I am architecting a project which uses jQuery to communicate with a single web service hosted inside sharepoint (this point is possibly moot but I include it for background, and to emphasize that session state is not good in a multiple front end environment).
The web services are ASP.Net ASMX services which return a JSON model, which is then mapped to the UI using Knockout. To save the form, the converse is true – JSON model is sent back to the service and persisted.
The client has unveiled a requirement for confidentiality of the data being sent to and from the server:
- There is data which should only be sent from the client to the server.
- There is data which should only appear in specific views (solvable using ViewModels so not too concerned about this one)
- The data should be immune from classic playback attacks.
Short of building proprietary security, what is the best way to secure the web service, and are there any other libraries I should be looking at to assist me – either in JavaScript, or .Net
I’ll post this as an answer…for the possibility of points :)…but I don’t know that you could easily say there is a “right way” to do this.
The communications sent to the service should of course be https. That limits the man-in-the-middle attack. I always check to see that the sending client’s IP is the same as the IP address in the host header. That can be spoofed, but it makes it a bit more annoying :). Also, I timestamp all of my JSON before send on the client, then make sure it’s within X seconds on the server. That helps to prevent playback attacks.
Obviously JavaScript is insecure, and you always need to keep that in mind.
Hopefully that gives you a tiny bit of insight. I’m writing a blog post about this pattern I’ve been using. It could be helpful for you, but it’s not done :(. I’ll post a link sometime tonight or tomorrow.