Re: SSL for very simple security need in web service app

Cesar,

Thanks for the info. There is only a single end point here, a web service
app that simply takes order info, validates it and applies it to a database.
The clients are a variety of apps that will want to send a simple XML
formatted data stream as a single chunk over https: to the web service
address, and then process a simple reply. This is a small business taking
orders from other small businesses.

I would think this is a common need in the industry -- not at the enterprise
level, perhaps, but for the millions of small businesses out there that I
deal with, this is a common scenario. All of the talk about WSE, WCF and so
on tends to cloud the basic issues for the simple scenarios.

Thanks again for your help.

Rob Schripsema
DeWaard and Jones Company


"CESAR DE LA TORRE [MVP]" <cdltll@xxxxxxxxxxx> wrote in message
news:56D711A9-34C6-4C94-B9D3-49F570D7A3DF@xxxxxxxxxxxxxxxx
> If you have a simple scenario, and just end-to-end communication (you do
> not
> have several end-points or middle end-points, and I mean Web-Services
> Servers
> end-points), then, SSL might be enough for you.
> About WSE 3.0 and WCF in the future (Windows Communication Foundatio, code
> name as Indigo), when talking about security, it offers security at
> message
> level instead of security at transport protocol level (like SSL). It is
> better for complex scenarios, middle points WebServices where you don't
> want
> to trust at transport level, so, you can encrypt and signg at message
> level.
> With theses new technologies you also have new standars for complex
> communications like WS-SecureConversation, etc.
>
> So, if you have a very simple scenario, SSL might be OK. And of course, it
> is secure enough (if you want more security with SSL, use a 128bit Server
> Certificate, do not use a 64bit Server Cert.).
> --
> CESAR DE LA TORRE
> Software Architect
> [Microsoft MVP - XML Web Services]
> [MCSE] [MCT]
>
> Renacimiento
> [Microsoft GOLD Certified Partner]
>
>
> "news.microsoft.com" wrote:
>
>> My apologies....
>>
>> That last note went out with a user name of "news.microsoft.com".
>> Apparently
>> my news reader was misconfigured. It was really from me.
>>
>> Rob Schripsema
>> DeWaard and Jones
>>
>> "news.microsoft.com" <rob@xxxxxxxxxxxxxxxxxxx> wrote in message
>> news:%23vYoIE30FHA.2212@xxxxxxxxxxxxxxxxxxxxxxx
>> > I'm looking for a nudge in the right direction.
>> >
>> > We have an order processing system that currently has a simple ASP.NET
>> > web
>> > interface. Various clients who want to place orders already have a
>> > userID
>> > and password specified within our application (i.e., not Windows
>> > authentication) that they must supply in order to logon to their
>> > 'account'
>> > and submit orders for themselves. They communicate from a browser over
>> > the
>> > public internet. The browsers/server utilize SSL for encrypting the web
>> > traffic.
>> >
>> > We'd now like to implement this functionality as a web service to
>> > interact
>> > with some desktop applications that can generate orders. We'd like to
>> > have
>> > the remote app simply transfer the data, presumably in an XML format
>> > that
>> > we already have defined, over the public internet, providing their
>> > userID
>> > and password.
>> >
>> > My question is: if we just add the userID and password in the XML
>> > schema/data, is the SSL layer sufficient to ensure that anyone who
>> > might
>> > intercept the traffic en route would not be able to determine the
>> > UserID
>> > and password? Once we have the XML data in our app, it would be a
>> > trivial
>> > matter to determine if the data is coming from a source that had a
>> > legitimate, active UserID and a valid password. And that's pretty much
>> > all
>> > we'd need.
>> >
>> > I read about WSE, WS-Security, etc. and it all seems like so much
>> > overkill
>> > for my needs -- but I can't locate a single, simple scenario that looks
>> > like what I have in mind here.
>> >
>> > Any direction would be greatly appreciated!
>> >
>> > Rob Schripsema
>> > DeWaard and Jones Company
>> > Bellingham, WA
>> >
>> >
>> >
>> >
>>
>>
>>


.

Relevant Pages

  • Re: Are ASP.NET user interfaces essentially dead now?
    ... it will be tight enough that you can't call SQL ... takes longer to develop ASP.NET interface than a windowsform app ... And communicating with a Web Service is not required the ... > I see Winforms doing the major amount of interface work and leaving the ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: How do I terminate CWinApp application?
    ... needs to load a scenario before it starts. ... app alive until the user says exit is preferable). ... having an additional CView-derived class, and if there was a syntax error, I'd bring up ...
    (microsoft.public.vc.mfc)
  • Re: Going crazy trying to understand Web Services behaviour with static member fields, static classe
    ... is loaded for the life of the app domain (ASP.NET can recycle the app domain ... if I launch the exe 2 or more times each exe sees different things ... I think a web service is like a web page, so it lives only for the ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: Cant find item in server side cache
    ... Then I used the url for web service when it was originally created which was ... So the web service and aspx ... page really were running in different instances of the web app. ... the web service returns the GUID back to the winform via the WS ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Writing to registry
    ... > I thought we were talking aboout a multiple user scenario. ... and those that the App is interested in. ... [I am in agreement with you considering the Registry, ... isn't as fragile as many would have you believe, but it is a shared resource ...
    (microsoft.public.vb.general.discussion)