web services security
So I am looking at the web services in Umbraco and I notice that the service takes the username and password of a user to authenticate. They are sent in plain text. This seems like a huge security hole as any application that leverages the services could sniff the password of an account that has create/edit permissions. Once they have that, then the entire site could be compromised.
I need access to secure services.. Do I need to modify the services project in the core? Am I missing something?
Not quite following the scenario where someone would be able to sniff your passwords. Do you mean installed packages, or how would the traffic get sniffed?
I guess one solution is to use https when calling the webservices, which would make the connection secure?
We have Silverlight controls that previously spoke to another provider. We have decided to proxy the existing web services instead of importing the API into WCF. I don't want to introduce https to this domain.. I have some work to do.. bleh.
So the takeaway is that people should not use the web services in production without enabling https.. Don't love it, but I have enough to find a way around this for now. Thanks.
Does Umbraco support WCF RESTful web services? Basically this requires adding code to the global.asax file. Something like this:
Can anyone answer this? I think I read somewhere that "Global" isn't accessible since Umbraco initializes this class.
Bump again. Can anyone answer this? I think I read somewhere that "Global" isn't accessible since Umbraco initializes this class.