1. Sally D
  2. PowerBuilder
  3. Monday, 12 November 2018 11:36 AM UTC

Hi all,

We are now using PB2017R3 to migrate from PB12, using a .NET assembly as a web service to replace the EA server. One concern is the security of the web service. Do you have any good suggestions about web service security in PB?

Armeen Mazda @Appeon
  1. Monday, 12 November 2018 17:38 UTC
  2. PowerBuilder
  3. # 1

I would recommend deploying your Web services using the new C# Web API feature to be released in PB 2018 on Dec 31, 2018. It supports OAuth, which is a more secure way to do authentication than passing username/password. https://www.appeon.com/pb2018.html

Also, added to PB 2017 R3 are a number of security features, such as symmetric/asymmetric encryption, key generation, and hashing. Of course, HTTPS (TLS 1.2) has been supported since the first release of PB 2017, and it goes without saying all your HTTP communication should be using TLS 1.2 or higher for security reasons.

Luke Chase
  1. Monday, 12 November 2018 13:58 UTC
  2. PowerBuilder
  3. # 2

The .NET Core web service has a feature called Middleware. You can use built-in middleware provided by Microsoft or create your own as well: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/middleware/?view=aspnetcore-2.1. The middleware is a series of steps the request goes through before/while hitting your actual endpoints, and it allows you to stop the request should something go wrong.

Any official or custom middleware you use is added in the Configure() method of the Startup.cs object, for example "app.UseMiddleware<BasicAuthenticationMiddleware>();" to use a custom one you've created or downloaded. We're using a custom-created middleware at my shop that does API key-based authentication. When your endpoint is hit for the running webservice, the HttpContext steps through each middleware's Invoke() method, where you can specify if the request should continue or fail. Here's an example:

using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

/// <summary>
/// Handles basic authentication
/// </summary>
public class BasicAuthenticationMiddleware
{
    private readonly RequestDelegate next;

    // A collection of API keys for use with BasicAuthorization with API keys
    private readonly IEnumerable<string> apiKeys;

    public BasicAuthenticationMiddleware(RequestDelegate next, IEnumerable<string> apiKeys)
    {
        this.next = next;
        this.apiKeys = apiKeys;
    }

    public async Task Invoke(HttpContext context)
    {
        string authorizationHeader = context.Request.Headers["Authorization"];

        // BasicAuthentication.AuthenticateApiKey() is the poster's own helper, not included in the post;
        // it decodes the Basic credential and checks the presented key against the configured apiKeys.
        if (authorizationHeader == null || !authorizationHeader.StartsWith("Basic")
        || !BasicAuthentication.AuthenticateApiKey(authorizationHeader, apiKeys))
        {
            // authentication has failed, exit request and return a status code + headers

            context.Response.Headers.Add("WWW-Authenticate", "Basic realm=\"realm\"");
            context.Response.StatusCode = 401;
            return;
        }

        // we're good to go - call the next Middleware's Invoke() method
        await next.Invoke(context);
    }
}

The order that the middleware runs in is the same order that you've specified them in the Configure() method of Startup.cs, so you'll likely want an error handling middleware first and then some authentication middleware to add security to the service.
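As an added example (not Luke's code), one possible implementation of the AuthenticateApiKey() helper his middleware calls but the post does not show, followed by the Configure() ordering he describes. It assumes the BasicAuthenticationMiddleware class above is in the same project, that clients send the credential as Basic base64(clientId:apiKey) with only the key part checked, and that MVC is registered in ConfigureServices(); the key literal is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Builder;
// Added example, not the poster's code: one implementation of the AuthenticateApiKey() helper
// called by the middleware above. Assumes "Authorization: Basic base64(<clientId>:<apiKey>)".
public static class BasicAuthentication
{
    public static bool AuthenticateApiKey(string authorizationHeader, IEnumerable<string> apiKeys)
    {
        const string scheme = "Basic ";
        if (string.IsNullOrEmpty(authorizationHeader) ||
            !authorizationHeader.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
            return false;
        string presented;
        try
        {
            // RFC 7617: the token is base64(user-id ":" password); the password slot carries the key
            string decoded = Encoding.UTF8.GetString(
                Convert.FromBase64String(authorizationHeader.Substring(scheme.Length).Trim()));
            int sep = decoded.IndexOf(':');
            if (sep < 0) return false;
            presented = decoded.Substring(sep + 1);
        }
        catch (FormatException)
        {
            return false; // malformed base64 is a failed login, not an unhandled exception
        }
        // Constant-time compare against every key, so timing reveals neither partial matches nor which key matched
        byte[] presentedBytes = Encoding.UTF8.GetBytes(presented);
        bool match = false;
        foreach (string key in apiKeys)
            if (CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(key), presentedBytes))
                match = true;
        return match;
    }
}
// Pipeline order from the post: error handling first, then authentication, then the endpoints.
// The key list would normally come from configuration; the literal is a placeholder.
public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
        var apiKeys = new List<string> { "REPLACE-WITH-CONFIGURED-KEY" };
        app.UseExceptionHandler("/error");
        app.UseMiddleware<BasicAuthenticationMiddleware>(apiKeys);
        app.UseMvc();
    }
}
```

Because the middleware and the exception handler are registered before UseMvc(), an unauthenticated request is rejected with 401 before any controller runs, and any exception thrown by the helper or a controller is turned into a response by the handler instead of leaking a stack trace.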
