Mike P #1
Enabling HTTP Post to invoke web services
I am calling a .Net web service from a traditional ASP page. I am using the
ServerXMLHttp object. For example:
sWebSvcUrl = "http://.....asmx"
Set oSXH = Server.CreateObject("MSXML2.ServerXMLHTTP.4.0")
oSXH.open "POST", sWebSvcUrl, False,"userid","password"
' Indicate that the body of the request contains form data
oSXH.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
' URL-encode the value so "&", "+" and "%" inside the XML survive as form data
sParam = "xmlString=" & Server.URLEncode(sXML)
Call oSXH.send(sParam)
Since HTTP Posts and HTTP Gets are disabled by default in the .Net Framework
1.1, I added these lines to the web.config file to enable them.
<webServices>
  <protocols>
    <add name="HttpGet"/>
    <add name="HttpPost"/>
  </protocols>
</webServices>
This article explains what this is about:
http://support.microsoft.com/default.aspx?scid=kb;en-us;819267
The issue is, I am getting some resistance from our web operations folks
about enabling HTTP Posts and HTTP Gets and pushing this code to production.
Some feel that I should not be invoking web services this way because
Microsoft disabled them by default. They say, what if this goes to
production and, in the next version of the .NET Framework, Microsoft disables
HTTP Posts with no overrides. And also, some are concerned about the
security reasons that caused Microsoft to disable HTTP Posts and HTTP Gets.
My question is.... Does anyone see any issues with what I am trying to do?
I tried to use the Soap Toolkit, but since the authentication mode for the
web services I need to call is set to Windows Authentication, I can't get it
to work without some work around.
I also want to point out that the traditional ASP webs that I am calling
these .Net web services from will probably be converted to ASP.NET sometime
next year.
Thanks in advance for your comments,
--
Mike P
Mike P Guest
-
[MSFT] #2
RE: Enabling HTTP Post to invoke web services
Hello Mike,
Yes, it is recommended to disable httpget and httppost for security issues.
You may refer to this article for details:
http://www.xent.com/pipermail/fork/2002-March/009999.html
Based on my experience, Soap Toolkit can work with windows authenticated
web service. You need to have your ASP application run under a domain
account with enough permission. Anyway, I think the best solution is to
migrate to ASP.NET.
Luke
[MSFT] Guest
-
Mike P #3
RE: Enabling HTTP Post to invoke web services
Thanks for your response Luke.
We will be migrating this application to ASP.NET sometime next year. In the
meantime, we have new third-party applications that this web needs to
communicate with.
Would the fact that the web service's authentication mode is set to Windows
Authentication mitigate the security concern? So to use the web service, I
have to pass in the network credentials in the open method of the
ServerXMLHTTP object. For example,
Set oSXH = Server.CreateObject("MSXML2.ServerXMLHTTP.4.0")
oSXH.open "POST", sWebSvcUrl, False,"WebSvcUser","password"
On our network, we have to authenticate whenever we get redirected to
another server. For example, if I leave out the username and password
parameters, I get an error.
I am using a POST, so I could disable HTTP GET, and according to the article
you reference, "the case for HTTP-POST is a little more complex".
The examples in the article would not be successful because on the POST to
the web service, there will be a challenge before the web service will
execute. Am I wrong?
--
Mike
"[MSFT]" wrote:
> Hello Mike,
>
> Yes, it is recommended to disable httpget and httppost for security issues.
> You may refer to this article for details:
>
> http://www.xent.com/pipermail/fork/2002-March/009999.html
>
> Based on my experience, Soap Toolkit can work with windows authenticated
> web service. You need to have your ASP application run under a domain
> account with enough permission. Anyway, I think the best solution is to
> migrate to ASP.NET.
>
> Luke
Mike P Guest
-
[MSFT] #4
RE: Enabling HTTP Post to invoke web services
Hi Mike,
The parameters UserName and Password of the Open method are optional. When they
are not set, it will use the current user's credential. There is still some
risk here. Therefore, I think it is still less of a good reason to persuade your
operations folks, since Http-Post and Http-Get are known as not safe. Why
not the SOAP Toolkit? It is recommended for an ASP or VB 6.0 application.
Luke
[MSFT] Guest
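
Added example, not part of any post in this thread: sending a SOAP 1.1 envelope through the same ServerXMLHTTP object goes over the HttpSoap protocol, which .NET Framework 1.1 leaves enabled by default, so the HttpGet and HttpPost entries in web.config are not needed. The URL, the ProcessXml method name, the http://tempuri.org/ namespace and the SOAPAction value are assumptions; the real values come from the service's WSDL.

```vbscript
' Added example. Hypothetical values: the URL, method name, namespace and
' SOAPAction below. Take the real ones from the service's WSDL.
Const WEBSVC_URL = "https://webservices.example/Service.asmx"
Const WEBSVC_NS = "http://tempuri.org/"
Const WEBSVC_METHOD = "ProcessXml"
Const WEBSVC_ACTION = "http://tempuri.org/ProcessXml"

' Escape text so it can be carried as the string value of an XML element.
' ByVal keeps the caller's copy of the string unchanged.
Function XmlEscape(ByVal s)
    s = Replace(s, "&", "&amp;")
    s = Replace(s, "<", "&lt;")
    s = Replace(s, ">", "&gt;")
    XmlEscape = s
End Function

' Build a SOAP 1.1 envelope that carries the xmlString parameter.
Function BuildEnvelope(ByVal sXML)
    BuildEnvelope = _
        "<soap:Envelope xmlns:soap=""http://schemas.xmlsoap.org/soap/envelope/"">" & _
        "<soap:Body>" & _
        "<" & WEBSVC_METHOD & " xmlns=""" & WEBSVC_NS & """>" & _
        "<xmlString>" & XmlEscape(sXML) & "</xmlString>" & _
        "</" & WEBSVC_METHOD & ">" & _
        "</soap:Body></soap:Envelope>"
End Function

' POST the envelope with explicit credentials and return the raw SOAP response.
Function CallService(ByVal sXML, ByVal sUser, ByVal sPassword)
    Dim oSXH
    Set oSXH = Server.CreateObject("MSXML2.ServerXMLHTTP.4.0")
    oSXH.open "POST", WEBSVC_URL, False, sUser, sPassword
    oSXH.setRequestHeader "Content-Type", "text/xml; charset=utf-8"
    ' The SOAPAction value is sent as a quoted string
    oSXH.setRequestHeader "SOAPAction", """" & WEBSVC_ACTION & """"
    oSXH.send BuildEnvelope(sXML)
    ' A SOAP fault comes back as HTTP 500, so anything but 200 is an error
    If oSXH.status <> 200 Then
        Err.Raise vbObjectError + 1, "CallService", _
            "HTTP " & oSXH.status & " " & oSXH.statusText
    End If
    CallService = oSXH.responseText
    Set oSXH = Nothing
End Function
```

The SOAP response wraps the result in a ProcessXmlResponse element, so the caller loads the returned text into an MSXML DOM document to read it.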




