.NET Tutorials, Forums, Interview Questions And Answers
Welcome :Guest
Sign In
Win Surprise Gifts!!!

Top 5 Contributors of the Month
david stephan
Gaurav Pal
Post New Web Links

public web methods...how to make private? Security question

Posted By:      Posted Date: September 19, 2010    Points: 0   Category :WCF

I understand how to set security for a ASP.NET web page, how to encrypt a Silverlight page, and a WCF application, but my question goes to this:  given a web method, which by definition must be public, how do you keep people from accessing it outside of your client program?

If your program (client) is the only way to access this web method, then there's no problem.  But it is impossible to make a web method private--it won't compile--so how to keep people from using it?  The only thing I can think of is that if you call your web method by an obscure sounding name, it's likely nobody will guess the URL, and if you set your server so it cannot be searched (dir *.*) by the public, it's unlikely anybody will ever guess the name of the web method.  But this is hardly 100% secure.  And what if you call your web method "DoWork", which is the default OperationContract name in Visual Studio?

What am I missing?



//what I have in mind

public interface IService1
        string DoWork();


public string DoWork()
//secret stuff in here
string SecretStuff = "S

View Complete Post

More Related Resource Links

Matching C# methods with a pattern finding the Public, Private, etc modifiers and balancing the curl


Hello all,

For a large conversion project, we need to match certain key words within C# methods and remove the entire method if found. I know .Net has a feature that allows balanced matching on the curly braces, but I am not sure how to implement it.

In a two step process, you could match the modifiers Public, Private, etc and their balanced curly braces to identify the methods and then remove those that contained the key words. In a one step process, I think you could use a positive lookahead for the key words as well.

Could someone help me with the pattern that has the balanced curly brace logic with the modifiers to identify the methods? Thanks in advance for any ideas and/or suggestions.


Have a great day!

Security Question Answer Retrieval


I know there is a method built in for retrieving the encrypted password, but how do I retrieve the encrypted security answer?

What I want to do is have a member profile update screen that the end user can update their password and security question and answer. However, when they get to this page, I want to already be showing the security question (the easy part) and its answer (the not so easy part).

I have updated web.config with passwordFormat=Encrypted and have added a machineKey with the generator (forgot the link, but located on eggheadcafe somewhere).

I haven't done ANYTHING yet, since I already have a user store with hashed information. I wanted to get some functionality done before publishing, wiping the store and recreating users (only a couple developers).


WS-Security: New Technologies Help You Make Your Web Services More Secure


Without good security, Web Services will never reach their potential. WS-Security and its associated technologies, the focus of this article, represent the future of security for Web Services. Provided here is an overview of these emerging security standards that explains what they do, how they work, and how they get along together. Topics discussed include integrity and confidentiality and how these are provided by public key cryptography, WS-Security, and more. Some of the key components of WS-Security, such as the wsu namespace, are also covered.

David Chappell

MSDN Magazine April 2003

Security: Protect Private Data with the Cryptography Namespaces of the .NET Framework


The .NET Framework includes a set of cryptographic services that extend the services provided by Windows through the Crypto API. In this article, the author explores the System.Security.Cryptography namespace and the programming model used to apply cryptographic transformations. He discusses reasons why cryptography is easier in .NET than it was before, including the easy programmatic acccess developers have to the cryptography APIs and the difference between symmetric and asymmetric algorithms. Along the way, a brief discussion of the most widely used algorithms, including RSA, DSA, Rijndael, SHA, and other hash algorithms, is provided.

Dan Fox

MSDN Magazine June 2002

.NET Web Services: Web Methods Make it Easy to Publish Your App's Interface over the Internet


Web Services are a great way to accept and manage contributions to a public clip art library, digital music catalog, or corporate knowledge base. Since the SOAP interface to a Web method operates over HTTP, contributors can easily publish content any time, from anywhere across the Internet. However, accepting binary content and managing content metadata through SOAP over HTTP presents Web Service developers with some interesting design decisions. This article discusses three ways to enable content publishing using Web methods.

Paula Paul

MSDN Magazine March 2002

Certificate API question - Private Key.

I am trying to follow http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.aspx but I am finding that the Private Key property of the certificate is always null. I created the certificate with makecert -pe -n "CN=BuySeasonsThirdParty" -r -b 08/26/2010 -e 08/26/2011 -sky exchange Amazon.cer. Then installing it on the local user store using: X509Store store = new X509Store(storeName, StoreLocation.CurrentUser); and using the same API to get the certificate from the store. The certificate that I retrieve from the store is non-null it is just the PrivateKey is null. So I can encrypt using something like: ((RSACryptoServiceProvider)cert.PublicKey.Key).Encrypt(Encoding.Unicode.GetBytes(text), true)   But since the Private Key property is NULL I cannot decrypt. Any ideas? Kevin

Private Security Model Integration

Does anyone have any recommendations on tieing the Microsoft AS security model in with an independent security model. We are at the beginning process to discuss this with a very large international partner and are looking for recommendations form anyone who has done this before. Thanks in advance Alan

Question about URL security

Hi I'm creating a website where I want people not to be able to create link to certain pages. The site work like this: The user do a serch for a document and click the link to view it, then he can view the document. If the user somehow adds the URL to favorites he should not be able to view the document when he at some time later tries to view the document. In addition if the user sends the URL to other people they should not be able to view the document. Any suggestions how to implement this?  

Public Variable Creation Question

Hello, I was wondering if there is a way to declare a variable that can be used throughout a page, rather than just in a sub, er private class.  I'm in a situation where I can use session("variable") to set a session variable, but in order to access that I have to trigger a postback. 

Cannot access public methods on MasterPage

Hi All, maybe someone can help me with this one. I have a a public method in my code behind on the site.master pagenamespace PROJECT { public partial class Site : System.Web.UI.MasterPage { protected void Page_Load(object sender, EventArgs e) { } public void applyUserRole(string userID) { } } } I  wish to call applyUserRole() from Default.aspx On Default.aspx I have .. <%@ Page Language="C#" MasterPageFile="Site.Master" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" Title="Project- Home" %> <%@ MasterType virtualPath="~/Site.master" %> But when I go to Default.aspx.cs and type Master. the method is not appearing. I've seen other post where people are having this issue but I can't find an answer. If anyone has any good pointer and you please let me know, thanks 

Question about RSA Decrypt using private key

Hello,      I am doing a project to communiate with a bank. I send a message which was sign by my private key to the bank and get a response from the bank. The message like below: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iR0JLIj8+CjxtZXNzYWdlIG1ldGhvZD0iZXJyb3IiIHR5cGU9InJlc3BvbnNlIj4KICAgIDxkYXRlPjIwMTAwNTI4PC9kYXRlPgogICAgPHRpbWU+MTEwMzQ1PC90aW1lPgogICAgPHJldENvZGU+QVVUSDBFSTwvcmV0Q29kZT4KICAgIDxjb21tZW50UmVzPuacquW8gOWNoTwvY29tbWVudFJlcz4KPC9tZXNzYWdlPgo= Then I try to decrypt the message. The code like below:        public static string ParsePayment(HttpRequest request)     {         string CertificatePW = "123456";         string prikey_path = HttpContext.Current.Server.MapPath("~/App_Data") + "\\certificate\\test.pfx";         return CerRSADecrypt(Convert.FromBase64String(aa), prikey_path, CertificatePW);          }         public static string CerRSADecrypt(byte[] DataToDecrypt, string prikey_path, string CertificatePW)     {                        &nbs

How to Import a Public/Private key pair into RSA Key Container

Hi,I am trying to build a RSA decryption application with .NET(windows application). I have had my public / private keys used in existing applications, and want to reuse them. The question is how I can import them into a RSA Key Container (used in RSACryptoServiceProvider), or is there any other way that can re-use these keys?Thank you in advance,Junbin

RSA Private/Public key

I have an web application that encrypts data using a public and sent it to another web application. Which will then decrypt the data using a the user private key.My question is, since but the Private and Public key are generated in the first application. how does the other application get the private?Thanks!

save reports in Private and Public folder using Report Builder 2.0




I have a report builder built on RB2.0. Users are able to create their reports and browse them.

Now, Users wants these reports to be saved in their Private folder and public folder.


Also, I have a UI developed in .Net 3.5 from where I am calling this report builder.  In the UI, I need to show the users those reports that they have created in a drop down list. And when the user clicks on any report (that they created should) open.


I have searched a lot but not getting any clue how to allow the business user to save a report

security question about dynamic data


apologies if this has been answered before.

it seems that the scaffolding that generates the list, edit, details apsx pages uses querystrings to pass the primary key for the relevant record. thus is i have a list.aspx showing me a grid of records, the edit hyperlink will be something like http://../tblTable/edit.aspx?ID=n where n is the key of the record to edit.

however, obviously this is not secure for a multi-user site as someone else with a valid login could potentially see records which they shouldnt simply by trying different "ID=n" values?

is there a way to change this behaviour in a Dynamic Data site or will i have to manually code to ensure a user only see records intended for them?

any help is gratefully appreciated



Using Sharepoint 2003 - Data Security Question

We need to limit visibility of data in a datasheet to users based on their ID, NOT on who created or loaded the data.  If this is possible, how do we accomplish this?

question about multi user website and security



i am developing a multi-user website using Dynamic Data and wondered if someone could answer the following or provide advice:

what is the best way of protecting data so someone (who has a login to the site) cannot see records intended ONLY to be viewable by another valid user?

as far as i can see a user can simply tamper with querystring or url values (if using routing) and bring up the details of records they should not.


any help qould be gratefully appreciated. i am drawing a blank so far and the easiest option may be to back to a traditional asp.net site where i can control things simply by use of a Session variable (UserID)



ASP.NetWindows Application  .NET Framework  C#  VB.Net  ADO.Net  
Sql Server  SharePoint  Silverlight  Others  All   

Hall of Fame    Twitter   Terms of Service    Privacy Policy    Contact Us    Archives   Tell A Friend