WSE or not WSE for custom Auth ?

bradrover - 23 Jan 2006 16:13 GMT
I have a very simple set of credentials I need to authenticate and
authorize against. I would assume this is a common scenario for anyone
exposing a public web service:

username
password
accountID

The accountID is critical for authorizing access to a particular
account, and the mappings of usernames to accounts are in a database. In
this case, can I somehow add accountID to the usernametoken? If I can,
should I? After looking through the 3.0 samples it appears I could
possibly write a general custom assertion to do this auth against my
own header holding the credentials, but I'm not sure if that's
appropriate or any better than just using the asmx headers and doing
the auth in each method.

Niels Flensted-Jensen - 25 Jan 2006 10:16 GMT
Maybe the AccountId is really more related to the business logic of your
service than the infrastructure (which username/password supposedly belongs
to)?

If this is the case you may consider putting the accountId in your message
rather than in the headers, which are normally reserved for more
infrastructure-related stuff (security, addressing, attachments, ...).

But if you choose to stick it in the header (and I don't think the
UsernameToken has room for it), it must be because you want to have the
framework do the authorization before reaching your Web method, and in that
case there is no way around writing your own policy assertion.

Just a few thoughts, but if you need examples of writing your own assertions
they are becoming available in many places.

Niels

> I have a very simple set of credentials I need to authenticate and
> authorize against. I would assume this is a common scenario for anyone
[quoted text clipped - 12 lines]
> appropriate or any better than just using the asmx headers and doing
> the auth in each method.

bradrover - 25 Jan 2006 18:13 GMT
Thanks Niels, yes I think accountID is really part of the business
logic. I'd prefer to do the authorization in the request pipeline than in
each method if possible. I suppose I could go ahead with UserNameToken,
but then also add a custom policy assertion after that in the pipeline
to do the authorization, by picking the accountID out of the message
body.
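
Added example, not code from the thread or from WSE: the authorization check discussed above (the authenticated username tested against the accountID carried in the message body), written as plain C# that a pipeline filter could call once the UsernameToken has been verified. The `AccountAuthorizer` class, the `urn:example:accounts` namespace, the `GetBalance` element and the in-memory mapping standing in for the database are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;

// Added example; every name below is hypothetical.
static class AccountAuthorizer
{
    // Stand-in for the username-to-account mapping table in the database.
    static readonly Dictionary<string, HashSet<string>> Accounts =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new HashSet<string> { "1001", "1002" } },
            { "bob",   new HashSet<string> { "2001" } }
        };

    // True only if the body carries exactly one accountID and the already
    // authenticated user is mapped to it. Every other case is denied.
    public static bool IsAuthorized(string authenticatedUser, XmlDocument envelope)
    {
        var ns = new XmlNamespaceManager(envelope.NameTable);
        ns.AddNamespace("s", "http://schemas.xmlsoap.org/soap/envelope/");
        ns.AddNamespace("a", "urn:example:accounts"); // constructed namespace

        XmlNodeList ids = envelope.SelectNodes("/s:Envelope/s:Body/*/a:accountID", ns);
        if (ids == null || ids.Count != 1) return false; // missing or ambiguous

        // The accountID is client-supplied: trust only the server-side mapping.
        string accountId = ids[0].InnerText.Trim();
        HashSet<string> allowed;
        return !string.IsNullOrEmpty(authenticatedUser)
            && Accounts.TryGetValue(authenticatedUser, out allowed)
            && allowed.Contains(accountId);
    }

    static void Main()
    {
        // Constructed request whose body asks for account 2001.
        var doc = new XmlDocument();
        doc.XmlResolver = null; // do not resolve external entities or DTDs
        doc.LoadXml(
            "<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/'>" +
            "<s:Body><a:GetBalance xmlns:a='urn:example:accounts'>" +
            "<a:accountID>2001</a:accountID></a:GetBalance></s:Body></s:Envelope>");

        Console.WriteLine("bob:   " + IsAuthorized("bob", doc));   // mapped user
        Console.WriteLine("alice: " + IsAuthorized("alice", doc)); // other account
    }
}
```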