Re: establishing a security context using usernameForCertificateSecurity
Yes, it could be OK as long as you secure that password (using DPAPI, for
example).
Anyway, you are still performing authentication by means of password
comparison. (I prefer to use Windows authentication since I do not need
to keep the user password.)

Regards,
Pablo Cibraro.

"gbier" <george.bier@xxxxxxxxx> wrote in message
news:1155141978.702137.32420@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks Pablo,

You truly are "the man" when it comes to WSE!

If the MS Patterns and Practices book spelled out this rather big
difference between the two username choices (certificate versus over
transport), then I must have missed it. So thanks again.

You are absolutely right about the issue that I can't tell if it is the
same client if I cache the authorization in the custom token manager.
Thank you for pointing that out. I did not think of that.

Let me run the following by you, just to see if you can poke any holes
in it. I believe that the web services client/server protocol we are
using does not have any state, so secure conversation was just to avoid
the overhead of validating the user on every call, not to save state.

More specifically, the protocol we use is something along the lines of

Client calls            Web method returns
--------------------    --------------------------
GetRecordsAvailable     record ids: 118, 139, 143
GetRecord(118)          record 118
GetRecord(139)          record 139
GetRecord(143)          record 143

This is greatly simplified; in reality there might be hundreds or thousands
of records, and GetRecord can request more than one record at a time.

The client is allowed to request the same record as often as it likes,
and if it requests a record that does not exist, it will get back an
error.

Do you see any problem if the Custom Token Manager saves the User
Id/Password in the HTTPCache for something on the order of 5 minutes?

thanks,
--george
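The arrangement discussed above (a custom WSE UsernameTokenManager that keeps the user's credential in the ASP.NET cache for about five minutes, with the stored password protected by DPAPI), written out as an added example. This is not code from either post nor from WSE itself; the in-memory user store, the cache key prefix, the entropy value and the five-minute TTL are assumptions for illustration. The point it demonstrates is that the cache holds the *password WSE compares against*, not the outcome of an earlier authentication, so a different client presenting the same user name with a wrong password is still rejected; authentication remains a password comparison, exactly as Pablo notes.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Caching;
using Microsoft.Web.Services3.Security.Tokens;

// Added example (not from the thread). WSE 3.0 calls AuthenticateToken and
// compares the returned password with the UsernameToken it received
// (plain text or digest); returning null makes WSE reject the token.
public class CachingUsernameTokenManager : UsernameTokenManager
{
    // Assumed TTL: the post suggests "on the order of 5 minutes".
    private static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(5);

    // Assumed DPAPI entropy; in practice generate a random value per deployment
    // and keep it out of source control.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("wse-pwd-cache-entropy");

    // Constructed stand-in for the real user store the token manager reads.
    private static readonly Dictionary<string, string> SampleStore =
        new Dictionary<string, string> { { "gbier", "correct horse battery staple" } };

    protected override string AuthenticateToken(UsernameToken token)
    {
        if (token == null) throw new ArgumentNullException("token");

        string cacheKey = "wse:pwd:" + token.Username;
        byte[] protectedPwd = HttpRuntime.Cache[cacheKey] as byte[];

        if (protectedPwd == null)
        {
            // Cache miss: hit the store, protect the credential before caching it.
            string pwd = LookupPassword(token.Username);
            if (pwd == null) return null; // unknown user -> WSE rejects the token

            protectedPwd = ProtectedData.Protect(
                Encoding.UTF8.GetBytes(pwd), Entropy, DataProtectionScope.CurrentUser);

            // Absolute expiration: the entry disappears after CacheTtl regardless of use.
            HttpRuntime.Cache.Insert(cacheKey, protectedPwd, null,
                DateTime.UtcNow.Add(CacheTtl), Cache.NoSlidingExpiration);
        }

        // Unprotect only for the duration of WSE's comparison, then wipe the buffer.
        byte[] clear = ProtectedData.Unprotect(protectedPwd, Entropy, DataProtectionScope.CurrentUser);
        try
        {
            return Encoding.UTF8.GetString(clear);
        }
        finally
        {
            Array.Clear(clear, 0, clear.Length);
        }
    }

    // Assumed helper: replace with the lookup the existing token manager performs.
    private static string LookupPassword(string username)
    {
        string pwd;
        return SampleStore.TryGetValue(username, out pwd) ? pwd : null;
    }
}
```

Two practical notes. DataProtectionScope.CurrentUser ties the protected blob to the account the worker process runs as (the application pool identity), which is what you want here; DataProtectionScope.LocalMachine would let any process on the server unprotect the cached entries. And because the cache is keyed by user name only and stores the credential rather than an "authenticated" flag, the "is this the same client?" problem Pablo raised for a cached authorization decision does not apply: every call is still checked against the real password, the cache only saves the trip to the user store.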
