MSDN Magazine - September 2008 - (Page 55)

and the service layer can be further secured using firewalls, IPsec, certificates and whatever else you can think of. The AJAX service layer includes any service you would call directly from within an ASP.NET AJAX or Silverlight 2 application. It therefore consists of local, same-domain services you call via a direct URL (such as the WebClient class in Silverlight 2) or through a JavaScript proxy. If your user interface is based on a suite of third-party controls, any services you may bind to members of these controls (such as for paging or in-place editing purposes) should be secured as part of the AJAX service layer.

Keep in mind, however, that implementing security comes at a cost. So if a particular service doesn't really perform any operations that must be secured, you might want to leave it unprotected. This is an acceptable option and one that many Web sites employ. An autocompletion Web service, for example, has little to hide. Web sites that use autocompletion connect to a Web service to get a list of suggestions. This is a read-only operation that doesn't modify any data on the server or reveal any trade secrets. Leaving it unsecured presents little risk. Of course, any time you allow an outsider to get into your system you are giving him a chance to exploit latent and unknown security holes. Getting calls from all sorts of clients is a necessity in AJAX, but recognizing levels of risk is a must. You can always place different services in different sub-domains.
Built-in Protection for Service Calls

ASP.NET Web services and WCF service endpoints automatically have the advantage of a built-in security barrier. By default, WebMethods of an ASMX Web service cannot be invoked from an HTTP GET call. In addition, a POST request works only if the content type is set to a particular string: application/json. This simple mechanism stops calls made as part of a script injection attack. Once some malicious script is injected in a page, a URL can only be invoked through a <script> tag. A <script> tag can also reach a cross-domain URL, but it must use an HTTP GET and cannot set headers or content type. At the same time, any downloaded script code that attempts to execute within the JavaScript engine of the local browser will be sandboxed and thus will not be able to reach any URL—local or remote.

By default, an ASP.NET AJAX or Silverlight client invokes a WCF service using an HTTP POST. To enable an HTTP GET (and to modify the format of the URL) you have to configure the service appropriately. The default content type in this case is also set to application/json.

In light of this, is there still something to be worried about? You bet. Once the URL or static IP address of a target service has been discovered, it is relatively trivial for hackers to replay a call. The aforementioned barriers may prevent them from reaching the service using the browser—the browser always uses a GET—but there are other ways. What are they? Quite simply, they could sniff the browser-to-service communication. And once all details have been worked out, they could use a .NET smart client to prepare a call. Figure 4 shows a call to illustrate the point. The code uses the WebRequest and WebResponse classes in the System.Net namespace in a Windows Forms application to make a direct call. Because the application runs as full trust, no restrictions apply, and anybody who has the URL and call details can remotely invoke your service.

Figure 4 Full-Trust Code to Invoke

    // Requires: using System; using System.IO; using System.Net;
    void Button1_Click(object sender, EventArgs e)
    {
        string url = "http://contoso.com/services/service.asmx/GetCompletionList";
        WebRequest request = WebRequest.Create(url);
        request.Method = "POST";                   // ASMX script services reject GET by default
        request.ContentType = "application/json";  // ...and require this content type
        Stream stmReq = request.GetRequestStream();
        StreamWriter writer = new StreamWriter(stmReq);
        writer.Write(@"{""prefixText"":""Lon"",""count"":5}");  // JSON body with the method arguments
        writer.Close();
        WebResponse response = request.GetResponse();
        Stream stmResp = response.GetResponseStream();
        StreamReader reader = new StreamReader(stmResp);
        string text = reader.ReadToEnd();          // JSON result returned by the service
        reader.Close();
        stmResp.Close();
    }

Implementing Security in the AJAX Service Layer

To figure out ways to protect your AJAX service layer effectively, you should look again at Figure 3. Two groups of users may call services in the AJAX service layer: legitimate users and outsiders. Legitimate users connect through a regular Web front end, be it ASP.NET AJAX or Silverlight 2. Outsiders reach the URL using any platform they can—usually a custom full-trust application.

To allow access to legitimate users and reject malicious ones, you should identify a piece of information that only legitimate users can easily provide. As Figure 5 shows, that special piece of information is the authentication cookie.

Figure 5 Legitimate Users Connect After Passing Through a Login Interface (diagram: the presentation layer, JavaScript or Silverlight 2, sends the authentication cookie together with JSON to the URL of the AJAX service layer)
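As an added example that is not the column's own code, here is how the two gates described above look on the server side of an ASMX script service: the built-in POST plus application/json barrier is re-checked explicitly, and the call is then refused unless the request carries a valid Forms Authentication cookie. The service and method names, the namespace and the city list are assumed for the illustration.

```csharp
// Added example (not from the article); service and method names are illustrative.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Script.Services;
using System.Web.Services;

[WebService(Namespace = "http://contoso.com/services/")]
[ScriptService] // exposes the WebMethods to ASP.NET AJAX JavaScript proxies
public class CompletionService : WebService
{
    // Constructed sample data standing in for a real suggestion source.
    private static readonly string[] Cities =
        { "London", "Long Beach", "Longview", "Los Angeles", "Lyon" };

    // With [ScriptService], GET is refused unless UseHttpGet = true is set,
    // and the call must carry Content-Type: application/json, so neither a
    // <script> tag nor a plain HTML form can reach this method.
    [WebMethod]
    [ScriptMethod(ResponseFormat = ResponseFormat.Json)]
    public string[] GetCompletionList(string prefixText, int count)
    {
        HttpContext ctx = HttpContext.Current;
        // Defence in depth: re-check the request shape explicitly rather
        // than relying solely on the framework default.
        string contentType = ctx.Request.ContentType ?? string.Empty;
        if (ctx.Request.HttpMethod != "POST" ||
            !contentType.StartsWith("application/json", StringComparison.OrdinalIgnoreCase))
            throw new HttpException(405, "GetCompletionList requires a JSON POST.");

        // The authentication cookie is what separates a legitimate browser or
        // Silverlight client from a full-trust client replaying the call: Forms
        // Authentication validates the cookie and populates User, so a caller
        // without a valid cookie is refused before any data is touched.
        if (!ctx.User.Identity.IsAuthenticated)
            throw new HttpException(401, "Login required.");

        // Bound the result size so even a valid caller cannot pull the whole list.
        int max = Math.Max(1, Math.Min(count, 10));
        List<string> matches = new List<string>();
        foreach (string city in Cities)
        {
            if (!city.StartsWith(prefixText ?? string.Empty, StringComparison.OrdinalIgnoreCase))
                continue;
            matches.Add(city);
            if (matches.Count == max) break;
        }
        return matches.ToArray();
    }
}
```

The Figure 4 client, run without a prior login, reaches the first gate but not the second: its request is a well-formed JSON POST, yet it carries no authentication cookie, so the 401 is raised before any suggestion is computed.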