Re: Is WSE 3 and Kerberos useful for securing services at the method level?
- From: "Howard Hoffman" <HowardH@xxxxxxxxxxxxxxxx>
- Date: Tue, 9 Jan 2007 17:41:17 -0500
We've written a custom PolicyAssertion / SoapFilter pair of subclasses that
grab the SecurityToken out of SoapEnvelope.Context.Credentials, create a
RoleProviderPrincipal if necessary, check IsInRole membership against roles
configured for the SoapEnvelope.Context.Addressing.Action and ultimately
populate the Thread.CurrentPrincipal.
The SoapEnvelope SecurityTokens will be populated by the WSE pipeline, so
you're not just limited to Kerberos.
We've found it to be very useful, as we have lots of different services on
the same ASMX.
HTH,
Howard Hoffman
"Pablo Cibraro [MVP]" <pcibraro@xxxxxxxxxxx> wrote in message
news:uq4s3ktGHHA.1468@xxxxxxxxxxxxxxxxxxxxxxx
Hi Eric,
Your supposition is correct to a certain extent. You can use the Windows
Principal available in the Kerberos token to check permissions at method
level.
Another solution is to extend the Kerberos assertion provided by WSE to
set the CurrentThread.Principal property with the principal available in
the Kerberos token. Once you do that, you can use PrincipalPermission to
set permissions at method level.
Regards,
Pablo Cibraro.
"Eric" <someone@xxxxxxxxxx> wrote in message
news:unLH6XiGHHA.3976@xxxxxxxxxxxxxxxxxxxxxxx
I am designing some services that I am thinking would be good to secure
using Kerberos as we have an intranet setup. It is pretty clear how you
secure a user at the service level, but I'm curious as to how one would
use Kerberos to secure at the method level. Say I have an AD group named
"MyApp" that allows a user to access the service. I'd also like to have
another group "MyAppAdmin" which gives a user access to more methods on
the service than the vanilla user would have.
I haven't seen anything so far to suggest that the WSE helps you in my
scenario beyond providing you with the account name of the user so you
can use code to check for methods you want extra security on, whereas the
service level authentication is pretty much built in. Is that a correct
assessment?
Thanks,
Eric
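
The per-action role check and the PrincipalPermission demand discussed in this thread, as an added example that is not code from any of the posters. It uses only .NET Framework base-class types rather than the WSE pipeline; ActionAuthorizer, the action URIs and the user name are hypothetical, and the role names are the ones from the original question.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example (assumes .NET Framework). ActionAuthorizer is a hypothetical
// stand-in for the check a custom filter would run before the service method.
static class ActionAuthorizer
{
    // Roles allowed per SOAP action (constructed sample configuration).
    static readonly Dictionary<string, string[]> RolesByAction =
        new Dictionary<string, string[]>(StringComparer.Ordinal)
        {
            { "urn:example:MyApp/GetReport", new[] { "MyApp", "MyAppAdmin" } },
            { "urn:example:MyApp/PurgeData", new[] { "MyAppAdmin" } },
        };

    // Call once per request with the principal taken from the security token.
    public static void Authorize(IPrincipal caller, string action)
    {
        string[] allowed;
        // Deny by default: unauthenticated callers and unmapped actions fail.
        if (caller == null || !caller.Identity.IsAuthenticated ||
            !RolesByAction.TryGetValue(action, out allowed) ||
            !Array.Exists(allowed, caller.IsInRole))
        {
            throw new SecurityException("Caller is not authorized for " + action);
        }
        // Publish the identity so declarative demands in the method can use it.
        Thread.CurrentPrincipal = caller;
    }
}

static class Demo
{
    // Declarative method-level demand evaluated against Thread.CurrentPrincipal.
    [PrincipalPermission(SecurityAction.Demand, Role = "MyAppAdmin")]
    static void PurgeData() { Console.WriteLine("PurgeData ran"); }

    static void Main()
    {
        var user = new GenericPrincipal(new GenericIdentity("alice"), new[] { "MyApp" });
        ActionAuthorizer.Authorize(user, "urn:example:MyApp/GetReport"); // in role MyApp
        try { ActionAuthorizer.Authorize(user, "urn:example:MyApp/PurgeData"); }
        catch (SecurityException e) { Console.WriteLine(e.Message); }    // filter check
        try { PurgeData(); }
        catch (SecurityException) { Console.WriteLine("Demand failed"); } // attribute check
    }
}
```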