Authorization during WS-SecureConversation secured calls

From: Tim Tyhurst (timNoSpam_at_NoSpamdogmead.com)
Date: 12/15/04


Date: Wed, 15 Dec 2004 09:25:01 -0800

What are the options/best practices for authorizing individual Web Service
methods that are being made under the protection of WS-SecureConversation?

The pattern I have in mind is:

1) The web service client is initially authenticated using a custom
username/password (stored in a backend database) while the
WS-SecureConversation machinery is being set up. (No problems in this part).

2) Subsequent web service calls made by the client are now secured and
authenticated, but how can authorization checks be performed on them at call
time, since different web service calls may have different privilege
requirements?

In particular, I can't see how to obtain a Principal/Identity from the
DerivedKeyToken that is being used to encrypt the subsequent web service
requests.

This seems like it should be a fairly common usage pattern, but everything
I've read so far appears to discuss WS-SecureConversation and authorization
separately, and I can't seem to get my head around how these should be made
to work together.

Should I be exploring:

i) A solution based on custom security tokens? Binary or XML?
ii) Adding some sort of custom SOAP header?
iii) Some sort of session state based solution?
iv) Something else altogether?

I'm still holding out hope that this problem is straightforward and I've
just managed to miss some key point... Regardless, any insights much
appreciated!

tim
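One way to model the session-state option (iii) from the question, as an added illustration that is not part of the original post and not WSE's API: the security context id issued during WS-SecureConversation setup becomes the link between the DerivedKeyToken-protected request and the principal that was authenticated with the username/password, and per-method authorization is a policy lookup on that principal's roles. Names (ContextRegistry, METHOD_POLICY, hash_password, sign_request) and the key derivation are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed per-method policy: roles allowed to invoke each operation.
METHOD_POLICY = {"GetBalance": {"reader", "admin"}, "TransferFunds": {"admin"}}

def hash_password(password):
    # Placeholder for the backend database's stored credential format.
    return hashlib.sha256(password.encode()).hexdigest()

def sign_request(derived_key, body):
    # Stand-in for the signature a DerivedKeyToken produces over the request body.
    return hmac.new(derived_key, body, hashlib.sha256).digest()

class ContextRegistry:
    """Hypothetical model: maps a security context id to the principal that was
    authenticated when the conversation was bootstrapped, so later calls can be authorized."""
    def __init__(self):
        # context id -> (principal, roles, session secret)
        self._contexts = {}

    def bootstrap(self, username, password, credential_store, role_store):
        # Step 1 of the pattern: verify the username/password once, then bind
        # the resulting principal to a fresh context id and session secret.
        stored = credential_store.get(username)
        if stored is None or not hmac.compare_digest(stored, hash_password(password)):
            return None
        context_id = secrets.token_hex(16)
        self._contexts[context_id] = (
            username, set(role_store.get(username, ())), secrets.token_bytes(32))
        return context_id

    def derive_key(self, context_id, nonce):
        # Simplified per-message key derivation; real WS-SecureConversation uses P_SHA1.
        return hmac.new(self._contexts[context_id][2], nonce, hashlib.sha256).digest()

    def authorize(self, context_id, nonce, method, body, mac):
        # Step 2: check the request is bound to this context (possession of the
        # derived key), then look up the principal and apply the method policy.
        ctx = self._contexts.get(context_id)
        if ctx is None:
            return (False, "unknown security context")
        principal, roles, _secret = ctx
        if not hmac.compare_digest(sign_request(self.derive_key(context_id, nonce), body), mac):
            return (False, "message not bound to this context")
        if not roles & METHOD_POLICY.get(method, set()):
            return (False, f"{principal} lacks a role for {method}")
        return (True, principal)
```

The principal is never carried in the later messages themselves; it is recovered server-side from the context id, which is only accepted when the message proves possession of that context's key.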
