I've got several Visual FoxPro 9 + MS SOAP Toolkit web services in production, and now some folks within the company I work for have become concerned about unauthorized third parties gaining access to those web services to use them for their own purposes. So basically I need a way to secure my existing web services. Can anyone provide some guidance for me on how to do this? I would prefer not to add an API key or password as a parameter for every service call, if possible.
Thanks,
Jon
Unfortunately that's what you have to do with SOAP services... No other way for your application to pick up authentication.
The typical way to do this for services is to have a login API that returns an auth token that you pass with each request.
+++ Rick ---
Hello,
I've got several Visual FoxPro 9 + MS SOAP Toolkit web services in production, and now some folks within the company I work for have become concerned about unauthorized third parties gaining access to those web services to use them for their own purposes. So basically I need a way to secure my existing web services. Can anyone provide some guidance for me on how to do this? I would prefer not to add an API key or password as a parameter for every service call, if possible.
Thanks,
Jon
West Wind Technologies
Making waves on the Web
from Hood River
Thanks,
Jon
Unfortunately that's what you have to do with SOAP services... No other way for your application to pick up authentication.
The typical way to do this for services is to have a login API that returns an auth token that you pass with each request.
+++ Rick ---
In basic authentication, a user is required to provide username and password. IIS authorizes access to the XML web service if the credentials (username and password) provided match a valid user account.
Basic authentication is not secure. It requires users to provide username and password information, and the information is transmitted using simple base64-encoded text that can be easily decoded. But basic authentication along with SSL (as described in the Securing Service by Enabling Connections Through SSL topic) is secure because SSL layer encrypts the data being sent over the connection. Basic authentication is recommended if you want your service to be secure and highly interoperable.
Thanks,
Jon
Ah yes SOAP - such a pain in the ass it turned out to be in the end compared to plain old REST service solutions that we build today, huh? ;-)
+++ Rick ---
Anything wrong with using Basic Authentication in IIS, if SSL is turned on? I was reading the MS Soap Toolkit help topic "Securing Web Service Using Various Authentication Methods" and found the following:
In basic authentication, a user is required to provide username and password. IIS authorizes access to the XML web service if the credentials (username and password) provided match a valid user account.
Basic authentication is not secure. It requires users to provide username and password information, and the information is transmitted using simple base64-encoded text that can be easily decoded. But basic authentication along with SSL (as described in the Securing Service by Enabling Connections Through SSL topic) is secure because SSL layer encrypts the data being sent over the connection. Basic authentication is recommended if you want your service to be secure and highly interoperable.
Thanks,
Jon
West Wind Technologies
Making waves on the Web
from Maui
I know this is an older thread, but I recently had to revisit this topic and found a way to access the SOAP header (on the server side) from my VFP/SOAP Toolkit web service by creating a custom header handler:
https://www.levelextreme.com/ShowHeaderArticleOneItem.aspx?ID=39203
I had to make a couple of slight changes due to differences between the last version of the SOAP Toolkit 3.0 and version 2.0, which was used in the article. I thought I would post this here in case anyone else out there needs to do something similar, since it was such a struggle for me to find this information.
Sure post it here if you like. It'll be easier to find here than anything on the UT via search engine 😃
There are still lots of people asking about the SOAP Toolkit, but seriously I would not recommend using that for anything at this point. Even v3 was hopelessly out of date with SOAP spec issues and even without those it's always been such a pain in the ass to use it especially if you have complex types you need to pick up (which these days dealing with SOAP is just about ANY service).
Personally, I would recommend to go the .NET route, create a .NET Proxy and call that proxy from Foxpro. That way you have a current and up to date SOAP client and a real structure that can deal with deep object graphs as well as all the SOAP add-ons like headers relatively easily. The .NET client is the only actively developed SOAP client left for Win32 apps that I know of.
Take a look here:
Creating and Consuming SOAP FoxPro Web Services
Check the second part of the article that talks about creating a .NET Proxy and consuming it in FoxPro.
And there's also the West Wind Web Service Proxy Generator which basically abstracts that process so you don't have to .NET to set up the the proxy.
West Wind Web Service Proxy Generator
Hope this helps,
+++ Rick ---
Hi Rick,
Yeah, I never use the SOAP Toolkit as a SOAP client for calling web services anymore, but I still have VFP/SOAP Toolkit web services deployed and out in the wild for many of my customers, and unfortunately they are complex enough that rewriting them or swapping out the SOAP Toolkit for .Net doesn't make much sense when they still work just fine. In this case, I just needed to be able to intercept and use the SOAP header on the server side from my VFP code, and this did the trick.
Jon