Re: WSE 2.0 Custom Authentication

From: Softwaremaker (msdn_at_removethis.softwaremaker.net)
Date: 06/22/04


Date: Tue, 22 Jun 2004 21:07:01 +0800

Hi Greg,

I understand your concern. If you are sending multiple messages (> 2) to a
service, you may want to look at the Security Context Token (SCT) that is
implemented with WS-SecureConversation. Look at the working samples for an
idea. You can also find in the newsgroups few postings (some of them by me
;)) that relates to WS-SecureConversation. There are a 2 models for
WS-SecureConversation. One where the SCT Issuer has the same host and
endpoint as the Service itself and one where it is different. There are
working samples in the examples.

The SCT in WS-SecureConversation is optimized for a Conversation-Like model
where multiple secured messages are exchanged. Symmetric Key Tokens are used
in this case to cut down on processing power.

I also agree with you that the documentation has been *crappy* and
inaccurate. Again see some of my posts in this newsgroup with regards to the
poor documentation of WSE2.0RTM.

hth.

-- 
Thank you very much
Warmest Regards,
Softwaremaker
Architect | Evangelist | Consultant
+++++++++++++++++++++++++++++++++
"Greg" <na> wrote in message news:u$$mwHFWEHA.4048@TK2MSFTNGP12.phx.gbl...
> Hi Jag, thanks for the reply. I ended up getting it working, I just
overrode
> the AuthenticateToken method.   I found the most difficulty in configuring
> the web.config :)   I was trying to do it manually and kept running into
> problems. Unfortunately a lot of the documentation doesn't explain what
the
> settings are for in the web.config very well (at least not what I was
> looking at).  I ended up using the visual studio add-in tool to configure
it
> and everything has worked.  Also, I had to update the web references
several
> times.
>
> My user authentication method is as follows:
>
> protected override string AuthenticateToken(UsernameToken token)
>   {
>
>    ClassLib.User User; // My custom user class
>
>    string sConnString =
Utilities.ReadAppSettings("AdminConnectionString");
>    User = new ClassLib.User(sConnString);
>
>     // Queries Db to see if userId is valid
>    if(User.GetUserAuthentication(token.Username, token.Password) >0)
>    {
>         return token.Password;
>    }
>    else
>    {
>         return "";
>    }
>   }
>
> One thing that I don't like about this is that it has to authenticate the
> user each time, which means a trip to the db each time. I may end up
> creating a hash table to store all the authenticated users and search that
> before querying the db.  The only downside there is if a user changes a
> password (or user is deleted), I will have to make sure the hash table is
> updated accordingly.
>
>
> ----- Original Message ----- 
> From: "Jag" <jagdeepsahdeva@hotmail.com>
> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
> Sent: Monday, June 21, 2004 8:15 PM
> Subject: Re: WSE 2.0 Custom Authentication
>
>
> > Hi Greg
> >
> > I am trying to do a similar implementation. You can have a look at the
> > CustomXmlSecTokencode sample (check under the WSE 2.0 install
directory).
> I
> > have had no luck getting the sample to work. You may see some of my
> posting
> > but I am still waiting for some help. Thats all I can help with.
> >
> > Regards
> > Jagdeep
> >
> > "Greg" <na> wrote in message
> news:%23zgR4M6VEHA.1952@TK2MSFTNGP12.phx.gbl...
> > > I would like to implement custom authentication using WSE 2.0 . I have
> > > downloaded the HOL but all the examples seem to use a windows
> > authentication
> > > system which is not possible for me.
> > >
> > > My thought would be to override the "AuthenticateToken" method
(similar
> to
> > > what is in the WebSecurityHelper.cs example), perform a database
query,
> > etc.
> > > However, I'm guessing I would still have to get a valid token in order
> for
> > > this to be useful (though the method just returns a string, so I'm not
> > > sure-- still trying to get my head wrapped around it).  Has anyone
> > attempted
> > > something like this? Am I heading in the right direction?
> > >
> > > Thanks,
> > >     Greg
> > >
> > >
> >
> >
>
>