RE: Web Service Security
From: Fraser (Fraser_at_discussions.microsoft.com)
Date: 10/17/04
- In reply to: Jason MacKenzie: "Web Service Security"
Date: Sun, 17 Oct 2004 02:51:01 -0700
Jason,
there are a number of options open to you. You could encrypt or hash your
registry entries to keep prying eyes away, although of course this does raise
the question of where to store the encryption/hash key.
As far as web service authentication/authorisation is concerned you would be
well advised to look into using WSE2. This provides a full implementation of
the latest WS-Security specification and includes models which run on top of
basic Windows/IIS security all the way through to digital certificates and
signatures. WSE does a pretty good job of abstracting away most of the
difficult bits, and certainly at the basic end where WSE 'hands off' to
Windows it is very easy to implement (look at UsernameToken which resolves to
a Windows domain account). If you want to maintain platform neutrality in
your web service ([nearly] always a good thing), then there are plenty of
non-Windows-specific methods available through WSE. Authorisation schemes are
also possible based on individual user credentials (asserted in the request
message as a UsernameToken, Cert or Kerberos token) or based on roles (again
Windows specific or Windows independent).
A good starting point to find out more about WSE is the hands-on labs from
TechEd 2004. Also there is a specific user group for WSE which, as you might
expect, is crammed full of Q&As from people wanting to do things similar to
your requirements :-
Good luck
Fraser.
"Jason MacKenzie" wrote:
> We have a webservice our Windows apps call that reads the registry of the
> web server to get connection strings etc. This is all on our intranet behind
> a firewall.
>
> I should say, we have this all coded but have not deployed it due to some
> fairly obvious security concerns. While it's a very low chance, we certainly
> don't want someone to stumble across this web service and get database names
> and passwords.
>
> Is there a way to prevent users from navigating to a web service through the
> browser? Or securing it with a username and password somehow might also be
> doable. I'm just not sure how that would work.
>
> Any suggestions are appreciated,
>
> Jason MacKenzie
>
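
The WSE2 approach described in the reply above, as an added example that is not part of the original thread or of WSE's own samples: a C# web method that rejects any request lacking a WSE-authenticated UsernameToken and authorises by Windows role before it reads the registry. The class name, role and registry key are placeholders, and it assumes WSE 2.0 is enabled for the service with its default Windows authentication of UsernameTokens.

```csharp
// Added example (not from the thread). Requires a reference to
// Microsoft.Web.Services2.dll (WSE 2.0) and WSE enabled for the project.
using System.Web.Services;
using System.Web.Services.Protocols;
using Microsoft.Win32;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Security.Tokens;

public class ConfigService : WebService            // hypothetical service name
{
    // Assumption: placeholder group and registry key, not values from the thread.
    private const string AllowedRole = @"EXAMPLEDOMAIN\ConfigReaders";
    private const string SettingsKey = @"SOFTWARE\ExampleCorp\ConnectionStrings";

    [WebMethod]
    public string GetConnectionString(string name)
    {
        UsernameToken caller = GetAuthenticatedCaller();

        // Role-based authorisation against the Windows principal WSE attached
        // to the token when it authenticated the account.
        if (caller.Principal == null || !caller.Principal.IsInRole(AllowedRole))
            throw new SoapException("Caller is not authorised.", SoapException.ClientFaultCode);

        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(SettingsKey))
        {
            object value = (key == null) ? null : key.GetValue(name);
            if (value == null)
                throw new SoapException("Unknown setting.", SoapException.ClientFaultCode);
            return value.ToString();
        }
    }

    private static UsernameToken GetAuthenticatedCaller()
    {
        // Null when the request was not a SOAP message processed by WSE,
        // e.g. a browser hitting the .asmx page with HTTP GET/POST.
        SoapContext ctx = RequestSoapContext.Current;
        if (ctx == null)
            throw new SoapException("Only WSE SOAP requests are accepted.", SoapException.ClientFaultCode);

        foreach (SecurityToken token in ctx.Security.Tokens)
        {
            UsernameToken user = token as UsernameToken;
            if (user != null) return user;
        }
        throw new SoapException("A UsernameToken is required.", SoapException.ClientFaultCode);
    }
}
```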