Re: WS Security issues
- From: Dilip Krishnan <"dilip.krishnan AT apdiya DOT com">
- Date: Wed, 01 Jun 2005 14:50:51 -0500
If you're looking for a 'sticky/chatty' webservice. You should consider using SCTs(Secure context tokens) they allow you to be authenticated once and the service issues a token that can be used for subsequent requests.
Henrik Skak Pedersen wrote:
Ok, thanks again. I have just seen in some examples that you also can use the UsernameToken to encrypt and sign your messages with. But I guess that you only use it for authentication and then let SSL handle the rest?
Do you know how to send the current user credentials, so that the user don't have to specify username/password?
Henrik.
"Yedu" <Yedu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:F923199D-998F-4ACE-9AE4-D5A0A7BBB94B@xxxxxxxxxxxxxxxx
UsernameToken is used for authentication and authorization. It represents security credentials in the form of a user name and password. The usernameToken can be sent in this way from the client code: UsernameToken token = new UsernameToken(domainAndUserId, Password, PasswordOption.SendPlainText); proxy.RequestSoapContext.Security.Tokens.Add(token);
Since SSL is at the transport level and not at the message level, you will
not have to do anything in the code for it. Only thing i can think of is that
the URL in the proxy would change to 'https' instead of 'http'
"Henrik Skak Pedersen" wrote:
Hi Yedu,
Thank you very much for your reply.
Would you use UsernameTokens for signing, encrypting and authentication? How can I send the current UsernameToken? How are you deploying "SSL settings"?
Regards
Henrik
"Yedu" <Yedu@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:C7E4560D-F7DF-43A1-9799-97BF2A2E48FC@xxxxxxxxxxxxxxxx
We have a similar setup that you described.
We are sending the Username/password in the userName token, the Webservice
server machine needs to be in the same domain as of the AD, if an invalid
username/password is sent and it cannot be authenticated it will throw a
SoapFault. The username/password is sent as plaintext in the
usernameToken.
We are using SSL for making sure that the channel is secure.
If you plan to implement the X.509 for encryption my guess is that it will
be drag on the performance.
"Henrik Skak Pedersen" wrote:
Hello,
I am working on a product when we are shipping a web service and a
windows
client to several end-customers. The web service should be able to run
either on the inside or on the outside of their firewall. The same CD are
being sent to all customers, so it is not possible to modify anything
from
customer to customer. The software should run directly after
installation,
without obtaining certificates or anothing else.The clients are running
on
Windows 2000 server and client, Windows XP and Windows Server 2003.
I have two demands:
1) All WS requests from the client needs to be authorized by AD. It
should
be possible to log in using the current credentials or by specifying an
user
name/password pair.
2) All WS requests from the client needs to be encrypted and signed
I have looked into X509SecurityToken, KerberosToken and UsernameToken. But I just can't see how I solve this the the best way.
If I use X.509 for signing and encryption, then I guess that I have to
distribute the same certificate to all customers, which I guess not i a
smart idea.
I have read that the KerberosToken does not work for Windows 2000.
Any recommendations?
Regards
Henrik Skak Pedersen
-- HTH Regards, Dilip Krishnan MCAD, MCSD.net dilip.krishnan AT apdiya DOT com .
- References:
- WS Security issues
- From: Henrik Skak Pedersen
- RE: WS Security issues
- From: Yedu
- Re: WS Security issues
- From: Henrik Skak Pedersen
- Re: WS Security issues
- From: Yedu
- Re: WS Security issues
- From: Henrik Skak Pedersen
- WS Security issues
- Prev by Date: Re: WS Security issues
- Next by Date: Re: WS Security issues
- Previous by thread: Re: WS Security issues
- Next by thread: Re: WS Security issues
- Index(es):
Relevant Pages
|
