Re: web service security


From: casey chesnut (casey_at_MORE_spam_PLEASEbrains-N-brawn.com)
Date: 07/22/04


Date: Thu, 22 Jul 2004 10:54:01 -0500

WSE will do Xml-Encryption as well.
casey

"Dale" <DalePres@eMmeSseNn.com> wrote in message
news:2C97DFBD-A9A9-4D3C-B8FD-B7F626B52CCC@microsoft.com...
> You may also want to look into Soap Extensions. With Soap Extensions you
> could encrypt the entire message and not only would the hacker be unable to
> interject false values, he would be unable to read the transmitted data as
> well.
> --
> Dale Preston
> MCAD C#
> MCSE, MCDBA
>
>
> "casey chesnut" wrote:
>
> > yes, by adding an Xml-Signature.
> > a Signature would be used to sign the transaction #.
> > when the message was intercepted, and the transaction # was changed, then
> > the signature would break.
> > the server would try to verify the signature, it would fail, and it would
> > stop processing this request.
> > you can do this today with WSE 2.0.
> > the client would pass a UsernameToken which had signed the message.
> > i believe there is a WSE sample called UsernameSigning which does exactly
> > that.
> > all you would have to do is add the Transaction header, and make sure that
> > the element was signed too.
> > the WSE docs show how to sign additional elements of the SoapMessage.
> > Thanks,
> > casey
> > http://www.brains-N-brawn.com
> >
> >
> > "chuck" <chuck@discussions.microsoft.com> wrote in message
> > news:9733D5EF-AAE9-4C77-8604-6145D4D11D8C@microsoft.com...
> > > I have a question about the security of soap message.
> > >
> > > Let's say someone sent a soap message of a store's daily-transaction across
> > > network with soap header containing username and hash password.
> > >
> > > Then a spy stole the soap message and assumed username and hash password
> > > is good. Change the number on the daily-transaction and resent it to the web
> > > service. Is there some way we can prevent this from happening?
> > > tks,
> > > chuck
> >
> >
> >


