator.aspx
Related
My Google-foo is failing me here... most likely a terminology thing.
Basically, I'm making a desktop (and likely mobile) application that connects to a REST API that returns JSON. I've created a C# class library that handles the the data querying in my local project however this would expose my API key if I were to publish it.
I would like to know what are the appropriate options for simply running a small service in Azure that takes a web request, queries the API and passes the JSON response back. Something lightweight, decently scalable.
Is this something a web role or worker role is good for? Is this something I really should learn Node.js for?
I asked a similar question a few years back: Keeping a secret key secret with Amazon Web Services
One reasonable solution is to build a simple service that returns the headers and url to use when communicating with the authenticated service. Your API key remains secret because it only lives in your service, but the clients can leverage the API key by getting the encrypted request from your service and then making the request for the actual work.
I haven't personally looked into the Azure API App Service, but a brief browse of the main website suggests that it, too, may be relevant to your interests. :)
Check out Azure Mobile Apps. Azure Mobile Apps is a "backend as a service" platform. With Mobile Apps you can easily store information into a SQL Database and expose custom API methods. It is a great place to start and has SDKs for connecting iOS, Andriod, Xamarin, and HTML apps.
As for security, the Mobile service has options to protect the data from allow anonymous access to requiring each user to authenticate.
I'm developing WCF Rest JSON service for Android and IOS Mobile apps. I need to provide some security to this..I gone through many Articles but most of them using Certificates.. Could anyone suggest which is the best and built in way to secure the service..
I would recommend the use of OAuth (Since you are on multiple mobile platforms).
It does not use user/password authentication, you instead include OAuth inside the HTTP header.
Here is documentation and sample implementations;
http://blogs.msdn.com/b/odatateam/archive/2011/01/20/oauth-2-0-and-odata-protecting-an-odata-service-using-oauth-2-0.aspx
http://www.codeproject.com/Tips/372422/Secure-WCF-RESTful-service-using-OAUTH
http://www.codeproject.com/Tips/817102/Consuming-OAUTH-Enabled-Restful-WCF-Service-using
I am developing an android application to accommodate some desktop software that I created. I would like for the user of the mobile app to have to verify their identity through authentication. Basically the web service will have to act as a central hub to both authenticate and hold information that the android app will need. The way I think it should work is to
-Set up a central web service
-Allow user to create account from desktop client using email/password
-The desktop client will send the information to the webservice that the android app will need.
-when android app is authenticated it will then retrieve the data it needs that was posted from the client.
So basically the service will need to be able to send and receive data.
I will only be using .net (either C# or vb.net ) for the service, so this leads me to a couple of questions:
Should I be using WCF for this? If so should I create a WCF Service library or WCF Service application?
Should I be using the Sign Sign on service approach?
The web service doesn't need to be fancy it just needs to get the job done. Is their any boilerplate project templates or projects out their I could use to help build a foundation?
I recently discovered SudzC.com which generates classes and methods for Objective-C from the wsdl data of a .net web service, and I'm fairly sure it also does Android.
I have a huge catalog of fairly 'old' web services which pre-date WCF and they are currently working perfectly.
I should point out though that the SudzC service only shows you what it can do for you for free - to get the code you have to pay ~£20 for a one year pass.
We had something similar where I worked. We had to put together an Android app for the company. If you are on .net 4.0 or newer, you can take advantage of theWebApi. It can return json or xml. So, that means any platform can utilize it (desktiop, android, etc...). I found it extremely easy to use, with very little overhead.
I'd like to write a console program in C# that posts a Tweet to Twitter. I've never used the Twitter APIs before and don't know anything about how their authentication works. I found an API library called Twitterizer, but it seems geared towards web applications and wants the user to logon with a web browser. All the API docs on Twitter's website seems geared around this scenario as well.
Is it possible to access the Twitter APIs using a console app with no web browser access? I'm perfectly fine hard coding in the name and password for the Twitter user I want to post under as well. Thanks!
Mike
You'll need to use OAuth for authenticating in twitter.
Then use regular HTTP Request to use the twitter JSON-based API.
Here you can find a good article about OAuth, Twitter and console applications.
Also take a loot at linq2twitter lib. From it's documentation;
The Twitter API is built using
Representable State Transfer (REST).
Wikipaedia defines REST as "...a style
of software architecture for
distributed hypermedia systems...",
but I'm going to be so bold as to try
to simplify what that means. In
practice, REST is a Web service
protocol built upon Hypertext Transfer
Protocol (HTTP). You use the REST Web
service by making an HTTP call with a
URL and getting text back in some
form, which is often XML or JSON. So,
if you were to write code that made an
HTTP request with the following URL:
http://api.twitter.com/1/statuses/public_timeline.xml
You would get back an XML document
with all of the Twitter statuses from
the public timeline, which is a
snapshot in time of the last 20 tweets
at the time of your request. Go ahead
and open your browser, copy and paste
the URL above into the address bar,
and see what you get back.
I couldn't find any decent information on the web on how to do this, so I decided to write my own blog post with all the details.. Enjoy!
http://blog.kitchenpc.com/2011/01/22/rise-of-the-twitterbot/
of course you can use anything to connect to Twitter via RESTful api.
you should use oauth, and set up your application in http://dev.twitter.com, then you should read all articles listed in documents, you must specify your app as Client but not Browser so user input a number to get through authentication.
you can use many libraries so that you can save your time, all are listed in the documents
and be CAREFUL, you should not use Twitter's own api console which is buggy (as i know parameters somtimes can't be parsed), you should use APIgee instead which is powerful and stable.
if you want use basic authentication, you should use api proxy (one famous is twip), if you just need only one single C# apps, you must code by yourself:
you should use given username and password to login twitter, parse cookies passed
use normal oauth to get temporaly access token url.
use cookies got from step 1, emulates form submit to allow your apps, capture PIN code
use pin code to finish oauth.
MOST IMPORTANT, you must store access token in client's machine so next time you can bypass above steps
Just wrote a Twitter Bot in C#. This is currently posting tweets to #valuetraderteam.
https://gist.github.com/sdesalas/c82b92200816ecc83af1
The API component in the GIST below is less than 500 lines, only dependency is Json.NET, you'll need to download the latest DLL for either x64 or x86 (depending on what platform you are targetting) and include as a reference in your project.
There is an example at the bottom of the page of how you can make a tweet from a console application
Hopefully this is useful to some other people out there.
I need to call a .NET SOAP webservice in a secure way. It must be secure in such a way that others can't call the WebService methods, and also it should not be possible for "the middle man" to understand the content of the messages.
The caller will also be a .NET webapplication installed on another IIS.
I can design the webservice methods as I want, so no restrictions there.
I have been researching HTTPS/SSL with certificates, but I don't know if it actually solves my problems in a good way? For example, it would be anoying if the certificates has an expiration date, although it's not a showstopper in any way.
So how would I go about this in a good way..?
Thanks for any help.
As #BrokenGlass said, SSL only encrypts the traffic between points. It doesn't handle securing individual functions from usage without authorization. Here is a good article on just such a topic using SOAP headers:
How to: Perform Custom Authentication Using SOAP Headers
This can be mixed with any form of authentication except Windows Integrated. To use Windows authentication, you'll need to have a separate library which accesses the Active Directory through the DirectoryServices namespace.
Assuming you control the infrastructure then keeping the server that is providing the web services behind a firewall so it's accessible only from the web servers and implementing IPSec should provide the necessary security.
From the software point of view, this article contains all you need to know about protecting the service interactions.
HTTPS/SSL works fine. Just make sure to renew your certificate in time to avoid warnings and messages for your client.
I need to call a .NET SOAP webservice in
a secure way. It must be secure in
such a way that others can't call the
WebService methods, and also it should
not be possible for "the middle man"
to understand the content of the
messages.
HTTPS/SSL only solves the "middle man" part of what you want to achieve. You would still need proper authentication in place on your web service. You could do this i.e by using the built in Forms authentication and providing a Login method that returns your authentication ticket.