xWeb: Recommendations

This topic discusses various recommendations from Abila for setting up your xWeb site.

Secure Sockets Layer

Transport Layer Security (TLS) 1.2 is a protocol designed to enable secure communications over an insecure network such as the Internet. NetForum xWeb should only be used to exchange NetForum data over TLS. TLS establishes a secure connection between your web server and the web client, providing encryption and integrity for the communication along with strong authentication using digital certificates.

TLS secures the transmission itself; it does not validate or vouch for the data that is actually being sent.

Abila recommends that all NetForum xWeb transmissions occur over TLS and that they use the NetForum XML Secure interface.

The secure interface is at the following URL:

http://www.mynetforumsite.org/xweb/secure/netForumXML.asmx

The domain (www.mynetforumsite.org) is the domain where you installed NetForum. This site is configured in IIS to allow anonymous access, but all of the web methods require programmatic authentication.

This interface has two layers of security:

  • Authentication
  • Authorization

Authentication

Authentication is the facility by which NetForum attempts to confirm that the xWeb User attempting to invoke xWeb SOAP operations is in fact the user who is authorized to do so. Once authenticated, NetForum tracks the authenticated user whenever that user invokes operations that update existing data or create new data.

Authorization

Authorization is the facility by which NetForum allows authenticated users access to the objects and data that the NetForum administrator has assigned to the user via NetForum security. Authorization requires authentication, but the reverse is not true. In the NetForum XML Secure interface, proper authentication and authorization are both required.

Encryption

NetForum xWeb has an additional symmetric TripleDES encryption class (CBC mode with PKCS#7 padding) that can be customized; please contact Abila for more information. At a minimum, all financial data should be sent over TLS, use the NetForumXML Secure interface, and have TripleDES encryption enforced (cipherText).

HTTP Post and Get

Because NetForum xWeb is a web service (described by a WSDL) that can also exchange data via HTTP POST and HTTP GET, it is recommended that you turn those off and exchange data only via SOAP packages. To turn this facility off, make this change in your xWeb web.config file:

<system.web>
  <webServices>
    <protocols>
      <remove name="HttpPost" />
      <remove name="HttpGet" />
    </protocols>
  </webServices>
</system.web>

By default, a .NET web service accepts all three protocols (HTTP POST, HTTP GET and SOAP).

SOAP settings

It is possible to turn off the SOAP 1.2 binding. In tests, some SOAP 1.1 parsers cannot interpret the newer SOAP specification. The .NET framework automatically detects the version of each SOAP packet. To turn off the SOAP 1.2 binding, make this change in the xWeb web.config:

<system.web>
  <webServices>
    <protocols>
      <remove name="HttpSoap1.2"/>
    </protocols>
  </webServices>
</system.web>
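The following script, added here as an example and not part of Abila's documentation or the xWeb product, audits an xWeb web.config for the protocol hardening described in the "HTTP Post and Get" and "SOAP settings" sections above. It walks the protocols list in document order, so a later `<add>` that re-enables a protocol is caught; the sample configs are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Protocols the recommendations above say to remove from the xWeb web.config.
REQUIRED_REMOVALS = {"HttpPost", "HttpGet"}   # only SOAP should remain
OPTIONAL_REMOVAL = "HttpSoap1.2"              # only when SOAP 1.1-only clients are in play


def protocol_removals(web_config_xml: str) -> set:
    """Return the protocol names that are still removed after walking
    system.web/webServices/protocols in document order."""
    root = ET.fromstring(web_config_xml)
    # Accept either a full <configuration> file or a bare <system.web> fragment.
    sysweb = root if root.tag == "system.web" else next(
        (child for child in root if child.tag == "system.web"), None)
    removed = set()
    if sysweb is None:
        return removed
    for web_services in sysweb.iter("webServices"):
        for protocols in web_services.iter("protocols"):
            for entry in protocols:
                name = entry.get("name")
                if entry.tag == "remove" and name:
                    removed.add(name)
                elif entry.tag == "add" and name:
                    removed.discard(name)  # a later <add> re-enables the protocol
    return removed


def audit_xweb_protocols(web_config_xml: str) -> dict:
    """Summarise whether the config matches the hardening described above."""
    removed = protocol_removals(web_config_xml)
    return {
        "still_enabled": sorted(REQUIRED_REMOVALS - removed),
        "post_get_disabled": REQUIRED_REMOVALS <= removed,
        "soap12_disabled": OPTIONAL_REMOVAL in removed,
    }


# Constructed sample configs for this example (not from a real xWeb installation).
HARDENED = """<configuration><system.web><webServices><protocols>
<remove name="HttpPost"/><remove name="HttpGet"/><remove name="HttpSoap1.2"/>
</protocols></webServices></system.web></configuration>"""
DEFAULT = "<configuration><system.web/></configuration>"  # .NET default: all protocols on
REENABLED = """<system.web><webServices><protocols>
<remove name="HttpPost"/><remove name="HttpGet"/><add name="HttpGet"/>
</protocols></webServices></system.web>"""

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("default", DEFAULT), ("re-enabled", REENABLED)):
        print(label, audit_xweb_protocols(cfg))
```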

User Setup and Security

The xWeb User account that accesses NetForum via xWeb needs sufficient read (and possibly write) privileges to do its job, but limit your exposure by granting no more access than is needed. See this page for instructions and best practices on how to configure security.
