Re: WS Security issues
- From: "Yedu" <Yedu@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 1 Jun 2005 10:20:04 -0700
UsernameToken is used for authentication and authorization. It represents
security credentials in the form of a user name and password.
The usernameToken can be sent in this way from the client code:
UsernameToken token = new UsernameToken(domainAndUserId, Password,
PasswordOption.SendPlainText);
proxy.RequestSoapContext.Security.Tokens.Add(token);
Since SSL is at the transport level and not at the message level, you will
not have to do anything in the code for it. Only thing i can think of is that
the URL in the proxy would change to 'https' instead of 'http'
"Henrik Skak Pedersen" wrote:
> Hi Yedu,
>
> Thank you very much for your reply.
>
> Would you use UsernameTokens for signing, encrypting and authentication?
> How can I send the current UsernameToken?
> How are you deploying "SSL settings"?
>
> Regards
>
> Henrik
>
> "Yedu" <Yedu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:C7E4560D-F7DF-43A1-9799-97BF2A2E48FC@xxxxxxxxxxxxxxxx
> > We have a similar setup that you described.
> > We are sending the Username/password in the userName token, the Webservice
> > server machine needs to be in the same domain as of the AD, if an invalid
> > username/password is sent and it cannot be authenticated it will throw a
> > SoapFault. The username/password is sent as plaintext in the
> > usernameToken.
> >
> > We are using SSL for making sure that the channel is secure.
> >
> > If you plan to implement the X.509 for encryption my guess is that it will
> > be drag on the performance.
> > "Henrik Skak Pedersen" wrote:
> >
> >> Hello,
> >>
> >> I am working on a product when we are shipping a web service and a
> >> windows
> >> client to several end-customers. The web service should be able to run
> >> either on the inside or on the outside of their firewall. The same CD are
> >> being sent to all customers, so it is not possible to modify anything
> >> from
> >> customer to customer. The software should run directly after
> >> installation,
> >> without obtaining certificates or anothing else.The clients are running
> >> on
> >> Windows 2000 server and client, Windows XP and Windows Server 2003.
> >>
> >> I have two demands:
> >>
> >> 1) All WS requests from the client needs to be authorized by AD. It
> >> should
> >> be possible to log in using the current credentials or by specifying an
> >> user
> >> name/password pair.
> >>
> >> 2) All WS requests from the client needs to be encrypted and signed
> >>
> >> I have looked into X509SecurityToken, KerberosToken and UsernameToken.
> >> But I
> >> just can't see how I solve this the the best way.
> >>
> >> If I use X.509 for signing and encryption, then I guess that I have to
> >> distribute the same certificate to all customers, which I guess not i a
> >> smart idea.
> >> I have read that the KerberosToken does not work for Windows 2000.
> >>
> >> Any recommendations?
> >>
> >> Regards
> >>
> >> Henrik Skak Pedersen
> >>
> >>
> >>
>
>
>
.
- Follow-Ups:
- Re: WS Security issues
- From: Henrik Skak Pedersen
- Re: WS Security issues
- References:
- WS Security issues
- From: Henrik Skak Pedersen
- RE: WS Security issues
- From: Yedu
- Re: WS Security issues
- From: Henrik Skak Pedersen
- WS Security issues
- Prev by Date: Re: WS Security issues
- Next by Date: Re: WS Security issues
- Previous by thread: Re: WS Security issues
- Next by thread: Re: WS Security issues
- Index(es):
Relevant Pages
|
