Passing tokens down multiple layers of web services

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Bjorn Bjanger - Abeo (pingdog_bwb_at_msn.com)
Date: 11/23/04 

Date: Tue, 23 Nov 2004 12:04:14 +0100

Hello...

I'm facing a challenge in designing a Service Oriented Architecture based on
WSE 2.0 SP1.

The architecture uses .Net web applications as clients, running with windows
integrated security and impersonation=true. A soapoutputfilter creates a
Kerberostoken for the current user, and adds this token to the messages,
carrying the identity of the user. All webservices are protected by a
soapinputfilter authenticating and authorizing the user(using AzMan for
authorization). Webservices are running anonymously without impersonation.

This works very well when dealing with only one layer of web services.
Here's the challenge, though: Normally, an application uses several layers
of web services. The soapoutputfilter of the topmost web service has no
means of creating a Kerberos token for the user, as this stops in the
soapinputfilter (or really in the webmethod). A call to a secondary
webservice is performed within the context of receiving a call from a
client.

Is there a way to pass on the token from the inputfilter of a webservice to
the outputfilter, when calling the next webservice?

In WSE 2.0 prelease, there was an object called
SecurityTokenCache.GlobalCache, but this has disappeared in WSE 2.0 SP1.
Session objects are not available in the filters, so that's not an option.
Database is not an option, cause then you would need to pass the key from
inputfilter to outputfilter, and you have the same problem again.

My idea was that as you are in the context of a call from a client, the
ResponseSoapContext from the incoming call should be available in the
outputfilter, but this doesn't seem the be the case.

Has anybody encountered and solved this problem? I would appreciate any tips
or pointers!

Best regards,
Bjorn Bjanger, SeniorConsultant Architecture and Identity Management,
Abeo.no

Relevant Pages

  • Re: WSE352 Size of the record exceed its limit
    ... The webservice is a WSE service component soap client. ... you're developing an .net webservice which uses WSE ...
    (microsoft.public.dotnet.framework.webservices)
  • Re: No WSE Proxies
    ... you have an ASP.NET webservice which use WSE 3.0 and another client application which call this webservice. ... Based on my understanding, this is possibly occured for autogenerated web service proxy, so is your client applicationan ASP.NET web application also? ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • RE: Sending a WSE 2.0 security SOAP request from HTML client VBScr
    ... > Welcome to webservice newsgroup. ... > generate it just through string operations, however the WSE message will ... > server page code to call the webservice, this will make the client script's ... Sending a WSE 2.0 security SOAP request from HTML client VBScript ...
    (microsoft.public.dotnet.framework.webservices)
  • 130Mb dime attachment
    ... I've created a small application to transfer files between a client and a ... webservice using DIME WSE 1.0SP1. ... The strange thing is, that when transferring the 70Mb file, my CPU works ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • RE: Error on SOAP Call on only one machine: Could not find default endpoint element that references
    ... "Service Reference" is a proxy class used for consuming WCF service. ... Though WCF client can also consume standard XML webservice, ... Microsoft MSDN Online Support Lead ...
    (microsoft.public.dotnet.languages.vb)