Using Umbraco Base from an External Site & Security
Hello all,
I have a few questions about Umbraco /Base that hopefully someone could help me with please.
I have two Umbraco sites and I would like to update the values from another external site, so the only way I could think to do this was to use AJAX calls using Umbraco /Base. Unless anyone else can tell me another way I could update the values of an Umbraco site from a completely different Umbraco site.
For example I will have a website where the user will log in and will list nodes from various Umbraco installations. Clicking on one node will allow the user to update a particular value on that node which will be done using an AJAX post using /Base call such as
http://mysitetoupdate.co.uk/base/updateNode/1234.aspx
My concern about using /Base from an external website is security as it would be possible to modify/hack the values if you knew the /Base URL to post to.
So does anyone have any ideas/suggestions on implementing some form of security using /Base with external websites?
Look forward to your ideas.
Warren :)
Hi Warren,
What technology are you using on the external site?
From a security perspective, I'd recommend using the web-services (SOAP) API; i.e. /umbraco/webservices/api/DocumentService.asmx (readList and update methods).
If the external site is using .NET, then you can add the DocumentService.asmx as a Web Reference (in Visual Studio) and that should give you IntelliSense for the appropriate objects/classes.
Cheers, Lee.
Cheers Lee for the reply.
The external site will also be ASP.NET & Umbraco.
But with me not being a .NET ninja (yet), if I use the SOAP web service are there any security risks or things I should consider?
Thanks,
Warren
Hi Warren,
With .NET web services you can implement security-based services, e.g. you can use client certificates etc. REST-based services like Umbraco base have to be protected by the "normal" HTTP security features, e.g. IP-based security or username/pwd.
It depends on which level of security you want and in which layer you want to put it.
hth, Thomas
Rather than have your Ajax call directly to the other server you should have it call a page on the serving server, this can then make the call to the other Umbraco install server-side. That way you are not exposing your URLs to anyone external (well you are if they can monitor your traffic but I'm guessing you are just wanting to hide it from Firebug snoopers). You can add an additional level of security using Thomas' idea of limiting IP addresses. Want to get super secure and you can go the SSL route.
Simply moving "the calls that do the damage" server side should be enough though and dead easy to do.
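The server-side call suggested in the last reply, written as an ASP.NET generic handler; this is an added example, not code from the thread or from Umbraco. The `site`, `nodeId` and `value` form fields, the `site-a` key and the https scheme on the thread's URL are assumptions.

```csharp
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Net;
using System.Web;

public class ProxyUpdateNode : IHttpHandler
{
    // Added example. Assumption: fixed allow-list of target installs (https
    // assumed, following the SSL suggestion). The browser sends only the short
    // key, never a URL, so it cannot redirect the server-side call elsewhere.
    private static readonly Dictionary<string, string> Targets =
        new Dictionary<string, string>
        { { "site-a", "https://mysitetoupdate.co.uk/base/updateNode/" } };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest req = context.Request;
        // Only logged-in users may trigger an update, and only via POST.
        if (!req.IsAuthenticated || req.HttpMethod != "POST")
        {
            context.Response.StatusCode = 403;
            return;
        }

        // Validate every input before it becomes part of the outgoing call.
        string baseUrl;
        int nodeId;
        string value = req.Form["value"]; // hypothetical field name
        if (value == null
            || !Targets.TryGetValue(req.Form["site"] ?? "", out baseUrl)
            || !int.TryParse(req.Form["nodeId"], out nodeId) || nodeId <= 0)
        {
            context.Response.StatusCode = 400;
            return;
        }

        var fields = new NameValueCollection { { "value", value } };
        try
        {
            // The /base URL is built and called here, never in the browser.
            using (var client = new WebClient())
                client.UploadValues(baseUrl + nodeId + ".aspx", "POST", fields);
            context.Response.StatusCode = 204;
        }
        catch (WebException)
        {
            context.Response.StatusCode = 502; // target refused or unreachable
        }
    }
}
```

The /base URL on the target install stays reachable directly, so it still needs the IP restriction mentioned above, limited to this server's address.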