I have coded some javascript to an AJAX call in an asp.net application. It is a method that says a URL, runs by sending some standards in the post.
The processed page data processes and updates our database.
We will provide this code for customers
Can anyone tell me what is the method to stop unauthorized access to this URL? Otherwise an unscrupulous developer could use this URL to add data to our database when they should not.
Thanks for any indication given.
The issue here is that I will have to provide the code to our customers and they will add it to their website. Therefore, by adding some lines of code to my site, doing nothing more complex is not an option.
However, the need to perform a sending of data from our server, somehow, safely?
Is this an impossible scenario or will I need to do some kind of auditing after processing?
Thank you all for some good suggestions.
You can use SOAP to pass the username / password with the request above the wire SSL should be used to encrypt the data going on. Here are some codes that we will use:
This is a class that will hold the credentials that are sent with this request:
Import System Web.Services.Protocols Public Class ServiceCredentials SoapHeader Personal _userName inherited string public property username () string as the return _userName termination set (byVal value as string) _userName = value end set end property private form String in Get the string return _password as the property password (go) Go termination _password go go set (byVal as value string) _password = value end set end property public sub (new) End Sub public sub NewUserInfo (ByVal ServiceUser string as , ByVal ServicePassword as string) Me.UserName = ServiceUser Me.Password = ServicePassword End Sub Add an attribute to the definition of your web service:
& Lt; WebMethod () & gt; _ & Lt; Sophader ("Credentials Header") & gt; _ Function MyWebMethod (Instrumental Parameters as String) 'Check permissions here If the permissions are valid (Credentials Header) then' OK! ....... If the 'end action function' and again, to check permissions, just a function (permissions valid in my example), a permission error is terminated Do:
'Function permissions Wallis' (Bevel certification as service credentials) Boolean check credentials Username and credentials Return password and a boolean termination function hereIt may look like a bunch of work, but in this way, when they send a request, you can do it against a database or you Check whoever you want. You can easily turn off one user name at the end.
An easy way to restrict the IP address, which is allowed to kill the service page but then you participate in problems with changing IP addresses etc.
BTW, in this post I was typed as much as I posted, so you may have to check the code to make sure that it is compiled :)
Comments
Post a Comment