Web Development with Visual FoxPro
Authentication for VFP Web Service?
Gravatar is a globally recognized avatar based on your email address. Authentication for VFP Web Service?
  Jon
  All
  May 11, 2015 @ 10:42am
Hello,

I've got several Visual FoxPro 9 + MS SOAP Toolkit web services in production, and now some folks within the company I work for have become concerned about unauthorized third parties gaining access to those web services to use them for their own purposes. So basically I need a way to secure my existing web services. Can anyone provide some guidance for me on how to do this? I would prefer not to add an API key or password as a parameter for every service call, if possible.

Thanks,

Jon

Gravatar is a globally recognized avatar based on your email address. Re: Authentication for VFP Web Service?
  Rick Strahl
  Jon
  May 11, 2015 @ 12:46pm

Unfortunately that's what you have to do with SOAP services... No other way for your application to pick up authentication.

The typical way to do this for services is to have a login API that returns an auth token that you pass with each request.

+++ Rick ---


Hello,

I've got several Visual FoxPro 9 + MS SOAP Toolkit web services in production, and now some folks within the company I work for have become concerned about unauthorized third parties gaining access to those web services to use them for their own purposes. So basically I need a way to secure my existing web services. Can anyone provide some guidance for me on how to do this? I would prefer not to add an API key or password as a parameter for every service call, if possible.

Thanks,

Jon


Rick Strahl
West Wind Technologies

Making waves on the Web
from Hood River

Gravatar is a globally recognized avatar based on your email address. Re: Authentication for VFP Web Service?
  Jon
  Rick Strahl
  May 12, 2015 @ 03:37am
Is there any way to include the token in the SOAP header, rather than making it another parameter that has to be passed with each request? Will the SOAP Toolkit let me do that?

Thanks,

Jon


Unfortunately that's what you have to do with SOAP services... No other way for your application to pick up authentication.

The typical way to do this for services is to have a login API that returns an auth token that you pass with each request.

+++ Rick ---

Gravatar is a globally recognized avatar based on your email address. Re: Authentication for VFP Web Service?
  Jon
  Rick Strahl
  May 12, 2015 @ 05:46am
Anything wrong with using Basic Authentication in IIS, if SSL is turned on? I was reading the MS Soap Toolkit help topic "Securing Web Service Using Various Authentication Methods" and found the following:


In basic authentication, a user is required to provide username and password. IIS authorizes access to the XML web service if the credentials (username and password) provided match a valid user account.

Basic authentication is not secure. It requires users to provide username and password information, and the information is transmitted using simple base64-encoded text that can be easily decoded. But basic authentication along with SSL (as described in the Securing Service by Enabling Connections Through SSL topic) is secure because SSL layer encrypts the data being sent over the connection. Basic authentication is recommended if you want your service to be secure and highly interoperable.

Thanks,

Jon

Gravatar is a globally recognized avatar based on your email address. Re: Authentication for VFP Web Service?
  Rick Strahl
  Jon
  May 12, 2015 @ 10:45am
Yes basic auth would work but you still have to send the data from the client to do the authentication and you have to be able to read that on the server. Depending on how you implemented your SOAP backend that may or may not be easy to do if you actually need to get the authentication information because it's not an HTTP endpoint.

Ah yes SOAP - such a pain in the ass it turned out to be in the end compared to plain old REST service solutions that we build today, huh? ;-)

+++ Rick ---


Anything wrong with using Basic Authentication in IIS, if SSL is turned on? I was reading the MS Soap Toolkit help topic "Securing Web Service Using Various Authentication Methods" and found the following:


In basic authentication, a user is required to provide username and password. IIS authorizes access to the XML web service if the credentials (username and password) provided match a valid user account.

Basic authentication is not secure. It requires users to provide username and password information, and the information is transmitted using simple base64-encoded text that can be easily decoded. But basic authentication along with SSL (as described in the Securing Service by Enabling Connections Through SSL topic) is secure because SSL layer encrypts the data being sent over the connection. Basic authentication is recommended if you want your service to be secure and highly interoperable.

Thanks,

Jon



Rick Strahl
West Wind Technologies

Making waves on the Web
from Maui

Gravatar is a globally recognized avatar based on your email address. Re: Authentication for VFP Web Service?
  Jon
  Jon
  Feb 14, 2019 @ 10:57am

I know this is an older thread, but I recently had to revisit this topic and found a way to access the SOAP header (on the server side) from my VFP/SOAP Toolkit web service by creating a custom header handler:

https://www.levelextreme.com/ShowHeaderArticleOneItem.aspx?ID=39203

I had to make a couple of slight changes due to differences between the last version of the SOAP Toolkit 3.0 and version 2.0, which was used in the article. I thought I would post this here in case anyone else out there needs to do something similar, since it was such a struggle for me to find this information.

Gravatar is a globally recognized avatar based on your email address. Re: Authentication for VFP Web Service?
  Rick Strahl
  Jon
  Feb 14, 2019 @ 11:50am

Sure post it here if you like. It'll be easier to find here than anything on the UT via search engine 😃

There are still lots of people asking about the SOAP Toolkit, but seriously I would not recommend using that for anything at this point. Even v3 was hopelessly out of date with SOAP spec issues and even without those it's always been such a pain in the ass to use it especially if you have complex types you need to pick up (which these days dealing with SOAP is just about ANY service).

Personally, I would recommend to go the .NET route, create a .NET Proxy and call that proxy from Foxpro. That way you have a current and up to date SOAP client and a real structure that can deal with deep object graphs as well as all the SOAP add-ons like headers relatively easily. The .NET client is the only actively developed SOAP client left for Win32 apps that I know of.

Take a look here:

Creating and Consuming SOAP FoxPro Web Services

Check the second part of the article that talks about creating a .NET Proxy and consuming it in FoxPro.

And there's also the West Wind Web Service Proxy Generator which basically abstracts that process so you don't have to .NET to set up the the proxy.

West Wind Web Service Proxy Generator

Hope this helps,

+++ Rick ---

Gravatar is a globally recognized avatar based on your email address. Re: Authentication for VFP Web Service?
  Jon
  Rick Strahl
  Feb 14, 2019 @ 12:23pm

Hi Rick,

Yeah, I never use the SOAP Toolkit as a SOAP client for calling web services anymore, but I still have VFP/SOAP Toolkit web services deployed and out in the wild for many of my customers, and unfortunately they are complex enough that rewriting them or swapping out the SOAP Toolkit for .Net doesn't make much sense when they still work just fine. In this case, I just needed to be able to intercept and use the SOAP header on the server side from my VFP code, and this did the trick.

Jon

© 1996-2019