I had an email today from someone asking this question. They have a web service and a client app that use WSE2 to encrypt, sign and otherwise secure their data.
However, they were able to open up the asmx file, the operation and look at raw xml data in a web browser over the web. No authentication, no encryption, no signing. I could see it, too!
What a nightmare after all of the work to secure this data.
The reason for this problem was another case of debugging tools getting deployed to the production web server. Something I tend to rant about occasionally.
In order to browse from their development machine to the web service on a remote web server, they had added
and left them in the web.config when it was deployed to the server.
I was able to guess this pretty quickly since I once learned this the hard way, too. Sadly most of our best lessons are the ones that leave bruises.
See my speaking schedule for more events
User Group Leader
Hosted by:
Powered by: newtelligence dasBlog 2.0.7226.0
Disclaimer The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.
© Copyright 2008, Julie Lerman
E-mail
E-mail