Authentication & Authorization
From: Thomas Waldron (ThomasWaldron_at_discussions.microsoft.com)
Date: 09/28/04
- Next message: Ziyang: "Problem calling a WSE 2.0 service through a proxy/firewall"
- Previous message: John Jenkins: "Nonce and Created Values. General Questions"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 28 Sep 2004 11:59:06 -0700
What is a recommended way using the WSE to handle authentication and
role-based authorization between domain boundaries? (client code in DMZ, web
services on internal server)
More or less, what I'm going for is a series of "service accounts" or
principals that are authorized to call certain web services. I can either
represent these principals as X.509 certs or as a custom username and
password combination.
If I went with X.509, is it sufficient to use WS-Policy/XML files to
restrict what X.509 certs can be used to call a service? Or is it recommended
to store principals and roles in a database, along with the public key of the
cert?
If I go with UserNameToken, I would probably want to override it such that
the client encrypts the password with a symmetric algorithm, and the web
service decrypts, then authenticates against a database where the password is
stored in a salted hashed format, along with the role memberships.
Reasons I would want to change how UserNameToken works:
1) it's only a SHA-1 hash (http://tinyurl.com/5grfd)
2) it requires the password to be persisted somewhere in plain text, in
order for the web service to reconstruct the hash.
Thank you for any feedback,
Thomas