
SSL for very simple security need in web service app

news.microsoft.com - 18 Oct 2005 00:18 GMT
I'm looking for a nudge in the right direction.

We have an order processing system that currently has a simple ASP.NET web
interface. Various clients who want to place orders already have a userID
and password specified within our application (i.e., not Windows
authentication) that they must supply in order to logon to their 'account'
and submit orders for themselves. They communicate from a browser over the
public internet. The browsers/server utilize SSL for encrypting the web
traffic.

We'd now like to implement this functionality as a web service to interact
with some desktop applications that can generate orders. We'd like to have
the remote app simply transfer the data, presumably in an XML format that we
already have defined, over the public internet, providing their userID and
password.

My question is: if we just add the userID and password in the XML
schema/data, is the SSL layer sufficient to ensure that anyone who might
intercept the traffic en route would not be able to determine the UserID and
password? Once we have the XML data in our app, it would be a trivial matter
to determine if the data is coming from a source that had a legitimate,
active UserID and a valid password. And that's pretty much all we'd need.

I read about WSE, WS-Security, etc. and it all seems like so much overkill
for my needs -- but I can't locate a single, simple scenario that looks like
what I have in mind here.

Any direction would be greatly appreciated!

Rob Schripsema
DeWaard and Jones Company
Bellingham, WA
news.microsoft.com - 18 Oct 2005 00:21 GMT
My apologies....

That last note went out with a user name of "news.microsoft.com". Apparently
my news reader was misconfigured. It was really from me.

Rob Schripsema
DeWaard and Jones

> I'm looking for a nudge in the right direction.
>
[quoted text clipped - 29 lines]
> DeWaard and Jones Company
> Bellingham, WA
CESAR DE LA TORRE [MVP] - 18 Oct 2005 08:52 GMT
If you have a simple scenario, and just end-to-end communication (you do not
have several end-points or middle end-points, and I mean Web-Services Servers
end-points),  then, SSL might be enough for you.
About WSE 3.0 and WCF in the future (Windows Communication Foundation, code
name Indigo), when talking about security, it offers security at message
level instead of security at transport protocol level (like SSL). It is
better for complex scenarios, middle points WebServices where you don't want
to trust at transport level, so, you can encrypt and sign at message level.
With these new technologies you also have new standards for complex
communications like WS-SecureConversation, etc.

So, if you have a very simple scenario, SSL might be OK. And of course, it
is secure enough (if you want more security with SSL, use a 128bit Server
Certificate, do not use a 64bit Server Cert.).

CESAR DE LA TORRE
Software Architect
[Microsoft MVP - XML Web Services]
[MCSE] [MCT]

Renacimiento
[Microsoft GOLD Certified Partner]  

> My apologies....
>
[quoted text clipped - 37 lines]
> > DeWaard and Jones Company
> > Bellingham, WA
Rob Schripsema - 18 Oct 2005 18:28 GMT
Cesar,

Thanks for the info. There is only a single end point here, a web service
app that simply takes order info, validates it and applies it to a database.
The clients are a variety of apps that will want to send a simple XML
formatted data stream as a single chunk over https: to the web service
address, and then process a simple reply. This is a small business taking
orders from other small businesses.

I would think this is a common need in the industry -- not at the enterprise
level, perhaps, but for the millions of small businesses out there that I
deal with, this is a common scenario. All of the talk about WSE, WCF and so
on tends to cloud the basic issues for the simple scenarios.

Thanks again for your help.

Rob Schripsema
DeWaard and Jones Company

> If you have a simple scenario, and just end-to-end communication (you do
> not
[quoted text clipped - 71 lines]
>> > DeWaard and Jones Company
>> > Bellingham, WA
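
Added example, not part of any post in this thread: a server-side check for the design discussed above, where the userID and password travel inside the XML order and rely on SSL/TLS for confidentiality. The element names (`Order`, `Credentials`, `UserID`, `Password`), the in-memory account store and the sample values are assumptions; it targets .NET 6 or later.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Xml;
using System.Xml.Linq;

// Added example: hypothetical schema and account store, not the poster's code.
static class OrderAuth
{
    // Stored per account: random salt + PBKDF2 hash, never the plain password.
    record Account(byte[] Salt, byte[] Hash, bool Active);

    static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, 210_000, HashAlgorithmName.SHA256, 32);

    static Account NewAccount(string password, bool active)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        return new Account(salt, Derive(password, salt), active);
    }

    // Returns the authenticated userID, or null when the request must be rejected.
    // isHttps comes from the host (Request.IsSecureConnection / Request.IsHttps).
    static string? Authenticate(bool isHttps, string xml, IReadOnlyDictionary<string, Account> accounts)
    {
        if (!isHttps) return null; // body credentials are only protected by the TLS channel
        // Refuse DTDs and external entities in client-supplied XML.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        XElement? cred;
        try
        {
            using var reader = XmlReader.Create(new StringReader(xml), settings);
            cred = XDocument.Load(reader).Root?.Element("Credentials");
        }
        catch (XmlException) { return null; } // malformed XML or a DOCTYPE
        string user = (string?)cred?.Element("UserID") ?? "";
        string pass = (string?)cred?.Element("Password") ?? "";
        if (!accounts.TryGetValue(user, out var acct) || !acct.Active) return null;
        return CryptographicOperations.FixedTimeEquals(Derive(pass, acct.Salt), acct.Hash) ? user : null;
    }
    static void Main()
    {
        // Constructed sample data.
        var accounts = new Dictionary<string, Account> { ["acme"] = NewAccount("s3cret-example", true) };
        string order = "<Order><Credentials><UserID>acme</UserID><Password>s3cret-example</Password></Credentials><Item sku=\"X1\" qty=\"2\"/></Order>";
        Console.WriteLine(Authenticate(true, order, accounts) ?? "rejected");                            // accepted
        Console.WriteLine(Authenticate(false, order, accounts) ?? "rejected");                           // not over TLS
        Console.WriteLine(Authenticate(true, order.Replace("s3cret", "wrong"), accounts) ?? "rejected"); // bad password
    }
}
```

Because the password sits in the request body, keep raw request XML out of application logs and traces once TLS has been terminated.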
