I've got a website which contains the profile of users. I am now working on a mobile app and I would like to access the profile details via the app. My idea is to simply create a webservice which returns the relevant fields (some of which might be password protected). How can I ensure that the web service is being requested only by my application and not by anything else (desktop, other app etc.)? Initial idea was to have a secret key embedded in the program which is used to encrypt the data sent over to the web service, but I'm not sure how difficult it would be for someone to find that key since it's on the client side app.
Any suggestions on what the best approach would be for this type of situation? (I assume the technique would be the same regardless of phone model)
Thanks
Microsoft now considers ASMX web services to be "legacy technology". All new development should be done using WCF.
WCF has many more abilities in terms of security than ASMX does.
I would like to add a password protected page to my WPF modernUI application and could use some help with it.
First of all I don't really have a clue how to handle this stuff correctly in my case.
My application is used on several machines. The protected page should be some kind of admin-page to edit a database that is used by the app.
My idea is, that there is only one Admin-account. But this account can be used from any machine. The admin should be able to change his password. So there must be some kind of encrypted password file on the server which can be accessed from any machine. I don't want to store the password within the application, as this would mean that the admin has to change his password on every machine.
So my question is: What is the best/safest solution for my idea? I'm just looking for hints as I don't have a clue what to search for.
The best practice nowadays for distributed client applications that share a database is indeed not to have direct access to the database.
What you need is a WebService. A web service can be anything. It just has to be hosted somewhere. It can be an ASP.NET application, a WCF Service, or even something not .NET related like a PHP or Java application.
The communication between your application and your WebService depends on what you decide to use. Today a lot of people are using so-called REST APIs which use either XML or JSON as data transfer format and use the HTTP protocol.
It's not hard to implement such an API since there are tons of libs and solutions out there.
You could use RestSharp for the communication at your client side, which is straightforward and simple. You could also consume a WCF Service, which is hosted in IIS somewhere.
However, your problem is nothing special and there are several solutions available. The decision is on your side since it depends on a lot of things such as budget, available infrastructure etc.
Your question is quite broad but as far as WPF is concerned you could implement custom authentication and authorization in your application by creating classes that derive from the IIdentity and IPrincipal interfaces and overriding the application thread's default identity. Please refer to the following blog post for more information and an example.
Custom authorization in WPF: https://blog.magnusmontin.net/2013/03/24/custom-authorization-in-wpf/
The actual credentials should be stored on some remote server that may be accessed through a web service, WCF service or some other kind of API. The details of how to actually get the credentials would be implemented in the AuthenticationService class in the sample code from the above link.
My Google-fu is failing me here... most likely a terminology thing.
Basically, I'm making a desktop (and likely mobile) application that connects to a REST API that returns JSON. I've created a C# class library that handles the data querying in my local project; however, this would expose my API key if I were to publish it.
I would like to know what are the appropriate options for simply running a small service in Azure that takes a web request, queries the API and passes the JSON response back. Something lightweight, decently scalable.
Is this something a web role or worker role is good for? Is this something I really should learn Node.js for?
I asked a similar question a few years back: Keeping a secret key secret with Amazon Web Services
One reasonable solution is to build a simple service that returns the headers and url to use when communicating with the authenticated service. Your API key remains secret because it only lives in your service, but the clients can leverage the API key by getting the encrypted request from your service and then making the request for the actual work.
I haven't personally looked into the Azure API App Service, but a brief browse of the main website suggests that it, too, may be relevant to your interests. :)
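The signing-service approach described in the answer above, as an added Python example (not code from the thread or from any Azure or AWS SDK). It assumes the upstream API authenticates an HMAC signature over each request, the way AWS does, rather than a bare key; the header names, `UPSTREAM` host, key values and allow-list are hypothetical.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed values for illustration; the real secret lives only in the broker's config.
API_KEY_ID = "demo-key-id"
API_SECRET = b"constructed-secret-never-shipped-to-clients"
UPSTREAM = "https://api.example.test"   # hypothetical upstream host
MAX_SKEW = 300                          # seconds a signed request stays valid
ALLOWED = {("GET", "/v1/profile")}      # broker signs only what clients may do


def _canonical(method, path, params, timestamp):
    # Sort the query so the broker and the verifier build the same byte string.
    query = urlencode(sorted(params.items()))
    return f"{method}\n{path}\n{query}\n{timestamp}".encode()


def sign_request(method, path, params, now=None):
    """Broker side: return the URL and headers for one specific request."""
    if (method, path) not in ALLOWED:
        raise PermissionError(f"{method} {path} is not signable")
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(API_SECRET, _canonical(method, path, params, ts), hashlib.sha256)
    query = urlencode(sorted(params.items()))
    return {
        "url": f"{UPSTREAM}{path}?{query}",
        # Hypothetical header names; the client forwards them unchanged.
        "headers": {"X-Key-Id": API_KEY_ID, "X-Timestamp": ts,
                    "X-Signature": mac.hexdigest()},
    }


def verify_request(method, path, params, headers, now=None):
    """Upstream side: recompute the MAC and reject stale or altered requests."""
    now = now if now is not None else time.time()
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW:
        return False
    expected = hmac.new(API_SECRET, _canonical(method, path, params, str(ts)),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))
```

A client that holds a signed request can replay it until the timestamp window closes, so the broker should authenticate its own callers and keep the allow-list and `MAX_SKEW` as tight as the application permits.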
Check out Azure Mobile Apps. Azure Mobile Apps is a "backend as a service" platform. With Mobile Apps you can easily store information into a SQL Database and expose custom API methods. It is a great place to start and has SDKs for connecting iOS, Android, Xamarin, and HTML apps.
As for security, the Mobile service has options to protect the data, from allowing anonymous access to requiring each user to authenticate.
I need to build this architecture and I need some orientation on "how should I build". I've read many docs and examples but I can't find and figure how to do trying to be efficient and secure:
External app (android app, ios app) where users, after a login, can access to their personal info and manage the account (updating personal data, showing personal documents related to their account and much more). The username / pwd input must be done only 1 time.
A public wcf service will receive their actions and will call to a another internal wcf service. It will work like a 'bridge'.
The internal wcf service will get the request and do the operations needed (logical and db operations). This will return data to the external wcf service and this one to the client (obvious).
UserName/PWD are stored in a database.
WCF services can only be accessed with the correct credentials and are IIS hosted.
So I find many problems/questions:
I don't know HOW and WHERE I should build the AUTH (internal, external, both?). How can I manage a session between WCF services and app clients to avoid sending credentials every time?
The client app needs to send credentials every time? This means every service requires to SELECT the database for checking the username?
SOAP? REST services? It doesn't care? (on internal WCF, external WCF, both?).
Do I need to work with ASP.NET sessions or do I really not need them? I don't see how services that need username/pwd and that are called frequently and repeatedly are efficient without old ASP.NET sessions.
Thanks for your help and orientation.
Regards!
If someone is interested... it seems Routing Service fits my design and can solve my problem, after some tests I have done.
I am developing an android application to accommodate some desktop software that I created. I would like for the user of the mobile app to have to verify their identity through authentication. Basically the web service will have to act as a central hub to both authenticate and hold information that the android app will need. The way I think it should work is to
- Set up a central web service
- Allow user to create account from desktop client using email/password
- The desktop client will send the information to the webservice that the android app will need.
- When android app is authenticated it will then retrieve the data it needs that was posted from the client.
So basically the service will need to be able to send and receive data.
I will only be using .net (either C# or vb.net ) for the service, so this leads me to a couple of questions:
Should I be using WCF for this? If so should I create a WCF Service library or WCF Service application?
Should I be using the Single Sign-On service approach?
The web service doesn't need to be fancy, it just needs to get the job done. Are there any boilerplate project templates or projects out there I could use to help build a foundation?
I recently discovered SudzC.com which generates classes and methods for Objective-C from the wsdl data of a .net web service, and I'm fairly sure it also does Android.
I have a huge catalog of fairly 'old' web services which pre-date WCF and they are currently working perfectly.
I should point out though that the SudzC service only shows you what it can do for you for free - to get the code you have to pay ~£20 for a one year pass.
We had something similar where I worked. We had to put together an Android app for the company. If you are on .NET 4.0 or newer, you can take advantage of the WebApi. It can return JSON or XML. So, that means any platform can utilize it (desktop, Android, etc.). I found it extremely easy to use, with very little overhead.
We have a web service which will be used by the application to interact with the server.
This service is a PHP based service. When we add this as a service reference in a metro style app we aren't able to access any methods.
We tried the same URL in other application as a service reference and we were able to access the methods.
The service URL is http://sanity-free.org/services/ws.php?wsdl
Please let me know how we can access this method in our application.
Thanks
Mani
I'll describe my case to you. I hope it helps.
I have a metro app that communicates with Azure SQL via ASP WebApi. The WebApi is hosted in the cloud and it is a connector for metro to my DB.
It is very similar to your case. Create public methods that are available from the world. Then you just need to make sure that the data is returned in a good format (by your PHP service). I prefer JSON because it is easy to code and decode, and it's lite (that is very important in a web app).
I connect with my API like this: http://domain.com/api/Content/get or http://domain.com/api/content/getbyname/my+name
With these URLs I'll get the whole content or content by title.
This is not a 100% answer for your question but can solve it :)