I have built an ERP for a small company using MS-Access (front end) and SQL Server 2008 R2 as the database. Now one of their clients is implementing "SAP Business One" and I am asked to provide a web service for that SAP to query our database for stock availability.
I don't really know where to start. I have seen there are native web services in SQL Server, but MS seems to discontinue that.
From what I have googled, I understand that REST is not appropriate, because we want the service to be restricted to identified clients, so we would have to go for SOA and WCF?
Is that correct or stupid?
I am looking for links / books, or very simple code samples (if that exists).
I have already found Good starting point for learning to create ASP.NET SOAP web services and https://stackoverflow.com/q/296040/78522.
Any suggestion welcome, thanks.
Edit: just for the info: I have found these 2 links quite useful, especially the 1st one, which is really "quick and practical", ideal for a total newbie in the field.
on w3schools.com
on siteduzero.com (in French)
Windows Communication Foundation
Windows Communication Foundation Walkthrough
https://stackoverflow.com/questions/386801/wcf-book-recommendations
I understand that REST is not appropriate, because we want the service to be restricted to identified clients.
This is not correct. REST services can have security, and most of them that I'm aware of do. The common ways to do this are:
Use HTTP authentication (basic or digest). Most languages will already have libraries to handle this for you.
Define some other way of logging in. Some REST services accept a username and password and return a cookie. Some use OAuth. Twitter is a good example of this.
Don't use login at all, just validate that the client has some sort of token or password (probably sent as a cookie).
Use any other form of security that works over HTTP.
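An added example, not part of the original answer: the first option above (HTTP Basic authentication) applied to the stock-availability service from the question, written in Python to stay independent of any web framework. The client id `sap-b1`, the password, the item codes and the function names are constructed for illustration, and the service is assumed to be reachable over HTTPS only.

```python
import base64
import hashlib
import hmac

def _derive(password, salt):
    """Slow salted hash, so the server never stores client passwords in plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Constructed sample data: one identified client and a tiny stock table.
CLIENTS = {"sap-b1": (b"constructed-salt-1",
                      _derive("constructed-password", b"constructed-salt-1"))}
_DUMMY = (b"constructed-salt-0", _derive("unused", b"constructed-salt-0"))
STOCK = {"ITEM-001": 42, "ITEM-002": 0}

def authenticate(authorization_header):
    """Return the client id for a valid 'Basic' header, otherwise None."""
    if not authorization_header:
        return None
    scheme, _, payload = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bytes that are not UTF-8
        return None
    client_id, sep, password = decoded.partition(":")
    if not sep:
        return None
    # Hash and compare even for unknown ids, so timing does not reveal
    # which client ids exist; compare_digest is constant-time.
    salt, expected = CLIENTS.get(client_id, _DUMMY)
    matches = hmac.compare_digest(_derive(password, salt), expected)
    return client_id if matches and client_id in CLIENTS else None

def get_stock(headers, item_code):
    """Handle GET /stock/<item_code>; returns (status, response headers, body)."""
    client = authenticate(headers.get("Authorization"))
    if client is None:
        challenge = {"WWW-Authenticate": 'Basic realm="stock"'}
        return 401, challenge, {"error": "unauthorized"}
    if item_code not in STOCK:
        return 404, {}, {"error": "unknown item"}
    return 200, {}, {"item": item_code, "available": STOCK[item_code]}
```

Basic authentication sends the password with every request, so it only identifies the client reliably when the transport is encrypted.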
I've been trying for a while to call an existing SOAP web service from InTouch Wonderware or MS SQL 2014. It doesn't matter which of the two calls it, as the Wonderware project reads/writes to the SQL Server database anyway.
My knowledge is mostly limited to Wonderware and its in-program options to access the SQL Server database, which doesn't work well with the usual guides on the web service topic.
The web service is provided by the customer, over a decade old and outsourced, which rules out any changes to it. The goal is to request raw material data from the web service by ID, and later returning the produced material data. The parameters of each function are documented, but the only existing URL requires username/password and directly shows the content of the WSDL file. That file (when saved locally) works on SoapUI, and test cases deliver the required results.
My problem is the first step - connecting to the web service and sending/receiving the messages. WebSVC (the InTouch web service client) cannot handle the basic authentication, even failing to connect when including username and password in the link (which works in any browser). Guides on that topic are often outdated, or don't match the problem at hand.
As my knowledge of databases and web programming is limited, how can I use the web service (in a preferably uncomplicated way)? Performance doesn't matter - the database handles less than 10 requests per minute on average, and delays don't disrupt anything essential.
To quote Jeroen Mostert's comment: "if you're on Windows, PowerShell's New-WebServiceProxy allows you to wire up SOAP services quite easily, and inserting things into SQL Server from it is equally simple (Invoke-Sqlcmd)."
This approach works. To sum up the steps until I got an answer from the web service:
Upgrade to PowerShell 5.1 (Win7 VM didn't have it)
Set up WebServiceProxy by Microsoft guide
Add credentials, attributes and test method by external guide, solving the authentication issue and getting the required input format
We're developing a cloud based web application for customer management. One of the main goals is the capability to connect to different local applications on the customer endpoint.
As an example, we don't want to have a customer database in our application, the customer should be able to search within his local ERP system right away.
What we need is not much. Only a client on the customer's server with access to the local SQL server as well as the COM model.
But as web developers and mainly going with PHP the question came up, what technology we should use?
I've got two approaches in mind:
NodeJS
Lightweight, Javascript and with the Express and winole32 extension we should have everything we need. But the deployment and installation as a service seems to be a bit wacky.
C# .Net Web API
Also a good approach I guess since the client servers are always Windows. But is there a way without IIS?
Or do you have something completely different in mind? It should be very fast and compact. So it's basically just a REST service that can be deployed with ease.
Thanks for your inputs and thoughts.
C# .Net Web API Also a good approach I guess since the client servers are always Windows. But is there a way without IIS
It is called OWIN and it is properly documented (web api self host is a good keyword) and works like a charm. Using that on various services to expose an API into the service.
Similar questions have been asked before, but this one is a little different. I created a REST API to send an XML document with `POST`. I send data from my (Windows) application to the servers, which includes: open time, operating system, version, etc.
I have one problem though. How can I make sure people can't use the REST API? How do I know that the information sent to the server is from an application and not from someone who knows the URL? How do analytic software companies solve this problem?
Thank you.
Update
I would like users to use my application without having to log in. I am pretty sure that companies that create apps that do not force you to log in are able to see whatever you are doing.
Well there are several ways to secure your service.
You can always setup authentication & authorization for the service - this way the service will be available only to registered/known users.
Here are a few links for more details:
Best Practices for securing a REST API / web service
http://www.stormpath.com/blog/secure-your-rest-api-right-way
Also there are less sophisticated ways such as setting firewall rules to allow connections only from certain places -- I don't think it is a recommended approach.
I've created an angularjs app which uses php for handling the database queries and enforcing an authentication schema.
When the user logs into the app, he does so in php and php fetches the user data into a session. Then angularjs issues a http post request to a php page to read the fetched data.
After that, whenever a user asks for data, angular issues a post to a php page.
I'm considering using a framework for doing the authentication and the database queries in a better way. My security knowledge is primitive and I fear that I have mistakes in my code.
After doing some research I found laravel which seems straightforward and easy.
Now my questions are:
Can a php framework such as laravel do these things for me?
Is there something else I could use to have people authenticate and making sure that they are doing the CRUD operations they are authorized to do?
What are the keywords I'm searching about, is it routing, is it php restful? I'm asking in order to do further research on the matter.
Is there any other way in which a SPA could work with CRUD operations and Authenticating in a "safe" manner using php?
I know that the above questions are not programming questions per se, but I don't know where to ask (because I feel I cannot communicate what I want to learn about; that's why the keywords question above).
Thank you
There are basically two kinds of relevant "routing", both based on URLs, either client side or server side. AngularJS has the $routeProvider which you can configure so when the location changes (handled by $location) the client side template and controller being used also change. On the server side you may have redirects or "routes" that map a URL to a particular PHP file (or Java method) where at the destination it parses the incoming URL to get extra information/parameters.
I know nothing about laravel, but googling laravel and authentication came back with this which looks promising:
http://bundles.laravel.com/category/authentication
I also know things like Zend framework provide many similar options for plugging in some authentication code.
Ultimately if you're writing the CRUD operations something in your code is going to have to deal with the role based execution of code or access to data.
RESTful is its own thing. At a very basic level a RESTful interface uses HTTP "verbs/vocabulary" like PUT, POST, DELETE, GET (part of the request headers which is just data that comes before any body data in the request), which are given special meaning, like update an entry, etc. It's mostly orthogonal to the issue of authentication though if you do true REST I'm not sure if using the SESSION for maintaining authentication would be allowed since it's not completely stateless in that case (anyhow just an academic argument). Point being you can use the other ideas of REST or use some implementation that is "RESTful" and it can be written in any language or you can choose not to do this, either way you still have the issue of controlling resources (functions/methods/data) that you want to control and this issue is not the same as choosing RESTful or not RESTful (if you wanted to keep true to REST for reasons of scalability across a cluster of servers etc. you could follow guidance here How do I authenticate user in REST web service?). Also to note here the $resource in AngularJS provides an abstraction above $http specifically for handling restful services.
IMHO you should be searching for two things
1 php security/authentication
2 php hacking/hacks/vulnerabilities
You can simply write your own authentication mechanism using a session to keep track of the signed in user. http://php.net/manual/en/features.sessions.php There is no difference in a SPA vs a traditional web app as far as the server is concerned, these are simply differences in the client side code.
Any security you intend on putting in place is really only as good as your understanding of that security. I wouldn't trust someone else's plugin from the internet to handle authentication for me unless time was an extremely critical factor and security not so much. One thing that you hadn't mentioned but I think is worth looking into and necessary for any of this to really be secure is SSL. If you don't have your data encrypted there is always a possibility of a man in the middle attack (someone getting the plaintext username and password as they're submitted to the database) or session hijacking (someone getting the sessionid of an active session then using that to act as the original user). Basically I would suggest you keep doing research regarding best practices and personally look over any code you plan to use to be sure you understand how it's working and what kind of security it provides you with.
I also wanted to mention, though it's a bit off topic languages wise, that Java Spring has some really nice stuff for dealing with authentication and handling access to services and data. If security is a major concern I would probably strongly consider running a Java server (not to say Java has never had its issues or that it's automatically more secure but there's a lot of production code that has withstood the test of time). There's the free Tomcat J2EE Server or IBM WebSphere if you need to massively distribute an application. If interested search for Java, Spring, Hibernate (ORM), MyBatis, Data Access Objects. Those are all the parts (some optional) I can think of you would need to put together a service layer in Java. Good intro in the video on the left of this page:
http://static.springsource.org/spring-security/site/index.html
Also SSL isn't a silver bullet, but every layer of security helps.
Kevin Mitnick said in one of his books that lots of places have "hard-shell candy security" (paraphrasing) where breaking the outer layer means you get to all the mushy goodness inside. Any direct answer I would bank will result in this type of security.
Depending on the scope of the project it might be necessary to have security professionals do penetration testing on the system to determine if there are vulnerabilities so they can be plugged.
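An added example, not part of the original answers: the session-based login and the role-based access to CRUD operations described above, decided on the server for every request regardless of what the single-page client displays. The role names, the `orders` and `users` resources and the function names are assumptions; it is written in Python only to stay framework-neutral, and the same checks apply in PHP.

```python
import secrets
import time

SESSION_TTL = 1800  # seconds a session stays valid (assumed value)

# Assumed role model: which HTTP verbs each role may use on each resource.
PERMISSIONS = {
    "viewer": {"orders": {"GET"}},
    "clerk": {"orders": {"GET", "POST", "PUT"}},
    "admin": {"orders": {"GET", "POST", "PUT", "DELETE"},
              "users": {"GET", "POST", "PUT", "DELETE"}},
}
_sessions = {}  # session id -> (user, role, expiry timestamp)

def login(user, role, now=None):
    """Call only after the password check succeeded; returns (sid, cookie)."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # unguessable session id
    _sessions[sid] = (user, role, now + SESSION_TTL)
    # Secure: sent over HTTPS only. HttpOnly: not readable from page scripts.
    cookie = f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"
    return sid, cookie

def authorize(sid, method, resource, now=None):
    """Return (status, user): 401 without a valid session, 403 when the
    role lacks the verb on that resource, 200 when the request may proceed."""
    now = time.time() if now is None else now
    session = _sessions.get(sid)
    if session is None:
        return 401, None
    user, role, expiry = session
    if now >= expiry:
        del _sessions[sid]  # expired ids must not become usable again
        return 401, None
    allowed = PERMISSIONS.get(role, {}).get(resource, set())
    if method.upper() not in allowed:
        return 403, user
    return 200, user
```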
I have a Silverlight application that needs to retrieve some data from my database. This data is sensitive. Because of this, I only want my Silverlight application to be able to access the data. How do I ensure that only my applications can access the services that expose this data? Is there a way that I can validate a client attempting to retrieve the data?
Thank you!
These might be of interest:
Using ASP.NET Secure Services and Applications Services
Build Line-Of-Business Enterprise Apps With Silverlight, Part 2
MS Whitepaper: Security Guidance for Writing and Deploying Silverlight Applications
Well, everything your SL application does could be spoofed. So the direct answer is NO, you cannot ensure that only your application will access the data.
But there are a number of options. For example you can implement authorization and then authenticate your user. In this way you can ensure that only users you trust access the data.
Another option is to make spoofing harder. For example you can include some sort of "secret" token in all your requests. So another application will need to steal this token. This is harder to achieve.
I think this question is more pertaining to implementing a web service or wcf service with authentication and authorization. If your service takes care of it, then you can be ensured about your data. Your Silverlight app is just calling the service.
Whoever downloads the xap can decompress and reverse engineer your code, so your best bet is to build a web service as others suggested. Silverlight Ria ships with a full blown authentication membership that you can leverage.