April 26, 2007

Using secure WebServices

One of my projects these days is developing a WinForms application that talks to a server via web services. Pretty standard stuff.

I finally got to the "Secure web services" task. No problem, also pretty standard stuff. And it is...if you can find the info.

First step: Secure your web service with an SSL certificate. If you are developing on Vista and using IIS7 -- congratulations, you get this for half price. Go see ScottGu's article titled: Tip/Trick: Enabling SSL on IIS 7.0 Using Self-Signed Certificates

5 minutes later -- step one complete.

Step two: check my application to see if everything still works.

5 minutes later -- utter failure!

The app blows up all over the place. I act like this is unexpected, but it isn't. You can't make a change like that without a few casualties. When you sign onto a web site with a certificate you are usually asked if it is OK to accept said certificate. But I aint writing a web browser, I just want to accept the certificate (if there is one) OK Google, don't fail me now...

Anyway, after some searching I found a nice post by some guy named Jan at http://weblogs.asp.net/jan/archive/2003/12/04/41154.aspx
where he talks about the problem.

I go to implement it and find out the method calls he is using are obsolete as of .Net 2.0.
The old method to use was System.Net.ServicePointManager.CertificatePolicy.
The new method to use is System.Net.ServicePointManager.ServerCertificateValidationCallback

By the time I had found that I had, once again, given up on Google and gone straight to MSDN Forums. Actually, I was using MSDN's search feature -- but luckily it also searches the forums.

So anyway, if you are looking to accept a cert on your client app here is some code for you.

// add this to your code before you make your web service call.
System.Net.ServicePointManager.ServerCertificateValidationCallback +=
delegate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors sslError)
{
bool validationResult = true;
return validationResult;
};

BTW, has everyone noticed that you can now add information to MSDN? Very cool. I added this code snippet to the MSDN documentation -- just in case they don't read my blog.


kick it on DotNetKicks.com
Posted by at
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)