Encrypting SOAP with WSE – creating your OWN keys

I just had a thought about what I was working on yesterday with encrypting data that is passed back to a client in a SOAP response. I was using examples from two sources. In those samples, there was a key created in the webservice for encrypting. That same key was added into the client app in order to unlock the encrypted data. I used the sample “to a T”, including the example key. If I didn’t change it, that means that anyone who read the article could create a client that uses the same key and have access to my data. Not really, because the web service also requires authentication… but you get the point, right? It’s kind of like the www.tempuri.com problem. Many people don’t change that “placeholder” URI and leave the possibility (very slight as it may be) that someone accessing two separate web services with functions of the same name and the same namespace (”www.tempuri.com”) will have a definite conflict.

Anyway, time to go change my keys!

  Sign up for my newsletter so you don't miss my conference & Pluralsight course announcements!  

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.