Re: WSE 2.0 1000 Foot level Question Easy one

From: Sql Agentman (gusaawar_at_gmail.com)
Date: 12/01/04


Date: 1 Dec 2004 06:58:01 -0800

Thank you for your reply,

If I understand you correctly:

I can use SSL between the WebSite and the WebService?
or
I can use SecureConversation between the Website and the WebService?

Now when one of my users authenticates with his/her/its account and
password on a web Form (using Form authentication)
I can keep that info in a session variable(s), but what is the best
practice?
Passing the user account and password to the web service so the web
service can authenticate/authorize their requests etc...

Do I generate a UserNameToken and keep it in the WebSite Session and
send it back and forth to the WebService??

I am looking for some guidance, documents, a book that can give me
some real life examples on how to go about doing that securely.

Thank you again for your help...

Gus

"Softwaremaker" <msdn@removethis.softwaremaker.net> wrote in message news:<#J0$Nv51EHA.2572@tk2msftngp13.phx.gbl>...
> "Sql Agentman" <gusaawar@gmail.com> wrote in message
> news:ba4dbad4.0411302142.3f9454db@posting.google.com...
> > I need to secure communications between a website and a web service
> >
> > what possible ways of doing this?
> >
> > Possibilities
> >
> > 1- use a trust between the website and the web service
>
> [Softwaremaker] Do you mean SSL ? If it is just end-to-end security you
> desire with no intermediaries in between, you can consider SSL
>
> > 2- use usernameToken and authenticate per user every time for every
> > method
> >
> > if I am to use a user account and password where do I keep them?
> > I can pass them encrypted. Do I keep them in session state?
> > What if session is hijacked?
> >
>
> [Softwaremaker] You keep the useraccount and pwd as you would
> normally....either in Windows Accounts, AD, or a UserDB, etc. Web Services
> are stateless and there is no session per se. Every call would involve your
> web services to authenticate again. You can implement your own session
> container, if you choose to. You can also look at WS-SecureConversation
> which uses SecureContextTokens for quicker authentication. However, it is
> not really a standard yet. If you have control on both ends and they both
> use WSE, then it should be fine.
>
> > thanks for any help, or reference to any documents that can guide me
> > through this.
> >
> > gus.
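
An added example, not part of the original thread and not WSE's own code: a sketch of the per-call UsernameToken check discussed above, using the hashed-password form from the OASIS UsernameToken Profile, where the digest is Base64(SHA-1(nonce + created + password)), together with a freshness window and a nonce cache so a captured token cannot be replayed. The function names, the `USERS` store, the sample password and the five-minute window are assumptions made for illustration; note that the service must hold the password (or an equivalent secret) to recompute the digest, and the token still needs SSL or message encryption around it.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone

FRESHNESS = timedelta(minutes=5)                 # assumed acceptance window
USERS = {"gus": "constructed-sample-password"}   # constructed user store
_seen_nonces = {}                                # nonce -> expiry (replay cache)

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), nonce as raw bytes."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def make_token(username, password, now=None):
    # Client side: a fresh nonce and timestamp for every call.
    now = now or datetime.now(timezone.utc)
    nonce = os.urandom(16)
    created = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}

def verify_token(token, now=None):
    """Service side: returns 'ok', 'malformed', 'stale', 'replayed' or 'bad-credentials'."""
    now = now or datetime.now(timezone.utc)
    try:
        nonce = base64.b64decode(token["Nonce"], validate=True)
        created = datetime.strptime(token["Created"], "%Y-%m-%dT%H:%M:%SZ")
        created = created.replace(tzinfo=timezone.utc)
    except (KeyError, TypeError, ValueError):
        return "malformed"
    if abs(now - created) > FRESHNESS:
        return "stale"
    for seen, expiry in list(_seen_nonces.items()):   # drop expired cache entries
        if expiry < now:
            del _seen_nonces[seen]
    if nonce in _seen_nonces:
        return "replayed"
    password = USERS.get(token.get("Username"))
    expected = password_digest(nonce, token["Created"], password or "").encode("ascii")
    sent = str(token.get("PasswordDigest", "")).encode("utf-8")
    if password is None or not hmac.compare_digest(expected, sent):
        return "bad-credentials"
    _seen_nonces[nonce] = created + FRESHNESS          # remember until it would be stale
    return "ok"
```

The replay cache here is in-process memory; a service running on more than one node would need a shared store for the nonces.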


