 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / ASP.NET / Web Services / March 2007Authentication in WSE
A client of mine is using WSE2 for authenticating rich clients over a webservice, and for message signing. (They're using SSL for encryption and server verification.) They're using UsernameToken for passing credentials, with PasswordOptions.SendNone, and of course a custom UsernameTokenManager for supplying the authenticating password for verifying the message's digital signature. What I am trying to find, with little success, is a standard way to apply the usual best practices for secure authentication, specifically regarding failed logins. Typically, I have my clients (according to well established best practices) log failed authentication attempts to the audit system; temporarily block a user's account after a certain number of consecutive failed authentication attempts; and additional actions as a result of the logon process, including logging succesful logons, logouts, etc. Though I am relatively new to WSE, my understanding is that the custom code can only supply the expected credentials to WSE for internal verification by itself, but the custom code cannot get involved in the credential verification process; rather, WSE will either allow the service to be called, or will throw an Exception, if the credentials do not match (rather the digital signature created by credentials does not match the one included in the message). How can custom code handle failed authentication events? By extension, how do we prevent WSE from returning an information-rich Exception (i.e. password is not correct, but you guessed a valid username) to the (potentially malicious) client app? I have come up with several possible alternatives, none of which seem great - or even logical, since I would expect WSE to have builtin support for functionality such as this. Anyway, what I have come up with so far: 1. Catching the OnLogonUserFailed event - this seems to not be relevant, since we're using custom authentication with UsernameTokenManager.AuthenticateToken being overridden (from the documentation it seems that this only works with the default implementation of UsernameTokenManager authenticating against a Windows user account); 2. Overriding the UsernameTokenManager.VerifyToken method - this too seems to be not relevant, since the default implementation of VerifyToken is required - or can I explicitly perform the validation some other way? Also, calling base.VerifyToken in the override wouldn't help much, since we still would have no way of knowing whether the user was verified or not... unless we just wrap the call to base in a try/catch block, and handle it thru the exception...? 3. Catching a webwide SecurityFault Exception, in global.asax - this is obviously the least appropriate method, though it does seem to be the only one assured to work... I prefer avoiding this. So - any ideas/thoughts/relevant meanderings? Which is best? Am I wrong on something here, or is there another way? Thanks,  SignatureAvi Douglen Application Security Consultant Hi Avi, In my opinion, the option #2 is the best. Why don't you publish the exceptions using the "Exception Handling" application block shipped in the Enterprise Library. This app block give you the flexibility to publish the original exception to a secure store (like the eventlog), and prevent that exception from returning to the client. Regards, Pablo Cibraro. www.lagash.com >A client of mine is using WSE2 for authenticating rich clients over a > webservice, and for message signing. (They're using SSL for encryption and [quoted text clipped - 62 lines] > > Thanks, Hi Pablo, Thanks for your answer, however that doesn't help me too much, because I can't control the Exception publishing mechanism, it's controlled by WSE itself; besides, the exception was not my main issue. As for option #2, do you know how I can override the UsernameTokenManager.VerifyToken method, whilst explicitly performing the validation, or allowing WSE to perform the validation and let my code know the result? Thanks, SignatureAvi Douglen Application Security Consultant > Hi Avi, > In my opinion, the option #2 is the best. [quoted text clipped - 74 lines] > > > > Thanks, I might even look at different method. I prefer SCTs over UTs anyway, so use a SecurityContextToken instead. You control the creation of the SCT on the server side and can use LogonUser api or custom DB login if you wish. Then you can log to anything you want (i.e. DB, EventLog, etc) on the server side. You can also return any error you want in the SCT reply or just throw exception and let WSE handle it back. If using WSE, you probably need to turn on Full Errors in the policy file otherwise you only get the Server not available error. Not real sure how this will propagate back, so you have to test and see. If you propagate the error yourself in the SCT reply message, then you can code it anyway you like and have full control and understanding. IMO, SCTs are more secure anyway and you also have the option to use DerivedKeyTokens from the base SCT for even more security in the conversation. I have a sample of doing this very thing at: http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!303.entry Not this works with fw 1.1. I have a FX2.0 sample working, but need to clean it up a bit and will post. Possibly another option would be to encrypt the password with the server's public key (embedded in your code or other), convert to base64, and send as Send.PlainText in the UT. Using rsa PKI, the text will not be a simple pw equivalent and WSE will handle replay attacks (so I think is pretty good unless I missed something). Then you can decrypt pw (using server's rsa private key) in your custom UTM and verify with LoginUser api and log as needed. Return the same text pw in the method on logon success or exception or null otherwise. SignatureWilliam Stacey [MVP] >A client of mine is using WSE2 for authenticating rich clients over a > webservice, and for message signing. (They're using SSL for encryption and [quoted text clipped - 62 lines] > > Thanks, Hi William, Thanks for your reply. While SCT's do look interesting (as I understand, I can have complete control of the logon validation process? If so, does it not require substantial more code?), using Username tokens are actually a clients requirement, not a recommendation of ours. I will recommend they change the implementation, possibly to SCT, I find it unlikely that they will accept this recomendation, at least right now. I do need to help them find an immediate solution; I also do not want them sending the pw over the wire. So, considering the constraints, what can we do? Catch the event, or override the method? Do either of them work? And do I understand correctly, WSE does not have builtin support for these best practices? SignatureAvi Douglen Application Security Consultant > I might even look at different method. I prefer SCTs over UTs anyway, so > use a SecurityContextToken instead. You control the creation of the SCT on [quoted text clipped - 90 lines] > > > > Thanks, After reading your first post again, I noticed you/they are using SSL. Because the channel is already encrypted, you could just use SendPlainText and override the UTM and verify text pw yourself using LogonUser API (like the base does.) Now you can just test the bool return of LogonUser to do your logging. Everything is as secure as SSL can be. What is the reason they are using SendNone? I assume they are using a username/pw DB? SignatureWilliam Stacey [MVP] > Hi William, > Thanks for your reply. While SCT's do look interesting (as I understand, I [quoted text clipped - 132 lines] >> > >> > Thanks, Yes, they are indeed using a username/pwd DB (and therefore LogonUserAPI is not relevant, but I understand your intent). True, SSL does encrypt the entire channel; but please explain this to me: if they were to send the pwd, and perform the validation and authentication themselves, what do they actually profit from using WSE in the first place? In my understanding, if we are using SSL for encryption, and custom code for authentication, WSE loses its effect (and becomes practically pointless)? And no, we do not need to propogate the users identity thru several tiers, in our scenario its a just a smart client (winforms) accesing the WebService directly; Am I correct in understanding that WSE is extraneous here? Since you asked, the reason they are using WSE as they are (no encryption, UT, SendNone) goes like this: originally they wanted to use WSE all the way, including encryption; my associate recommended against that (because of the potential offline attacks), and using SSL for encryption. UT's is just the simplest, and I insisted on using SendNone (based on the current constraints), as that is the biggest advantadge of WSE in the first place (as I see it, under the current constraints). Considering everything (especially the architecture), we would have like to recommend against using WSE at all (in this specific scenario). However, the client seemed excited about the technology (it IS pretty cool), and REALLY wanted to use it.... I guess we're all familiar with these situations.... Anyway, was it a mistake to base the authentication (and message integrity) on WSE, in this case? Are our recommendations misdirected? Thanks. SignatureAvi Douglen Application Security Consultant > After reading your first post again, I noticed you/they are using SSL. > Because the channel is already encrypted, you could just use SendPlainText [quoted text clipped - 139 lines] > >> > > >> > Thanks, > Yes, they are indeed using a username/pwd DB (and therefore LogonUserAPI > is [quoted text clipped - 7 lines] > loses > its effect (and becomes practically pointless)? Well even after authentication (how ever you do it), you still need some kind of message passing/RPC protocol to call your server methods. So once you have the secure channel, you need web services or WSE (or your own custom socket protocol) to send requests/replies. WSE has this for you so I would not say it pointless, but far from it. It becomes your client and server side framework from which you will build your app. If your using certs already, you can authenticate using WSEs SCT (similar to SSL in that it uses certs and public key for security) and then encrypt only what you really need to encrypt using the SCT (and/or Derived SCT) token. If you want to stay with complete SSL encrypted channel for entire session, then get the SSL session and use WSE for your request/reply framework (no expert there however as have not done that.) Even if using SendNone, you still need to return the plain password in your UTM so that WSE can verify the signature. So your not eliminating an authentication step by using SendNone. > And no, we do not need to > propogate the users identity thru several tiers, in our scenario its a > just a > smart client (winforms) accesing the WebService directly; Am I correct in > understanding that WSE is extraneous here? If you just want to use SSL and ASMX, then probably true. If you need the extra features and flexibility of WSE, then no. This would be a primary design choice. If you want WSE, I would probably go with SCTs and stay completely in WSE. > Since you asked, the reason they are using WSE as they are (no encryption, > UT, SendNone) goes like this: originally they wanted to use WSE all the > way, > including encryption; my associate recommended against that (because of > the > potential offline attacks), and using SSL for encryption. It is true that with UTs you can do dictionary attacks on the message signature, however that is not true if using SCTs. Once you have SCT token, then you use like any other token (i.e. UT) so you don't really pay any complexity price after authentication. > UT's is just the > simplest, and I insisted on using SendNone (based on the current [quoted text clipped - 11 lines] > integrity) > on WSE, in this case? Are our recommendations misdirected? I would not say it is misdirected. I also really like WSE. Concidering your options, it seems like WSE using SCTs is probably your best (and most secure) fit. You also have the option of using HTTP or direct TCP in the future. You also have the option of using your cert for SCT authentication or even not use a cert, but only RSA public key (i.e. SN public key in client assembly) on client side to gen/authenticate a SCT using my method posted before. If you want to keep SSL and use WSE under it, then using UTs and SendPlainText is a slightly simplier approach and gives you a direct way to do your logging in the UTM. HTH SignatureWilliam Stacey [MVP] William, Thanks so much for your extensive answers, they are really helpful. What I meant to ask is, how much benefit can we actually get from WSE, given that we are using UT, and SSL? The only benefit, as I see it, is managed authentication, which actually is to our detriment, because of my original problems (i.e. logging, account lockout, etc). Obviously, SCT's bring their own benefit (do I understand correctly that SCT's are based on client certs?); however we do not (currently) have that option. Also, I meant using WSE as opposed to straight WebServices, calling the ASMX over HTTP/S, as you put it. One thing is clear to me, though - it would have been preferable to go with SCT.... Another question, if we are using SSL, does WSE provide a mechanism for server authentication? Specifically, is there builtin support for validating a server certificate? One path I considered, is signing the client assemblies (SN) with the server's SSL cert, and then verifying at runtime that the public keys match (actually the public key token). Tho that seems a lot of work.... Thanks again! (p.s. sorry for the long-windedness, I prefer being complete and explicit....) SignatureAvi Douglen Application Security Consultant > > Yes, they are indeed using a username/pwd DB (and therefore LogonUserAPI > > is [quoted text clipped - 72 lines] > and SendPlainText is a slightly simplier approach and gives you a direct way > to do your logging in the UTM. HTH > What I meant to ask is, how much benefit can we actually get from WSE, > given > that we are using UT, and SSL? I am confused. If your using UT, your already using WSE. Unless your talking about some other UT? > The only benefit, as I see it, is managed > authentication, which actually is to our detriment, because of my original > problems (i.e. logging, account lockout, etc). As we already talked about, you can do that with WSE, so I don't see the issue. > Obviously, SCT's bring their > own benefit (do I understand correctly that SCT's are based on client > certs?); however we do not (currently) have that option. Server certs. You already have one if your using SSL. The default SCT method in WSE uses server cert. So you can use that option if you want and use SCTs. > Also, I meant using > WSE as opposed to straight WebServices, calling the ASMX over HTTP/S, as > you > put it. The security part of your app is important, but only a piece of the whole picture. You need to decide if you want to use ASMX or WSE. Then pick the currect security that fits with the respective model. SignatureWilliam Stacey [MVP] > > What I meant to ask is, how much benefit can we actually get from WSE, > > given > > that we are using UT, and SSL? > > I am confused. If your using UT, your already using WSE. Unless your > talking about some other UT? I meant that if we were to use WSE, it would be using UT (at least for now). I was actually asking, should I even bother using WSE with UT, or forego the inherent complexity of WSE altogether, since it's not quite worth the minimal benefit under these circumstances? Or did I miss something, and WSE is indeed more beneficial than I thought? > > The only benefit, as I see it, is managed > > authentication, which actually is to our detriment, because of my original > > problems (i.e. logging, account lockout, etc). > > As we already talked about, you can do that with WSE, so I don't see the > issue. Right, but to do that using WSE, I wind up rolling most of the code myself, anyway, so what does WSE add to the mix? > > Obviously, SCT's bring their > > own benefit (do I understand correctly that SCT's are based on client [quoted text clipped - 3 lines] > method in WSE uses server cert. So you can use that option if you want and > use SCTs. Again, since the whole channel is encrypted and protected with SSL, should we bother? > > Also, I meant using > > WSE as opposed to straight WebServices, calling the ASMX over HTTP/S, as [quoted text clipped - 4 lines] > picture. You need to decide if you want to use ASMX or WSE. Then pick the > currect security that fits with the respective model. Did I miss something here? As I understand it, WSE is being used to secure our WebServices, accessed through ASMX. If not security, why WSE? Thanks again, for your continuing help SignatureAvi Douglen Application Security Consultant > I meant that if we were to use WSE, it would be using UT (at least for > now). [quoted text clipped - 13 lines] >> As we already talked about, you can do that with WSE, so I don't see the >> issue. > Right, but to do that using WSE, I wind up rolling most of the code > myself, > anyway, so what does WSE add to the mix? Not really. You have to roll the DB lookup anyway. You can just log to the DB again after lookup is good or bad. WSE is far more then just security, it is your web service infrastructor also (if you pick to go that way). > Again, since the whole channel is encrypted and protected with SSL, should > we bother? This is your call. As I see you should pick one way and stick with that - either WSE or ASMX web services. Not both. So go with SSL and ASMX or Web Services and token security. > Did I miss something here? As I understand it, WSE is being used to secure > our WebServices, accessed through ASMX. If not security, why WSE? If you use WSE, you don't need webservices also. WSE is your web services. If app is already built around WebServices, then you should probably stick with that and not mess with WSE at all. It all depends on how you want to build your app and what tools you want to use. SignatureWilliam Stacey [MVP] William, thank you so much for answers, they helped a lot. I still dont understand your contrasting WSE to WS/ASMX (even with WSE, we're still calling a WS implemented in a ASMX file), since WSE is just another protocol (or rather an implementation thereof) higher up the stack, riding on top of SOAP WS - but I guess it's really just semantics.... Thanks! SignatureAvi Douglen Application Security Consultant > > I meant that if we were to use WSE, it would be using UT (at least for > > now). [quoted text clipped - 36 lines] > with that and not mess with WSE at all. It all depends on how you want to > build your app and what tools you want to use. I contrast them, because they are separate. You can do everything in WSE without any ASMX. When channel is HTTP, IIS is only used to basically route the Soap request to WSE after it processes the HTTP header. TMK, it hands off the request to WSE - so ASMX is not used either. I think there is a way to host WSE over HTTP without IIS, but have not tried it. Remember with WSE, you can host the service in a standard exe or service using TCP, in that case IIS or ASMX is not involved either. SignatureWilliam Stacey [MVP] > William, thank you so much for answers, they helped a lot. > I still dont understand your contrasting WSE to WS/ASMX (even with WSE, [quoted text clipped - 55 lines] >> to >> build your app and what tools you want to use. I see your point, though in fact the same is true for straight WebServices - you don't NEED to use IIS/ASP.NET/ASMX to implement WS, it's just a whole lot easier, and there are other benefits. Actually, even if you do use IIS/ASP.NET, no one says that the URL has to be ASMX, you can change that..... I do understand your meaning, thanks a ton! SignatureAvi Douglen Application Security Consultant > I contrast them, because they are separate. You can do everything in WSE > without any ASMX. When channel is HTTP, IIS is only used to basically route [quoted text clipped - 63 lines] > >> to > >> build your app and what tools you want to use. As a side note. I just posted a complete sample project at Channel9: http://channel9.msdn.com/ShowPost.aspx?PostID=103242 This shows using secure methods using WSE and SCT tokens without needing certs. Built using fx2.0. SignatureWilliam Stacey [MVP] > William, > Thanks so much for your extensive answers, they are really helpful. [quoted text clipped - 120 lines] >> way >> to do your logging in the UTM. HTH hi everyone.. i am also worried about Authentication in WSE. actually i knows little bit about Custom Usernametoken manager for authentication.. u can use authentication for username token with database for this u need to create sqlhelper policy, then u have to create custom usernametoken. with this u can provide much better security for ur service.. i have no much idea about this.. but i can provide u a link for help.. from deepak http://msdn2.microsoft.com/en-us/library/aa480575.aspx with this link u get so much help.. if u got perfect idea plese reply me soon. Send me your eamil and i will send you the solution i have written. It used a usernametoken which is validated using a cutom username token manager to validate the password (we are sending over ssl for security) rlirwin1138@wowway.com > A client of mine is using WSE2 for authenticating rich clients over a > webservice, and for message signing. (They're using SSL for encryption and [quoted text clipped - 49 lines] > > Thanks,
Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.