Access db via web service - asp.net

Is it efficient using a web service to access database objects?
I'm developing a win phone app and a web app. Both of them will use the same db. Should I create one web service for two apps?

A shared webservice is definitely the right way to go. That's really the point of a service, to be able to access the same business and data logic from multiple places (assuming both places are doing the same thing of course). It also acts as a natural security buffer between your app and database - so your database only needs to accept connections from the service, as opposed to multiple client applications.
As far as the technology, since both of your clients are Microsoft, you can use WCF as your service as opposed to a traditional SOAP service. Or you can go with something more universally accepted, like WebAPI with JSON. Lots of options there.

Related

Securing a database using web service

I have a SharePoint application that needs to integrate with very sensitive databases. The data required is from multiple databases; almost 40 different databases on different servers.
The suggested design was to have a web service to integrate with, which will then connect to the required database based on the required business logic. However the concern is, if someone somehow got access to the server hosting this web service, all the database connections will be there.
Another suggestion was to have a dedicated web service for each database. This way even if someone got access to this web service, only one database connection will be there.
The question is, is there any known design that can work for this situation to add more security to the database connections?
The answer really depends on your specific requirements. An easy way of doing so is to use the "Open Data Protocol" (OData), and then secure it with Windows directory login, or perhaps ASP.NET login.
Take a look at http://www.odata.org/ and http://msdn.microsoft.com/en-us/library/ff478141.aspx

Website with Wcf service

I'm new to web services. I'm developing a project that includes a website for introducing information (backoffice), and that information will be sent to mobile devices.
My question is: is it better to create a website that connects to the database to insert and update information and then create a webservice only for the mobile devices to get that information, or to create a webservice that does all the work (website and mobile devices connected to webservices)?
Thank you
There are many solutions and which you choose depends on how your application will be used.
In any case it is always good to have reusable code, and having a single service tending to both web and mobile applications would be good.
If your application is write intensive, data which is passed between user and the website is critical and data integrity must be preserved, then you should go for a single service which runs in the background, takes care of integrity and provides data retrieval and modification methods to clients (web/mobile/desktop applications).
If your application is read intensive, will be mass deployed, with tens or hundreds of thousands of clients, then you should go for each web application which connects directly to database. In this case you need to sacrifice data consistency, because writes made on one node of the web application will not be instantly visible on others. Using this method, when you need to scale out you can add replicated database nodes, and new web application nodes that connect to them.
If you have a client application running on a mobile device, you want a web service. I recommend a RESTful one using JSON. If you want to access this functionality from a computer browser, you'll want a website - which could be accessed from a browser on a mobile device.
The trade-off is accessibility vs. quality of the client application. A website may work great from a computer browser, but may not be well-suited for mobile access. The website would be a single solution though. If you use a web service, you need a mobile application to consume it (presumably for multiple platforms), plus either a desktop application to consume that web service or a website to run in a browser...
In my opinion, you should go with a services-based architecture. You can use WCF / ASP.NET Web API on the MS stack. Using services, either SOAP-based or REST, gives you more flexibility and a degree of scalability for the consumers to consume your service.
Hope this helps.

Need a service to handle multiple connections to 1 database

I have a SQL Server database which serves multiple ASP.NET web applications. They each have their own SiteID to distinguish the data.
I recently realised that it isn't good practice to have multiple applications accessing one database directly and decided I would implement a service to handle all database connections.
All the web applications and database sit on the same Windows 2008 server.
I want to know what kind of service is best for this functionality: a web service or a Windows service? In a previous job they seemed to have a Windows service that ran on the server. What are the advantages of this over a web service?
While it's certainly ok to have multiple applications accessing one database, I think what you mean is you are trying to avoid duplicating all your data access and business logic in multiple web sites. In other words, you would rather have a centralized service where you can update all the applications at once.
It sounds like you want a WCF service, which will let you run either as a web application under IIS -OR- as a self-hosted Windows service. There is a bit of a learning curve if you've never done WCF, but it is well worth learning.
WCF under IIS, you get the same benefits as you get with running any web site. Application lifecycle management, maintenance using the IIS mms plug-in, running under a specific pool identity, etc.
As a Windows Service, you manage through the Services mms, and you have to manually write a little more code (just a little) to handle the service startup and shutdown, and of course you don't get the application lifecycle management that you do with IIS.
Which you choose may depend on how much security access you have to the server, and which tools you are allowed to run. If you have full access to the server, I prefer the IIS way, but that's totally subjective.
Windows Service vs Web Service is apples vs oranges... A windows service doesn't serve up data on its own...
So here are some options:
Data Access in traditional Code
It sounds like this is what you have. As long as this is a logically separate layer, this probably isn't too bad.
Services
Using services has a lot of advantages, such as true separation of concerns / implementation. You can even have your service implemented in a different language / platform than your client app. A downside might be performance. You're likely going to have to serialize / deserialize data and that takes CPU cycles any way you slice it.
Interface Driven Approach
This is nice because you can write your data access in your application against an interface. That interface can be implemented by "traditional" ADO / ORM code. Or you can consume a web service. This has the distinct advantage of separating the UI from data and making automated unit testing much easier.

Is it more secure to put data access in a web service rather than a class within the current project?

We have a few projects that we put all the data access in a separate web service project and the parent project will call the web service for everything data related. The web service will only accept connections from the web project server. My assumption is that the web service would be less susceptible to intrusion this way. I'm not really sure this is correct.
Is this more secure than just putting the data access in a class or dll within the parent project?
NOTE
Developers above me made this decision.
I don't see that as an effective way of securing your database. Of all the various ways that exist to protect your data layer, I don't think that moving calls from a class library to a web service is an effective way to protect yourself.
A better approach would be to make sure that you use parameterized queries or stored procedures to prevent SQL injection, and limit the privileges of your logins to only the operations that they need to perform.
However, there would be other arguments for having data access in a separate web service... such as re-usability, or a service-oriented architecture. If the same data access layer is needed from a variety of projects on multiple servers, by having the web service you wouldn't need to have the same class library duplicated all over the place... which would cause you to worry about which project has which version of your data access layer.
So, more secure? I don't think so... Other benefits? Probably...
Short answer: Yes
Longer answer: My assumption is that the web server that is exposing the services is behind its own firewall. Doing it this way insulates the database from intrusion by forcing hackers to go through another layer if they were able to compromise your application servers. Since the database connection strings do not exist on the app server, and a firewall prevents direct connections from that server to the database, the hackers would need to somehow puncture that firewall and gain access to the server that is hosting your data services.
Now, I also assume that the web services are not simply exposing methods like
execute(string sqlCommand)
If that's the case, then this solution might actually be less secure than simply using a database without the web services. For this solution to truly be more secure you would want to create operation-specific methods on the web service server.
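The contrast drawn in the two answers above (parameterized queries with a least-privilege login, and operation-specific methods instead of `execute(string sqlCommand)`), as an added C# example that is not part of the original posts. `OrderDataService`, `dbo.Orders` and its columns are hypothetical names, and the code assumes an ADO.NET provider that accepts `@name` parameters, as SQL Server's does.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.Common;

// Added example: class, table and column names are hypothetical.
public sealed class OrderDataService
{
    // Factory returns an OPEN connection whose login may only SELECT from dbo.Orders.
    private readonly Func<DbConnection> _open;
    public OrderDataService(Func<DbConnection> open) { _open = open; }

    // Anti-pattern: the caller supplies the SQL text, so the service tier adds no
    // protection and hands every client the full rights of the database login.
    public DataTable Execute(string sqlCommand)
    {
        using (DbConnection conn = _open())
        using (DbCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = sqlCommand;
            var table = new DataTable();
            using (DbDataReader reader = cmd.ExecuteReader()) { table.Load(reader); }
            return table;
        }
    }

    // Operation-specific: the SQL text is fixed; caller input travels only as typed parameters.
    public List<decimal> GetOrderTotals(int siteId, string customerEmail)
    {
        if (siteId <= 0) throw new ArgumentOutOfRangeException(nameof(siteId));
        if (string.IsNullOrEmpty(customerEmail) || customerEmail.Length > 254)
            throw new ArgumentException("Invalid e-mail.", nameof(customerEmail));
        using (DbConnection conn = _open())
        using (DbCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "SELECT Total FROM dbo.Orders WHERE SiteID = @siteId AND CustomerEmail = @email";
            AddParameter(cmd, "@siteId", DbType.Int32, siteId);
            AddParameter(cmd, "@email", DbType.String, customerEmail);
            var totals = new List<decimal>();
            using (DbDataReader reader = cmd.ExecuteReader())
                while (reader.Read()) totals.Add(reader.GetDecimal(0));
            return totals;
        }
    }

    private static void AddParameter(DbCommand cmd, string name, DbType type, object value)
    {
        DbParameter p = cmd.CreateParameter();
        p.ParameterName = name; p.DbType = type; p.Value = value;
        cmd.Parameters.Add(p);
    }
}
```

Only `GetOrderTotals` belongs on the service contract; `Execute` is shown for comparison with the method signature quoted in the answer.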
A DLL can't be accessed and executed from the Web, so far as I know. A Web service can. If that's true, the class library referenced by a Web project (or even a Web Service) is more secure than a Web service encapsulating that logic directly.
Further, there's the whole notion of Separation of Concerns. In my mind, data access logic belongs on a separate tier, completely separate from business logic. In a well designed architecture, Web services expose discrete methods that represent business transactions--not necessarily data transactions. Business transactions encapsulate one or more data transactions, which are represented by separate classes that encapsulate the data access logic and provide the security to ensure that SQL injection never occurs.
Others, naturally, may disagree. We're developers. It's our nature to disagree. :)

Web Database or SOAP?

We’ve got a back office CRM application that exposes some of the data in a public ASP.NET site. Currently the ASP.NET site sits on top of a separate cut down version of the back office database (we call this the web database). Daily synchronisation routines keep the databases up-to-date (hosted in the back office). The problem is that the synchronisation logic is very complex and time consuming to change. I was wondering whether using a SOAP service could simplify things? The ASP.NET web pages would call the SOAP service which in turn would do the database calls. There would be no need for a separate web database or synchronisation routines. My main concern with the SOAP approach is security because the SOAP service would be exposed to the internet.
Should we stick with our current architecture? Or would the SOAP approach be an improvement?
The short answer is yes, web service calls would be better and would remove the need for synchronization.
The long answer is that you need to understand the technology available for you in terms of web services. I would highly recommend looking into WCF which will allow you to do exactly what you want to do and also you will be able to only expose your services to the ASP.NET web server and not to the entire internet.
There would be no security problem. Simply use one of the secure bindings, like wsHttpBinding.
I'd look at making the web database build process more maintainable
Since security is obviously a concern, this means you need to add logic to limit the types of data & requests and that logic has to live SOMEWHERE.
