
In my Sencha Touch app, I use a .NET web service to get data in XML format. I call it using Ext.Ajax.request as below:

var frmurl = 'http://Server/sencha/WS/web.asmx/GetData';
Ext.Ajax.request({
    url: frmurl,
    method: 'POST',
    params: {
        whereCondition: WhereCond,
        ReportName: rptname
    },
    // Pass the XML returned by the web service to the report renderer
    success: function (Response) {
        renderReport(Response.responseText, '1');
    },
    // Ext.Msg.alert takes a title and a message
    failure: function (Response, request) {
        Ext.Msg.alert('Error', 'Unable to load data');
    }
});

It's working fine and giving me the correct result, but I need to add the below tag in web.config to make it work:

<webServices>
  <protocols>
    <add name="HttpGet"/>
    <add name="HttpPost"/>
  </protocols>
</webServices>

But due to this anyone can invoke web methods, which is a major security issue. If I remove these tags then I am unable to call the web service and it gives an internal server error.

Please help me. Thanks.

Sagar Modi
  • You've not mentioned what authentication methods (if any) you've implemented. If you're not using anything to secure the WS end point, then by definition it'll be able to be called by anyone who knows the URI. – Tr1stan May 11 '12 at 09:19
  • Anyone can call the WS only when HTTP GET and HTTP POST are both enabled in web.config, because by default HTTP GET and HTTP POST are both disabled, and hence on a remote computer the invoke button wouldn't be there. My problem is that I need to enable this in my web.config, which I don't want to do – Sagar Modi May 11 '12 at 09:38

1 Answer

What you're finding is that you need to enable at least one "protocol" in order for a client system to communicate with your Web Service, so you could enable HttpSoap if your client device supported SOAP or enable HttpPostLocalhost if your client and server were always on the same machine (which yours won't be as you're clearly building a mobile site).

However, what you've also discovered is that Web Services by their very definition can be accessible by anyone when they are published, unless you set up some kind of authentication, or restrict access to the Web Service by some other means, like restricting by IP address etc.

You might not know it yet, but this question/answer is similar to yours and should help you come to a fairly standard way of achieving what you're after.

Tr1stan
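
One way to combine the two points in the answer (enable only the protocol the client needs, and require authentication), shown as an added example that is not from the original question or answer. It assumes the service lives at WS/web.asmx under the application root, that the app signs in through a hypothetical ~/login.aspx page before calling the service, and that the Sencha Touch pages are served from the same site so the authentication cookie is sent with the Ajax request.

```xml
<!-- Added example: root web.config of the application.
     The path WS/web.asmx and the login page ~/login.aspx are assumptions. -->
<configuration>
  <system.web>
    <!-- The authentication mode can only be declared at application level. -->
    <authentication mode="Forms">
      <forms loginUrl="~/login.aspx" timeout="20" />
    </authentication>
  </system.web>

  <!-- Scope the protocol change to this one service instead of the whole site. -->
  <location path="WS/web.asmx">
    <system.web>
      <webServices>
        <protocols>
          <!-- The client only sends POST requests, so HttpGet stays disabled. -->
          <add name="HttpPost" />
          <!-- Turn off the auto-generated help page with its Invoke button. -->
          <remove name="Documentation" />
        </protocols>
      </webServices>
      <authorization>
        <!-- "?" means anonymous users: requests without a valid
             authentication cookie are redirected to the login page
             instead of reaching the web method. -->
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place the protocol setting no longer decides who may call GetData; the authorization rule does, and the Ajax call in the question keeps working for a signed-in user.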