RE: WSE 2.0, smart client, Username authentication, no x.509
- From: Cormac <Cormac@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 28 Jul 2005 06:09:04 -0700
Hi Anna
William Stacey has a excellent solution that works exactly the same as X509
certificates but uses strong name signing of your assembilies to product the
public and private keys his blog is at
http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!268.entry
I dont know if WSE 2.0 SP 3 allows this I think it is only with the new WSE
3.0 technical release but it allows you to host your web services outside of
a web server. WSE 3.0 like WSE 2.0 SP 3 support other protocols apart from
HTTP, they include TCP, SMTP. Therefore you would not need IIS to host the
web services WSE 3.0 hosts them without a web server for you (read the WSE
3.0 documentation).
To perform authentication, because your database does not contain user
tables William Staceys Security Context Token Service (SCTS) implements a
class that uses windows authentication to check the User/Groups on the server
to ensure there is a valid user. Therefore you dont even need a database but
could use the windows authentication, there's also nothing stopping you doing
something as simple as storing user details in an Xml file and parsing it for
the information.
Again to your point 6, the implementation William Stacey has uses Security
Context Tokens therefore a secure conversation occurs between the client and
web service(s).
Hope this helps
Cormac
"Anna" wrote:
> I've got a smart client app (C#) - client + web service. At present I am to
> add security features to the app using WSE 2.0. Security is a very new area
> for me and after 3 days of reading I'm overloaded with the info :-(((. I
> went through the Hands-on Lab (great, was really helpful) but the problem is
> that our scenario doesn't conform to any others found on the web.
>
> 1. My application is going to be installed in either of the following ways:
> - Both client-side app and web service installed on a machine (WinXP) that
> runs SQL server with our database on it. My webservice talks to this DB.
> - The client app is installed on a machine (WinXP) that talks to a remote
> server (Win2000/2003) (with the same database) where my web service is
> installed as well.
>
> 2. Our server *is not* a Web Server. (This is going to be the case only in
> the future).
>
> 3. I don't want to use certificates at present. As far as I understood they
> are the most secure but also the most difficult to deploy.
>
> 4. The existing database does not contain any table with usernames, how I am
> supposed to perform authentication? The default (plainText password with WSE
> performing automatic authentication) only works for the local machine (my
> understanding). What happens if my web service is on the remote server?
>
> 5. I also need authorization (users from a certain group only can use the
> service) as part of the security procedure. Again, I can verify this on the
> local machine, how does the remote server do it?
>
> 6. From what I read and understood I'd like to use some sort of
> authentication (Username or custom probably), authorization, signatures and
> encryption.
>
> 7. I would prefer to use policy files. As we are probably going to change
> the policy in the future, to do it with the policy files would be easier. But
> how to use them with my scenario?
>
> Your help will be *highly* appreciated. As I am very new to the security
> subject, simple and straitforward instructions and tips will be preferable.
>
> Anna
>
>
.
- Follow-Ups:
- Re: WSE 2.0, smart client, Username authentication, no x.509
- From: William Stacey [MVP]
- Re: WSE 2.0, smart client, Username authentication, no x.509
- References:
- Prev by Date: UsernameTokenManager Question
- Next by Date: Re: WSE 2.0, smart client, Username authentication, no x.509
- Previous by thread: WSE 2.0, smart client, Username authentication, no x.509
- Next by thread: Re: WSE 2.0, smart client, Username authentication, no x.509
- Index(es):
Relevant Pages
|
|
