Re: WSE 2.0, smart client, Username authentication, no x.509
- From: "William Stacey [MVP]" <staceyw@xxxxxxxx>
- Date: Thu, 28 Jul 2005 09:18:30 -0400
Thanks Cormac :-) I was thinking the same thing. Also the updated GetSCT
algo is at:
http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!303.entry
I also prefer SCTs over UserTokens for authentication, so this seems like it
may be the right direction for your needs. Cheers.
--
William Stacey [MVP]
"Cormac" <Cormac@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0D911171-52C8-4A54-93A7-549C28AEBB74@xxxxxxxxxxxxxxxx
> Hi Anna
>
> William Stacey has an excellent solution that works exactly the same as
> X509 certificates but uses strong name signing of your assemblies to produce
> the public and private keys. His blog is at
>
> http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!268.entry
>
> I don't know if WSE 2.0 SP 3 allows this, I think it is only with the new
> WSE 3.0 technical release, but it allows you to host your web services
> outside of a web server. WSE 3.0, like WSE 2.0 SP 3, supports other
> protocols apart from HTTP; they include TCP, SMTP. Therefore you would not
> need IIS to host the web services; WSE 3.0 hosts them without a web server
> for you (read the WSE 3.0 documentation).
>
> To perform authentication, because your database does not contain user
> tables, William Stacey's Security Context Token Service (SCTS) implements a
> class that uses Windows authentication to check the User/Groups on the
> server to ensure there is a valid user. Therefore you don't even need a
> database but could use the Windows authentication; there's also nothing
> stopping you doing something as simple as storing user details in an XML
> file and parsing it for the information.
>
> Again to your point 6, the implementation William Stacey has uses Security
> Context Tokens, therefore a secure conversation occurs between the client
> and web service(s).
>
> Hope this helps
>
> Cormac
>
> "Anna" wrote:
>
>> I've got a smart client app (C#) - client + web service. At present I am
>> to add security features to the app using WSE 2.0. Security is a very new
>> area for me and after 3 days of reading I'm overloaded with the info :-(((.
>> I went through the Hands-on Lab (great, was really helpful) but the problem
>> is that our scenario doesn't conform to any others found on the web.
>>
>> 1. My application is going to be installed in either of the following ways:
>> - Both client-side app and web service installed on a machine (WinXP) that
>> runs SQL server with our database on it. My webservice talks to this DB.
>> - The client app is installed on a machine (WinXP) that talks to a remote
>> server (Win2000/2003) (with the same database) where my web service is
>> installed as well.
>>
>> 2. Our server *is not* a Web Server. (This is going to be the case only in
>> the future).
>>
>> 3. I don't want to use certificates at present. As far as I understood they
>> are the most secure but also the most difficult to deploy.
>>
>> 4. The existing database does not contain any table with usernames, how am
>> I supposed to perform authentication? The default (plainText password with
>> WSE performing automatic authentication) only works for the local machine
>> (my understanding). What happens if my web service is on the remote server?
>>
>> 5. I also need authorization (users from a certain group only can use the
>> service) as part of the security procedure. Again, I can verify this on the
>> local machine, how does the remote server do it?
>>
>> 6. From what I read and understood I'd like to use some sort of
>> authentication (Username or custom probably), authorization, signatures and
>> encryption.
>>
>> 7. I would prefer to use policy files. As we are probably going to change
>> the policy in the future, to do it with the policy files would be easier.
>> But how to use them with my scenario?
>>
>> Your help will be *highly* appreciated. As I am very new to the security
>> subject, simple and straightforward instructions and tips will be
>> preferable.
>>
>> Anna