Hello Guys
I have exposed Page and codeunit as web service.
I have been able to connect to the web service through a .NET client as well as a PHP client.
Everything works fine...
But the problem comes at the security level.
My clients access the web service through HTTP SOAP requests, using the basic authentication process that Navision web services provide.
My questions are:-
1. How secure is this process? Is the username/password exposed as plain text on the internet?
2. How can I add a security layer before accessing Navision? I mean, what kind of security layer can I add to make my web services more secure?
3. My company said that it does not want its clients to have direct access to the Page web service.
My company thinks that the clients are accessing the database directly... :P
So, is it a good idea to create a proxy (just like Freddy's blog)?
I need more ideas on security...
Hope you will help me out..
Heveen
Comments
Force all traffic to go to SSL in IIS (there's an install package for this in IIS);
then all traffic, including passwords, is encrypted.
YES, write a proxy external layer of web services for your clients to consume.
Use a membership provider like the one that comes with .NET, the ASP.NET user membership DB. It is very easy to use and manipulate.
To answer your questions:
My questions are:-
1. How secure is this process? Is the username/password exposed as plain text on the internet? [Very secure if you use SSL. Credentials and all traffic are encrypted via SSL. Install the IIS7 package that forces SSL on port 443 (google for it).]
2. How can I add a security layer before accessing Navision? I mean, what kind of security layer can I add to make my web services more secure? [Again, SSL is key. It encrypts everything. You can also require that web services have username as string and password as string params; pass these to a validation function which checks the user's role and validates credentials.]
3. My company said that it does not want its clients to have direct access to the Page web service.
My company thinks that the clients are accessing the database directly...
[To ensure this does not happen, only publish the web services in a public folder which you use to call the core web services. Never expose the core services to the external world. Just a bad practice.]
I have code for all of this if you need it.
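
The proxy layer described in the reply above, as an added example that is not part of the thread: a public facade accepts credentials only over HTTPS, validates them against a membership store, checks the role, and forwards only allowlisted operations to the core service under its own account. It is written in Python to stay self-contained; the user store, role, operation names and the `svc-proxy` account are constructed for illustration.

```python
import hashlib, hmac, os, re

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _user(password, roles):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "roles": frozenset(roles)}

# Constructed membership store (stands in for the membership database).
USERS = {"acme": _user("constructed-pw-1", {"customer_read"}),
         "guest": _user("constructed-pw-2", set())}
_DUMMY = _user("unused", set())  # hashed against when the user is unknown

# Allowlist: public operation -> (required role, core operation). Anything else is refused.
OPERATIONS = {"GetCustomerName": ("customer_read", "Customer.Read")}
SERVICE_ACCOUNT = "svc-proxy"  # hypothetical identity the proxy uses toward the core

def core_service(operation, key, account):
    """Stand-in for the internal core web service (constructed data)."""
    customers = {"C0001": "Acme Ltd"}
    return customers.get(key) if operation == "Customer.Read" else None

def authenticate(username, password):
    """Return the user's roles, or None if the credentials are wrong."""
    user = USERS.get(username, _DUMMY)  # always hash, so unknown users cost the same time
    ok = hmac.compare_digest(_hash(password, user["salt"]), user["hash"])
    return user["roles"] if ok and username in USERS else None

def handle(request, core=core_service):
    """Validate one client request and forward it to the core; returns (status, body)."""
    if request.get("scheme") != "https":          # never accept credentials over plain HTTP
        return 403, "HTTPS required"
    roles = authenticate(request.get("username", ""), request.get("password", ""))
    if roles is None:
        return 401, "Access denied"
    entry = OPERATIONS.get(request.get("operation"))
    if entry is None or entry[0] not in roles:    # not published, or role missing
        return 403, "Operation not permitted"
    key = request.get("key", "")
    if not re.fullmatch(r"[A-Z0-9]{1,20}", key):  # validate input before it reaches the core
        return 400, "Bad key"
    # Forward with the proxy's own account; the client's credentials stop here.
    return 200, core(entry[1], key, SERVICE_ACCOUNT)
```

The core service sees only the proxy's account and the operations in the allowlist, so it can be bound to an internal interface that clients cannot reach.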