I have two ASP.NET MVC web applications; one is an ERP system for managing our assets and the other is a scanning service that offers services to scan servers and VMs and update the ERP database with the scan result.
Now, for example, inside the scanning service I have the following action method, which can be called by passing a security token and the server name we want to scan:
    public async Task<ActionResult> ScanServer(string tokenfrom, string FQDN) // only the ERP system should be able to call this
    {
        string Token = System.Web.Configuration.WebConfigurationManager.AppSettings["Token"]; // get the token from the web.config, this should be encrypted
        if (tokenfrom != Token) // check if the request is authorized by comparing the 2 tokens
        {
            return new HttpStatusCodeResult(403, "request failed");
        }
        // ... (the rest of the action method is not shown in the post)
    }
And the above action method will be called from the ERP system using the following action method:
    [HttpPost]
    [CheckUserPermissions(Action = "", Model = "Admin")] // check if the user is defined as an admin inside my custom authorization system
    public async Task<ActionResult> Scan()
    {
        try
        {
            string currentURL = System.Web.Configuration.WebConfigurationManager.AppSettings["scanningURL"];
            string token = System.Web.Configuration.WebConfigurationManager.AppSettings["Token"];
            using (WebClient wc = new WebClient())
            {
                string url = currentURL + "home/scanserver?tokenfrom=" + token + "&FQDN=allscan";
                var json = await wc.DownloadStringTaskAsync(url);
                TempData["messagePartial"] = "Scan has been completed. Scan report generated";
            }
        }
        // ... (the catch block and the return are not shown in the post)
    }
As shown above, to secure the interaction (in other words, to make sure that any scan request received by the scanning service application is coming from the ERP system only), I am passing a security token which will be stored inside the web.config files on both applications (and we will be updating the token frequently). So can anyone advise whether my approach is considered secure, bearing in mind that I am using HTTPS for both applications?
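The same shared-token exchange, rewritten as an added example (not the poster's code) to show two changes a reviewer would ask for: the token travels in a request header instead of the query string, and the two tokens are compared in constant time rather than with `!=`. The header name `X-Scan-Token`, the `SharedTokenAuth` helper, the controller names and the `Json`/`RedirectToAction` return values are assumptions for this example; the comparison is written out by hand so it does not depend on a particular framework version.

```csharp
using System.Net;
using System.Text;
using System.Threading.Tasks;
using System.Web.Configuration;
using System.Web.Mvc;

// Hypothetical helper shared by both applications (added example, not the poster's code).
public static class SharedTokenAuth
{
    // Assumed header name; the original post carries the token as the "tokenfrom" query parameter.
    public const string HeaderName = "X-Scan-Token";

    // Compares every byte regardless of where the first mismatch is, so the elapsed time
    // does not reveal how many leading bytes of a guess were right (a plain "!=" on
    // strings stops at the first differing character).
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static bool IsAuthorized(string presented, string expected)
    {
        if (string.IsNullOrEmpty(presented) || string.IsNullOrEmpty(expected)) return false;
        return FixedTimeEquals(Encoding.UTF8.GetBytes(presented), Encoding.UTF8.GetBytes(expected));
    }
}

// Scanning service side: the token is read from a header, never from the URL.
public class HomeController : Controller
{
    public ActionResult ScanServer(string FQDN)
    {
        string expected = WebConfigurationManager.AppSettings["Token"];
        string presented = Request.Headers[SharedTokenAuth.HeaderName];
        if (!SharedTokenAuth.IsAuthorized(presented, expected))
        {
            return new HttpStatusCodeResult(403, "request failed");
        }
        // ... scan FQDN and write the result to the ERP database (assumed, not shown in the post)
        return Json(new { status = "ok", scanned = FQDN }, JsonRequestBehavior.AllowGet);
    }
}

// ERP side: the same call as in the post, with the token moved into the header.
public class ScanController : Controller
{
    [HttpPost]
    public async Task<ActionResult> Scan()
    {
        string scanningUrl = WebConfigurationManager.AppSettings["scanningURL"];
        string token = WebConfigurationManager.AppSettings["Token"];
        using (var wc = new WebClient())
        {
            wc.Headers[SharedTokenAuth.HeaderName] = token; // header, not "?tokenfrom=" in the URL
            string url = scanningUrl + "home/scanserver?FQDN=allscan";
            string json = await wc.DownloadStringTaskAsync(url);
            TempData["messagePartial"] = "Scan has been completed. Scan report generated";
        }
        return RedirectToAction("Index"); // assumed follow-up; the post does not show the return
    }
}
```

Moving the token out of the query string matters because GET URLs are routinely written to IIS logs, reverse-proxy logs and any intermediate monitoring, so a secret in `?tokenfrom=` is copied to every place the URL is recorded, whereas HTTPS only protects it on the wire. A shared static token still only proves that the caller knows the secret, not that the request came from the ERP host; if that distinction matters, the usual next steps are client-certificate (mutual TLS) authentication between the two applications or signing each request with an HMAC over the parameters plus a timestamp so that a captured request cannot be replayed.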