I have a business layer written using WCF Data Services (OData). I wish to consume it in my web application using jQuery AJAX calls. But my security manager raises the concern that jQuery calls can be easily manipulated (and he is right). I want to avoid server-side calls as they are costly in terms of postback and page lifecycle.

Please suggest the fastest way to consume the OData service with effective security. My application needs to run in an extranet environment.

Thank you
1 solution

Firstly, I have to say your security manager is wrong. This is a myth.

There is nothing specific about AJAX. It is just a request performed by your browser. It is a general HTTP request and should be secured like any other HTTP request, regardless of its XHR nature.

If you maintain proper authentication and authorization on your WCF service, you won't have any security issues by using Ajax calls.

The future of the dev world is Ajax. As an example I can point to SPA enterprise app development. Those apps are developed solely using Ajax (or JavaScript). Check this link for more info: Building Large Scale Apps with Angular and Breeze

Note:
The JSON data must be sent over POST, not GET, which would make it difficult to include the URL in a <script> tag.
 
Comments
Wild-Programmer 11-Jan-14 5:02am
I agree with you. But the point he raised was that even an authenticated user can open the HTML markup and manipulate the data section.
Sampath Lokuge 11-Jan-14 6:34am
What kind of data manipulation do you mean? If you transfer the data through the 'post' method, then how can you do that? If you need more security, you can also use 'SSL (https)' with ajax calls.
Wild-Programmer 11-Jan-14 13:28pm
Let me serve you an example:

    // Callbacks referenced by the request below (not shown in the original snippet)
    function insertCallback(result) { console.log("Updated", result); }
    function errors(xhr) { console.error("Request failed with status", xhr.status); }

    $("#btnUpdate").click(function () {
        // Build the payload object from the form values
        var payload = { UserID: 'CMA', UserName: 'CMA' };
        // Serialize it to a JSON string
        var data = JSON.stringify(payload);

        // Send it as a PUT to the OData entity
        $.ajax({
            type: "PUT",
            contentType: "application/json; charset=utf-8",
            url: "http://localhost:7876/TestWcfDataService.svc/Admins(80)",
            data: data,
            dataType: "json",
            success: insertCallback,
            error: errors   // jQuery's option is "error"; "failure" is silently ignored
        });
    });

Now the user can copy this section and change the URL from "http://localhost:7876/TestWcfDataService.svc/Admins(80)" to "http://localhost:7876/TestWcfDataService.svc/Admins(82)". How can we ensure that the data inside the call is not manipulated by the user?
Sampath Lokuge 12-Jan-14 1:48am
Don't send data that way (i.e. Admins(80)). Instead, put that data in a hidden field and then use that hidden field's value for the data request through your URL.
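To make the answer's point (authenticate and authorize every request on the server, Ajax or not) and the Admins(80) to Admins(82) exchange above concrete, here is an added example that is not from the original post or from the asker's service: a WCF Data Services class with a query interceptor and a change interceptor on the Admins entity set, so the server only returns, and only accepts changes to, the Admin row that belongs to the authenticated caller. The Admin entity with its Id key and UserID owner property, and the AdminsContext data source (the asker's own context, e.g. an Entity Framework context), are assumptions; the example also assumes the service is hosted in ASP.NET with an authentication scheme already configured so that HttpContext.Current.User identifies the caller.

```csharp
using System;
using System.Data.Services;
using System.Data.Services.Common;
using System.Linq.Expressions;
using System.ServiceModel.Activation;
using System.Web;

// Assumed entity shape; in the real service this comes from the data model.
[DataServiceKey("Id")]
public class Admin
{
    public int Id { get; set; }          // the key used in Admins(80), Admins(82), ...
    public string UserID { get; set; }   // assumed: the login name that owns this row
    public string UserName { get; set; }
}

[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
public class TestWcfDataService : DataService<AdminsContext>   // AdminsContext: assumed, defined elsewhere
{
    public static void InitializeService(DataServiceConfiguration config)
    {
        // Exposing the entity set is not the same as authorizing access to every row in it;
        // the interceptors below decide per request which rows the caller may see or change.
        config.SetEntitySetAccessRule("Admins", EntitySetRights.All);
        config.DataServiceBehavior.MaxProtocolVersion = DataServiceProtocolVersion.V3;
    }

    // Name of the caller as established by the host's authentication; null if anonymous.
    private static string CurrentUser()
    {
        var identity = HttpContext.Current.User.Identity;
        return identity.IsAuthenticated ? identity.Name : null;
    }

    // Applied to every request that touches Admins, including the key lookup the service
    // performs before a PUT or DELETE to Admins(82): a row the caller does not own is
    // simply not found, whatever key the script in the page was edited to send.
    [QueryInterceptor("Admins")]
    public Expression<Func<Admin, bool>> OnQueryAdmins()
    {
        string user = CurrentUser();
        if (user == null)
            throw new DataServiceException(401, "Authentication required.");
        return a => a.UserID == user;
    }

    // Runs before a change is saved; rejects anonymous callers and any payload that would
    // create or re-point a row to an owner other than the caller.
    [ChangeInterceptor("Admins")]
    public void OnChangeAdmins(Admin admin, UpdateOperations operations)
    {
        string user = CurrentUser();
        if (user == null)
            throw new DataServiceException(401, "Authentication required.");
        if (!string.Equals(admin.UserID, user, StringComparison.Ordinal))
            throw new DataServiceException(403, "You may only modify your own Admin record.");
    }
}
```

Why two interceptors: the query interceptor is what turns a tampered Admins(82) into a 404 for a caller who does not own row 82, because the service resolves the key through the same filter before applying the PUT; the change interceptor is the second line for inserts and for payloads that try to change UserID. Both run on the server against the authenticated identity, so nothing the client controls in the page, whether a literal in the script or a hidden field value, changes the outcome. Serve the service over HTTPS as the comment above suggests, so the credential and the payload are not readable on the extranet.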
