A WebService is only available as http, but I need https. What's the best technique here?

Question

Yeah, so everyone knows WeatherBug, right? They have this URL...

http://[apicode].api.wxbug.net/weatherservice.asmx

Works great, but they don't supply an https alternative for those on secure connections.

What's the best technique to use here? I know I need to create my own page or service and that way it hits "my" service on https instead, but in the back end it would be pulling down the WeatherBug's service calls.

How would I write that inside of my own web service (asmx)?

This is what I was trying in an aspx page, but it wasn't working...

protected void Page_Load(object sender, EventArgs e)
{
    Response.Write(
        new StreamReader(
            WebRequest.Create(
                String.Format("{0}?{1}",
                    "http://[apicode].api.wxbug.net/weatherservice.asmx",
                    Request.QueryString.ToString()
                )
            ).GetResponse()
            .GetResponseStream()
        ).ReadToEnd()
    );
}

Answer 1

1. Add a service reference to your web project:

   • Right click on the project, select "Add Service Reference..."
   • Supply the address in the dialog, select the service you're interested in.

2. Create a new Web Service in you project:

   • Right click on the preferred folder, select "Add new item..."
   • Select "Web Service", give it sensible name, etc

3. Start coding:

   • If this service is going to be called from script, find the comment at the top of the page that says:

   // To allow this Web Service to be called from script, using ASP.NET AJAX, uncomment the following line.

   • Even if you're not using ASP.NET AJAX, you need to follow that instruction.
   • Create methods that replicate the methods you want to call on the WeatherBug API

The following might give you at start:

// I don't know the WeatherBug Api, but you should get the idea
// Decorate the method as a WebMethod, otherwise you won't be able to call it
[WebMethod]
public string GetLiveWeatherByCityCode(int Length, // Is this an int?
                                       string CityCode,
                                       int UnitType,
                                       string ACode) {
  // Create a new instance of the client that was generated for you
  // when you added the Service Reference, using the name specified 
  // in the web.config (again, added for you by VS).
  using (var client = new 
           WeatherBugServiceClient("BasicHttpBinding_WeatherBugService"))
  {
    // Either return the call directly, or you could process the result before
    // returning it.
    return client.GetLiveWeatherByCityCode(Length, CityCode, UnitType, ACode);
  }
}

You should then be able to call this web method on the web service in the usual way, under https.

Answer 2

You could use something along the lines of Stunnel... or even roll your own SSL proxy

(a simple proxy could be created using RESTful WCF just to redirect the calls)

Answer 3

What is the problem with using HTTP?

If you want to use HTTPS to authenticate the weather information, you're out of luck. If the user is only using HTTP, there's no way to make sure you're talking to it, or making sure you're getting the correct output, if there's any chance of a man-in-the-middle attack. You could have your own middleman routine that communicated with WeatherBug in HTTP and converted to HTTPS, but you couldn't know that your middleman routine was actually getting WeatherBug's data.

On the other hand, if you don't think anybody's going to bother setting up an attack to feed you false data in the hope of making you plan a picnic when it will be raining out, what's the difference between the two?

Answer 4

1. Create a web service.
2. Add Weather Eye's service as a web reference to that web service.
3. Duplicate all of the calls that weathereye has, on your web service, and call weather eyes service from within these methods on your web service and have your web service return the results from weathereyes web service.
4. Host your web service on http/https.
5. Have your clients call your web service.

Your clients where going to have to connect to a web service anyway, so you might as well put this logic in another web service.

Answer 5

What is preventing you from using the HTTP address? Is a device on your network blocking HTTP access?

If nothing is blocking HTTP, you gain nothing by trying to use HTTPS to a "safe" url. (It's not like the weather forcast is proprietary information)