Re: Please Help me- Creating Custom tokens


From: Sumaira Ahmad (sumaira.ahmad_at_gmail.com)
Date: 10/22/04


Date: 22 Oct 2004 09:57:03 -0700

I thought of this idea so as to avoid the user being authenticated and
authorized each time he accesses a web method.
Also I want to know when there are so many users accessing the same
web method, there has to be a way by which the server will know where
the request is coming from..something like session tracing...(I don't
know much about it)

In the web Service, the CustomTokenManager will authenticate the user
whenever he sees the Username Token. But the client does not have to
send the username with each request right?? So in that case the server
has to know where the request is coming from.. and also something like
if the client stays idle for a long time, then the session would
expire and he would be asked to login again..
That is why the server will track the time he sends the request, will
also add the username from the UsernameToken and the time by
which the client should send the next request, put all that info in a
custom token and send it to the client.. Now the client will send the
same encrypted token back to the server so that the server will know
the name of the user after decrypting the token and will put the
latest time on it and encrypt again and send it back..

I hope you understand why I am trying to do this?? Am I all confused??
Is there any other way of doing it???so that the server can track the
user session..especially when he has to handle multiple users at the
same time..

I am myself confused how that could be achieved hence thought of this
design..
Any other ideas?? How do people implement this in WS Security..Do they
do caching???

Thanks,
Sumaira

"Softwaremaker" <msdn@removethis.softwaremaker.net> wrote in message news:<eDaZ1P9tEHA.3916@TK2MSFTNGP10.phx.gbl>...
> "Sumaira Ahmad" <sumaira.ahmad@gmail.com> wrote in message
> news:1627c5ae.0410200817.49a99c8d@posting.google.com...
> > Hi,
> > thanks so much for your time.. Let me explain the scenario here...
> > I will have an ASP.NET Web Application that will interact with Web
> > Services to perform some tasks..
> >
> > The user/client calls the Web Service and also sends his encrypted
> > username token. So before he is given access to the Web Method, the
> > WSE on the Web Service first authenticates him against Active
> > Directory (using UsernameTokenManagers - Authenticate Method). After he
> > is authenticated, in the Web method before the response is sent I will
> > retrieve the groups to which he belongs and will verify if he is
> > allowed to access the web method he requested.
>
> [Softwaremaker] Are you trying to implement some sort of security to check
> if a user is allowed access to WebMethods or SOAPMethods?
> Check my replies to this post news:epWfhH9tEHA.3200@TK2MSFTNGP09.phx.gbl and
> news:OqrkZN9tEHA.2116@TK2MSFTNGP14.phx.gbl
>
> WS-Security of WSE2.0 only secures the exchanged messages.
>
> > Now the Web server in
> > his response along with other information in the body will send back
> > an encrypted token in the response header. The token will have the
> > username, the groups to which he belongs and the time when the token
> > will expire. The ASP.NET Application will receive the token and send
> > it back untouched when the user requests another page which may
> > access another method of the Web Service. So then the server will
> > not expect a username token. It will expect the encrypted token, will
> > check the time has not expired and if not, then it will not be
> > required to again authenticate and authorize the client.
> > So I don't know if I can use Forms authentication..when I am using Web
> > Services..Can I??
> >
> > I am pretty new to all this...I hope I am clear.. Can you please guide
> > me...as to how I can achieve this..
> >
> > Thank you so much,
> > Sumaira
> >
> >
> > "Softwaremaker" <msdn@removethis.softwaremaker.net> wrote in message
> news:<u4GPRimtEHA.2128@TK2MSFTNGP11.phx.gbl>...
> > > Wait a second...am reading your initial post with more detail.
> > >
> > > > In ASP.NET Web Application/Web Server...
> > >
> > > Are we talking about an ASP.NET Web Application here or a Web Service
> > > call with WSE ?
> > >
> > > If you are talking about an ASP.NET Web Application, Windows and Forms
> > > Authentication provides you that infrastructure right out of the box.
> > >
> > > --
> > > Thank you.
> > > ~Softwaremaker
> > >
> > > ==================================
> > >
> > >
> > > "Softwaremaker" <msdn@removethis.softwaremaker.net> wrote in message
> > > news:OFNFmfmtEHA.3320@TK2MSFTNGP15.phx.gbl...
> > > > Yes, you are free to implement your own security elements in the
> > > > header if you choose to. They are not standards-based though, so if
> > > > you are trying to interoperate with other systems that you have no
> > > > control of, you may run into problems.
> > > >
> > > > There may be a security caveat breach though, anyone can do a MITM
> > > > attack and replace your custom security token lock-stock-barrel with
> > > > an unauthorized or untrusted one if you choose not to authenticate
> > > > the user at every method invocation.
> > > >
> > > >
> > > > --
> > > > Thank you.
> > > > ~Softwaremaker
> > > >
> > > > ==================================
> > > >
> > > > "Sumaira Ahmad" <sumaira.ahmad@gmail.com> wrote in message
> > > > news:1627c5ae.0410191841.292c952c@posting.google.com...
> > > > > But I guess that deals with the client sending a custom token
> > > > > obtained from a token issuer and using that to encrypt and sign
> > > > > the requests..
> > > > > But the problem I want to solve is slightly different since I want
> > > > > to send an encrypted token in the header of the response message. The
> > > > > token created by the server has some user info such as his first
> > > > > name, last name, etc. Will those samples help me??
> > > > > I did have a look at it once, but was wondering if there was an easy
> > > > > way of implementing it.. Looked pretty complicated to me...
> > > > > So you think that can help my implementation??
> > > > >
> > > > > Thanks,
> > > > > Sumaira
> > > > >
> > > > > "Softwaremaker" <msdn@removethis.softwaremaker.net> wrote in message
> news:<uVKjDoitEHA.3448@TK2MSFTNGP09.phx.gbl>...
> > > > > > If you are looking for some custom security token implementations,
> > > > > > you can check out some of the excellent samples that came with the
> > > > > > WSE2.0 download
> > > > > >
> > > > > > CustomBinarySecurityToken and the CustomXMLSecurityToken samples.
> > > > > >
> > > > > > Some of them use an implementation of the SCT
> > > > > > (SecureContextToken) as outlined in WS-Trust.
> > > > > >
> > > > > > --
> > > > > > Thank you.
> > > > > >
> > > > > > Regards,
> > > > > > Softwaremaker
> > > > > > http://www.softwaremaker.net/blog
> > > > > >
> > > > > > =========================================
> > > > > >
> > > > > > "Sumaira Ahmad" <sumaira.ahmad@gmail.com> wrote in message
> > > > > > news:1627c5ae.0410191230.1e4729e8@posting.google.com...
> > > > > > > Hi,
> > > > > > >
> > > > > > > Please help me know how to do this..
> > > > > > >
> > > > > > > In ASP.NET Web Application/Web Server , I want to send back an
> > > > > > > encrypted token from the server to the client. This encrypted
> > > > > > > token will contain information such as: Username, groups that he
> > > > > > > belongs to, timestamp and expiry time. The client would just
> > > > > > > store this token and send it to the server the next time when it
> > > > > > > requests a page instead of sending a Username token and getting
> > > > > > > it authenticated and authorized again.
> > > > > > > Can someone please tell me how to create an encrypted token on
> > > > > > > the server and send it back in the response Soap Header??
> > > > > > >
> > > > > > > Please.. Any help would be highly appreciated.
> > > > > > >
> > > > > > > Regards,
> > > > > > > Sumaira
> > > >
> > > >
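The design Sumaira lays out at the top of this message (server issues a token carrying username, groups and an expiry; the client echoes it back; the server checks the expiry and re-issues it with a new one) and Softwaremaker's caveat about a token being swapped in transit can both be shown in one small piece of code. What follows is an added example, not code from this thread and not WSE 2.0 code: a Python stand-in for the C#/WSE design, using an HMAC under a server-only key as the token's integrity tag. The key, user names, group names and the clock values are all constructed for the demo.

```python
"""Added example (not code from the thread or from WSE): a server-issued
session token that carries username, groups and an expiry, is echoed back by
the client, and is re-issued with a fresh expiry on every valid call.  The
integrity tag is an HMAC under a server-only key, so a token whose claims
were edited in transit is rejected.  Python stand-in for the C#/WSE 2.0
design being discussed; key, names and timings are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed for the demo: a real deployment keeps the key out of source,
# provisions it per server and rotates it.
SERVER_KEY = b"demo-only-server-key-do-not-deploy"
IDLE_TIMEOUT_SECONDS = 900        # the idle window Sumaira describes: 15 min here
TAG_LEN = hashlib.sha256().digest_size


def _tag(payload: bytes, key: bytes) -> bytes:
    """Integrity tag over the serialized claims."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_token(username: str, groups: List[str],
                now: Optional[float] = None, key: bytes = SERVER_KEY) -> str:
    """Server side, right after UsernameToken authentication: build the
    token that goes back to the client in the response header."""
    now = time.time() if now is None else now
    claims = {"sub": username, "groups": sorted(groups),
              "iat": int(now), "exp": int(now) + IDLE_TIMEOUT_SECONDS}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload + _tag(payload, key)).decode()


def validate_token(token: str, now: Optional[float] = None,
                   key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the claims if the tag verifies and the token is unexpired,
    otherwise None (the caller then falls back to full authentication)."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:                # binascii.Error is a ValueError
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    # Constant-time comparison: a plain == would leak how many bytes matched.
    if not hmac.compare_digest(tag, _tag(payload, key)):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None                   # idle too long: force a fresh login
    return claims


def refresh_token(token: str, now: Optional[float] = None,
                  key: bytes = SERVER_KEY) -> Optional[str]:
    """What the server does on every call: verify, then re-issue with the
    expiry pushed out by another idle window."""
    claims = validate_token(token, now, key)
    if claims is None:
        return None
    return issue_token(claims["sub"], claims["groups"], now, key)


def edit_payload_keeping_tag(token: str, new_username: str) -> str:
    """Test helper modelling the in-transit edit Softwaremaker warns about:
    change the username but keep the original tag.  validate_token must
    reject the result."""
    raw = base64.urlsafe_b64decode(token.encode())
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    claims = json.loads(payload)
    claims["sub"] = new_username
    forged = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(forged + tag).decode()


if __name__ == "__main__":
    t0 = 1_700_000_000.0              # constructed clock so the run is repeatable
    tok = issue_token("alice", ["users", "admins"], now=t0)
    print("valid  :", validate_token(tok, now=t0 + 10))
    print("expired:", validate_token(tok, now=t0 + IDLE_TIMEOUT_SECONDS))
    print("edited :", validate_token(edit_payload_keeping_tag(tok, "mallory"), now=t0 + 10))
    print("refresh:", validate_token(refresh_token(tok, now=t0 + 500), now=t0 + 500))
```

Two limits of this scheme are worth keeping in mind when reading the thread. The tag gives integrity, not secrecy: anyone who sees the token can read the username and groups, so if that must stay private the token has to be encrypted as well (authenticated encryption, or carrying it inside a WS-Security signed and encrypted message). And a token copied intact is accepted until it expires, which is why it should travel only over TLS or inside a signed message, why the idle window should be short, and why a change to a user's group membership will not take effect until the token lapses and the server authenticates the user afresh.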


