Re: WS Security issues

From: "Henrik Skak Pedersen" <hsp@xxxxxxxxxxxxxxxxx>
Date: Wed, 1 Jun 2005 19:27:39 +0200

Ok, thanks again. I have just seen in some examples that you also can use
the UsernameToken to encrypt and sign your messages with. But I guess that
you only use it for authentication and then let SSL handle the rest?

Do you know how to send the current user credentials, so that the user don't
have to specify username/password?

Henrik.

"Yedu" <Yedu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F923199D-998F-4ACE-9AE4-D5A0A7BBB94B@xxxxxxxxxxxxxxxx
> UsernameToken is used for authentication and authorization. It represents
> security credentials in the form of a user name and password.
> The usernameToken can be sent in this way from the client code:
> UsernameToken token = new UsernameToken(domainAndUserId, Password,
> PasswordOption.SendPlainText);
> proxy.RequestSoapContext.Security.Tokens.Add(token);
>
> Since SSL is at the transport level and not at the message level, you will
> not have to do anything in the code for it. Only thing i can think of is
> that
> the URL in the proxy would change to 'https' instead of 'http'
>
>
>
> "Henrik Skak Pedersen" wrote:
>
>> Hi Yedu,
>>
>> Thank you very much for your reply.
>>
>> Would you use UsernameTokens for signing, encrypting and authentication?
>> How can I send the current UsernameToken?
>> How are you deploying "SSL settings"?
>>
>> Regards
>>
>> Henrik
>>
>> "Yedu" <Yedu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:C7E4560D-F7DF-43A1-9799-97BF2A2E48FC@xxxxxxxxxxxxxxxx
>> > We have a similar setup that you described.
>> > We are sending the Username/password in the userName token, the
>> > Webservice
>> > server machine needs to be in the same domain as of the AD, if an
>> > invalid
>> > username/password is sent and it cannot be authenticated it will throw
>> > a
>> > SoapFault. The username/password is sent as plaintext in the
>> > usernameToken.
>> >
>> > We are using SSL for making sure that the channel is secure.
>> >
>> > If you plan to implement the X.509 for encryption my guess is that it
>> > will
>> > be drag on the performance.
>> > "Henrik Skak Pedersen" wrote:
>> >
>> >> Hello,
>> >>
>> >> I am working on a product when we are shipping a web service and a
>> >> windows
>> >> client to several end-customers. The web service should be able to run
>> >> either on the inside or on the outside of their firewall. The same CD
>> >> are
>> >> being sent to all customers, so it is not possible to modify anything
>> >> from
>> >> customer to customer. The software should run directly after
>> >> installation,
>> >> without obtaining certificates or anothing else.The clients are
>> >> running
>> >> on
>> >> Windows 2000 server and client, Windows XP and Windows Server 2003.
>> >>
>> >> I have two demands:
>> >>
>> >> 1) All WS requests from the client needs to be authorized by AD. It
>> >> should
>> >> be possible to log in using the current credentials or by specifying
>> >> an
>> >> user
>> >> name/password pair.
>> >>
>> >> 2) All WS requests from the client needs to be encrypted and signed
>> >>
>> >> I have looked into X509SecurityToken, KerberosToken and UsernameToken.
>> >> But I
>> >> just can't see how I solve this the the best way.
>> >>
>> >> If I use X.509 for signing and encryption, then I guess that I have to
>> >> distribute the same certificate to all customers, which I guess not i
>> >> a
>> >> smart idea.
>> >> I have read that the KerberosToken does not work for Windows 2000.
>> >>
>> >> Any recommendations?
>> >>
>> >> Regards
>> >>
>> >> Henrik Skak Pedersen
>> >>
>> >>
>> >>
>>
>>
>>

.

Follow-Ups:
- Re: WS Security issues
  - From: Dilip Krishnan

References:
- WS Security issues
  - From: Henrik Skak Pedersen
- RE: WS Security issues
  - From: Yedu
- Re: WS Security issues
  - From: Henrik Skak Pedersen
- Re: WS Security issues
  - From: Yedu

Prev by Date: Re: WS Security issues
Next by Date: Re: WS Security issues
Previous by thread: Re: WS Security issues
Next by thread: Re: WS Security issues
Index(es):
- Date
- Thread

Relevant Pages

Re: Encrypt/Decrypt Username Password using Public Key
... Why do you want to encrypt? ... WSE has all the mechanics for creating tokens based on username/password - and if you run over SSL that's totally fine. ...
(microsoft.public.dotnet.security)
Re: SSL & Certificates or Windows Auth
... Is you are using something like "Basic Authentication" to authenticated ... against the Windows User database, then it is strongly recommended that you ... as the username/password are essentially passed as clear-text. ... So SSL doesn't help you as much here. ...
(microsoft.public.inetserver.iis.security)
Re: Encrypt/Decrypt Username Password using Public Key
... Our requirements are that we have to encrypt the user name and the ... WSE has all the mechanics for creating tokens based on username/password ... - and if you run over SSL that's totally fine. ...
(microsoft.public.dotnet.security)
Re: Secure Password Authentication IMAP?
... On your IMAP Virtual Server properties, go to the Access Tab, then ... authentication encrypted, but not the messages. ... > encrypt the username/password. ...
(microsoft.public.exchange.setup)
Re: Secure Password Authentication IMAP?
... On your IMAP Virtual Server properties, go to the Access Tab, then ... authentication encrypted, but not the messages. ... > encrypt the username/password. ...
(microsoft.public.exchange.admin)