Hide function input parameters in C# web-service? - c#

I have a question regarding if it is possible to hide inputs to a web-service method.
Let's say that the fourth parameter takes a password as input, and we want this input only to be used on the client side.
The function has 4 input parameters, and is there any way possible to still have all the input parameters to the function but make the fourth parameter invisible when accessing the .asmx file through the web-browser? This is to eliminate users trying to access the service and trying to input random data.
EDIT: To place this in an example.
We have an iPhone application, when a user makes use of a function, some parameters are sent to the web-service along with the fourth parameter that should contain a key of some sort to validate that the user is on an actual iPhone using the application and not someone accessing the web-service trying to access data.
public someVariable someFunction(someVar parameter1, someVar parameter2, someVar parameter3, someVar parameter4)
{
    if (key.isMatch(parameter4))
    {
        // The user is on an iPhone using the app: proceeding.
    }
    else
    {
        // The user is not on an iPhone, cancelling function.
    }
}

You can prevent calling your method from a web browser by extending SoapExtension and getting extra information as a SOAP header, which can only be sent by the end-user app.
Have a look at this: Using SOAP Header and SOAP Extensions in a Web Service

The interface that you are using was not supposed to be used for anything but testing.
If you need to use it on production you should rather implement your own page, so the TextBox for parameter 4 would be masked.
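
The SOAP header approach from the first answer, as an added example that is not code from the original thread: the key travels in a SOAP header instead of a fourth method parameter, so it does not appear on the .asmx test form, and a call that arrives without the header is rejected. It uses the built-in SoapHeader attribute rather than a custom SoapExtension; the names AppKeyHeader, SomeService, the "AppKey" setting and the namespace are assumptions.

```csharp
using System;
using System.Configuration;
using System.Web.Services;
using System.Web.Services.Protocols;

// Hypothetical header type: carries the application key outside the method signature.
public class AppKeyHeader : SoapHeader
{
    public string Key;
}

[WebService(Namespace = "http://example.com/")] // placeholder namespace
public class SomeService : WebService
{
    // Filled in by ASP.NET from the SOAP envelope; stays null when no header is sent,
    // which is the case for the browser test page of the .asmx file.
    public AppKeyHeader AppKey;

    [WebMethod]
    [SoapHeader("AppKey")]
    public string SomeFunction(string parameter1, string parameter2, string parameter3)
    {
        string expected = ConfigurationManager.AppSettings["AppKey"]; // hypothetical setting
        if (AppKey == null || !SameKey(AppKey.Key, expected))
        {
            throw new SoapException("Invalid application key.", SoapException.ClientFaultCode);
        }
        return parameter1 + parameter2 + parameter3; // placeholder for the real work
    }

    // Compares every character so the response time does not depend on where the keys differ.
    private static bool SameKey(string supplied, string expected)
    {
        if (supplied == null || expected == null || supplied.Length != expected.Length)
        {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < expected.Length; i++)
        {
            diff |= supplied[i] ^ expected[i];
        }
        return diff == 0;
    }
}
```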

Related

mvc encoding/decoding the querystring

I am developing an asp.net mvc 6 application, and as part of the application we will send out emails, which contain a link that a user can click on that sends them to a particular action method.
An example of an emailed link would be
http://identity.platform:7000/account/register?emailinvitation=true&email=yerg@test.com
Which would then go to the AccountController Register action method:
Register(string userName, bool emailInvitation=false, string email="" )
What I would like is to do a Base-64 encoding of the url, so the user is not then tempted to manually change any of the parameters, so then we have a link like
http://identity.platform:7000/account/register?url=ZW1haWxpbnZpdGF0aW9uPXRydWUmZW1haWw9eWVyZ0B0ZXN0LmNvbQ==
So the flow in my mvc application would be
receive the request
check if there is a url parameter that needs decoding
if so decode and send on to the appropriate controller/action method
My question is, whereabouts should I be intercepting the request and decoding it? Should this happen in the routing, or somewhere later? How do I then redirect to the action method with the appropriate parameters?
On the server, generate a GUID for the specific invite, and send that in the email instead of the params.
You will also need an overload for the Register action method which accepts the GUID string instead.
Register(string guid) {
}
It will fetch the linked details (e.g. email address) from the data store and then proceed as per your normal process.
Unlike base64, there's no way for anyone to reverse it and discover the parameters, and it's hard for the user to guess another valid GUID. There's no need for you to worry about encoding and decoding them, and you can easily make them one-time-only tokens, which may be helpful to your business process. Another bonus is that you don't end up with sensitive data like email addresses in your server logs or user's browsing history, or transmitted in the clear over HTTP (as per your example URL).
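
The invite-token approach from the answer above, as an added example that is not code from the original thread: the e-mail address stays on the server and the link carries only an opaque, single-use, expiring token. InviteStore and its members are hypothetical names, the store is in memory only, and the token is 128 bits from RandomNumberGenerator formatted as a GUID rather than a value from Guid.NewGuid().

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical in-memory invite store; a real application would keep invites in its database.
public sealed class InviteStore
{
    private sealed class Invite { public string Email; public DateTime ExpiresUtc; }

    private readonly ConcurrentDictionary<string, Invite> _invites =
        new ConcurrentDictionary<string, Invite>();

    // Stores the invite details server-side and returns the opaque token for the e-mailed link.
    public string Create(string email, TimeSpan lifetime)
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes); // 128 random bits
        string token = new Guid(bytes).ToString("N");
        _invites[token] = new Invite { Email = email, ExpiresUtc = DateTime.UtcNow.Add(lifetime) };
        return token;
    }

    // Redeems a token at most once: TryRemove is atomic, so a replayed link finds nothing.
    public bool TryRedeem(string token, out string email)
    {
        email = null;
        Guid parsed;
        Invite invite;
        if (!Guid.TryParseExact(token, "N", out parsed)) return false;           // not a token
        if (!_invites.TryRemove(parsed.ToString("N"), out invite)) return false; // unknown or used
        if (invite.ExpiresUtc < DateTime.UtcNow) return false;                   // expired
        email = invite.Email;
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new InviteStore();
        string token = store.Create("yerg@test.com", TimeSpan.FromDays(7)); // address from the question
        string email;
        Console.WriteLine("/account/register?guid=" + token);
        Console.WriteLine(store.TryRedeem(token, out email)); // first click on the link
        Console.WriteLine(store.TryRedeem(token, out email)); // same link replayed
    }
}
```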

Attask - Create a new user via API

I am integrating a .Net application with Workfront, and I am supposed to create a new user in Workfront from the API. I have tried the steps mentioned in the link and my code https://{mycompany}.attasksandbox.com/attask/api/user?updates={emailAddr:testuserAPI@domain.com,firstName:testuser,lastName:API}&username=myname@domain.com&password=password&method=post
From my console application I get internal server error 500. From Fiddler I get a parse error.
https://{mycompany}.attasksandbox.com/attask/api/5.0/user?updates={"emailAddr":"testuserAPI@domain.com","firstName":"testuser","lastName":"sample","roleID":"testrole","password":"pwd123res"}&method=post&sessionID=sdfdsdf1
The above code gives an "unrecognized URI format: too many parts" exception.
Though my requirement is to authorise using an API key, I was trying possible ways of achieving it. But I am not able to create in any of the ways. However, I am able to create from the UI, which confirms my ID has rights to create a user. I did look into the API explorer and could see named functions, but what's the approach? Is there any documentation for these complete steps? My search was in vain. Please suggest, as I am a newbie to Workfront. Thanks in advance!
Update 1:
I was able to create a user via the API authorising by both API key and sessionID. The parameter I missed to pass is username (not necessarily an existing username). My code is -
https://{mycompany}.attasksandbox.com/attask/api/user?updates={"firstName":"Test","lastName":"API","username":"TestAPI@domain.com","emailAddr":"test2@test.com"}&method=post&apiKey=t---------------------u
My first step is resolved. There are 2 more steps which I need to perform. Calling named action - assignUserToken. I tried the code as below and it didn't work
https://{mycompany}.attasksandbox.com/attask/api/5.0/user/ID=4556ffs3324?action=assignUserToken&apiKey=t---------------u&method=put
ID is value returned while creating a user. Error returned is -
{"error":{"class":"java.lang.IllegalArgumentException","message":"null objCode"}}
Can you share the syntax of calling this named action?
Hi, your call has a few things wrong with it.
1st you are calling
api/5.0
this needs to be
api/v5.0
2nd you are calling
api/v5.0/user/ID=4556ffs3324
it should be
api/v5.0/user/4556ffs3324
Other than that I don't see anything else wrong with the call.
Creating a user via API is a 3 step process as mentioned in the link but it doesn't have syntax. The syntax and steps are as below.
Create user -
https://{yourcompany}.attasksandbox.com/attask/api/user?updates={"firstName":"Test","lastName":"API","username":"TestAPI@domain.com","emailAddr":"test@domain.com"}&method=post&apiKey=-----0l
This would return a unique ID in the response. Use this ID value for the next step.
Assign userToken -
https://{mycompany}.attasksandbox.com/attask/api/v5.0/user/12345?action=assignUserToken&apiKey=d---l&method=put
ID value is 12345. This would further return a token. Use this token value for next step.
Complete userRegistration -
https://{mycompany}.attasksandbox.com/attask/api/v5.0/user/12345?action=completeUserRegistration&updates={"firstName":"Test","lastName":"API","token":"0--ab","title":"testUser","newPassword":"Password01"}&method=put&apiKey=dqy---3
That completes all the process. Now check in workfront UI.

What if connection is lost when I am consuming web service in mobile device

I have one question. I am going to use a RESTful web service in my mobile app (which is based on C#, MonoTouch). I have to send big data using either JSON or XML. Can I make sure that, in case the connection is lost, I stop pulling data and cancel the rest of the data which has been pulled?
Basically, my target is that I don't want to pull partially. I need the whole data without losing it.
Any other idea how I can achieve this?
Just wanted to ask another question: how can I secure my URL which refers to data, if I use a RESTful web service?
If you use NSURLConnection as follows
NSURLConnection *theConnection=[[NSURLConnection alloc] initWithRequest:[NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"http://www.google.com"]] delegate:self];
Then, you can use the following two delegate methods to check if the data downloaded fully.
-(void)connection:(NSURLConnection *)connection didFailWithError:(NSError *)error {
//Download failed
}
-(void)connectionDidFinishLoading:(NSURLConnection *)connection {
//Download success
}

providing a java servlet with information

I am new to servlets. I made a simple hello world programme that prints those famous 2 words to the screen when I access the page via a browser using http://localhost:8080/mypath/path...
My question is now, how do I provide a servlet with information? Specifically considering the fact that my C# programme calculates a lookup value for a global system, then the "java" servlet processes that and returns a set of results.
I have done the reverse thanks to help on here, regarding calling a returned string from the java servlet in C#. However I am not sure how I go about providing the servlet information. Do I pass it via the URL?
Thank you
If you mean that you wish to pass information to servlet you can do it:
using request parameters (for example url arguments if you use GET method)
by parsing request URL (see HttpServletRequest.getRequestURL() and getRequestURI())
by examining the HTTP headers and cookies (see HttpServletRequest.getHeaders() )
If you are asking about sending information from servlet back to client you can write it into output stream got from HttpServletResponse.

How to secure AJAX request in ASP.NET?

I am developing an application in which I am displaying products in a grid. In the grid there is a column which has a disable/enable icon, and on click of that icon I am firing a request through AJAX to my page manageProduct.aspx for enabling/disabling that particular product.
In my ajax request I am passing productID as parameter, so the final ajax query is as
http://example.com/manageProduct.aspx?id=234
Now, if someone (professional hacker or web developer) can get this URL (which is easy to get from my javascript files), then he can make a script which will run as a loop and will disable all my products.
So, I want to know whether there is any mechanism, technique or method by which, if someone tries to execute that page directly, it will return an error (a proper message, "You're not authorized" or something); else, if the page is executed from the desired page, like the one where I am displaying the product list, it will execute properly.
Basically I want to secure my AJAX requests, so that no one can directly execute them.
In PHP:
In PHP, my colleague secures these PHP pages by checking the referrer of the page, as below:
$back_link = $_SERVER['HTTP_REFERER'];
if ($back_link =='')
{
echo 'You are not authorized to execute this page';
}
else
{
//coding
}
Please tell me how to do the same, or any other different but secure technique, in ASP.NET (C#). I am using jQuery in my app for making AJAX requests.
Thanks
Forget about using the referer - it is trivial to forge. There is no way to reliably tell if a request is being made directly or as a response to something else.
If you want to stop unauthorised people from having an effect on the system by requesting a URL, then you need something smarter than that to determine their authorisation level (probably a password system implemented with HTTP Basic Auth or Cookies).
Whatever you do, don't rely on http headers like 'HTTP_REFERER', as they can be easily spoofed.
You need to check in your service that your user is logged in. Writing a good secure login system isn't easy either but that is what you need to do, or use the built in "forms authentication".
Also, do not use sequential product IDs, use uniqueidentifiers. You can still have an integer product ID for display, but for all other uses like the one you describe you will want to use the product uniqueidentifier/GUID.
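
What the answers above describe, as an added example that is not code from the original thread: the server decides from the authenticated identity, not from the Referer header, whether the enable/disable call may run, and products are addressed by GUID. The handler name, the "ProductAdmin" role, the in-memory product table and the sample GUID are assumptions, and forms authentication is assumed to be configured for the site.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web;

// Hypothetical generic handler standing in for manageProduct.aspx (requires .NET 4.5+).
public class ManageProductHandler : IHttpHandler
{
    // Constructed sample data: product GUID -> enabled flag; a real app would use its database.
    private static readonly ConcurrentDictionary<Guid, bool> Products =
        new ConcurrentDictionary<Guid, bool>();

    static ManageProductHandler() { Products[new Guid("3f2504e0-4f89-41d3-9a0c-0305e82c3301")] = true; }

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Answer the AJAX caller with a status code instead of a redirect to the login page.
        context.Response.SuppressFormsAuthenticationRedirect = true;

        // A state-changing call must be a POST, so a plain link cannot trigger it.
        if (context.Request.HttpMethod != "POST") { Reject(context, 405, "POST required"); return; }

        // Identity comes from the authentication cookie, never from the Referer header.
        if (!context.Request.IsAuthenticated) { Reject(context, 401, "Not logged in"); return; }

        // Being logged in is not enough: the user must be allowed to manage products.
        if (!context.User.IsInRole("ProductAdmin")) // hypothetical role name
        { Reject(context, 403, "You are not authorized"); return; }

        // Products are addressed by GUID rather than by a sequential integer.
        Guid productId;
        bool enabled;
        if (!Guid.TryParse(context.Request.Form["id"], out productId) ||
            !Products.TryGetValue(productId, out enabled))
        { Reject(context, 404, "Unknown product"); return; }

        Products[productId] = !enabled; // toggle enabled/disabled
        context.Response.ContentType = "application/json";
        context.Response.Write(enabled ? "{\"enabled\":false}" : "{\"enabled\":true}");
    }

    private static void Reject(HttpContext context, int status, string message)
    {
        context.Response.StatusCode = status;
        context.Response.Write(message);
    }
}
```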
