I need to recover some server-info from JavaScript (ansynchroniously) so I need any exposed method on the server that could be called from the client. I've seen that there are 2 ways to do this (without using, the easy-fashion UpdatePanel):
WebService
PageMethods
I just don't know what to choose. Most solutions I've seen around the .net community are based upon the use of WebServices but I think that exposing a WebService may cause a lack of security (anyway, I dont know if it's possible to forbid access to the .amsnx file directly from the browser).
Thankyou!
nach_:
I dont know if it's possible to forbid access to the .amsnx file directly from the browser.
It isn't. When using webservices it is the browser which is accessing the the webservice, so forbidding it would prevent the method from working. You could make the webservice call inject a special header in the HTTP request, and check for its existence on the server, but that's about it (well, you could create a more advanced security system, but that also means more overhead).
Webservices are (a lot) less resource hungry than PageMethods, since PageMethods bring along the viewstate and basically instantiate everything on the page as if there was a regular postback in action. PageMethods should only be used if the state of the page is relevant in the call.
Thankyou for your answer gunteman!
The first thing is clear, if you forbid access to .amsnx then nothing will work, great.
What I don't understand is why WebServices are less resource hungry than PageMethods. Far as I know, PageMethods only allow static methods to be exposed so I don't understand why the state of the page may be relevant in that cases (hope I've explained).
Thankyou again!
Whoa! It seems PageMethods have changed since I abandoned them (they used to be non-static and heavy as hell).
Well, then it seems the most logical argument for using webservices is re-use, if the method is to be used from several pages.
That's what I thought but if not reuse is needed then maybe the good option is to use PageMethods (at least are less accessible for possible leechers than webservices, or not)?
Thankyou again!
You could definitely use PageMethods, but bear in mind that they are just as leechable as webservices. The calling mechanism is (now) basically the same as when using webservices. However, if you use some kind of login on your website, the PageMethods will be protected from non-authenticated users (or however you define your security). The same is true for webservices if so defined.
No comments:
Post a Comment