 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / ASP.NET / Web Services / July 2006Security handling based on Role of User and Destination of Service
I can't seem to find enough information to solve this problem. Scenario: - There are two web services: ServiceA and ServiceB both have two web methods AA(), AB() and BA(), BB() respectively - There are two in memory associations: "ServiceA" is allowed to be accessed by "Domain\Administrators", "ServiceB" is allowed to be accessed by "Domain\Users", which can change at any time during runtime. - The services are hosted via: SoapReceivers.Add(...,...) not ASP.net on IIS - WSE3 is enabled on both the server and client, for use with Kerberos tokens withing an intranet environment with Active Directory. My Intended Solution: - Upon receiving a web method call from a client the call is analysed. The caller's role and the destination service class name is checked against the in memory association and acted upon accordingly. - More specifically: If a member of the Administrators group attempts to access ServiceA, the call continues to invoke the appropriate method. - In contrast, If a caller attempts to call ServiceA and is not part of the Administrators group an exception is thrown. Other useful background: -I understand that access to web services can be controlled by editing the wse3policyCache.config file (policy\authorisation\allow@role="administrators"), but run time flexibility is needed. -I have seen and considered using a custom SecurityTokenManager, but I couldn't see any way of obtaining the destination of the SOAP message. That is, in the VerifyToken(SecurityToken token) procedure, I don't know how to tell whether i'm verifying a message going to ServiceA or ServiceB. Thanks, Toddo. Hi, If you need runtime flexibility, you can probably develop your own authorization assertion (Developing a custom assertion and a custom filter) to authorize a request or not depending on the wsa:Action or wsa:To headers. You can find a brief description about custom assertions in my blog, http://weblogs.asp.net/cibrax/archive/2005/07/19/419921.aspx Or this article in the msdn, http://msdn.microsoft.com/msdnmag/issues/05/11/AzManandWSE30/ Regards, Pablo Cibraro http://weblogs.asp.net/cibrax [MVP - Connected Systems Developer] >I can't seem to find enough information to solve this problem. > [quoted text clipped - 34 lines] > > Thanks, Toddo. You answer, sounded right until I got to coding the ValidateMessageSecurity method. When I realised I had access to the full SOAP envelope, I saw there was potential to authorize accordingly. But By-Method authorisation is too low level. The most suitable authorisation level would allow me to control access depending on the SOAP Action URL, but this isn't contained within the SOAP envelope. The SOAP message request format is: POST /url HTTP/1.1 Host: HostServerName Content-type: text/xml; charset=utf-8 Content-length: 350 SoapAction: http://tempUri.org/GetCustomerInfo ... <?xml version="1.0" encoding="utf-8" ?> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <soap:Body> <GetCustomerInfo xmlns="http://tempUri.org/"> <CustomerID>1</CustomerID> <OutputParam /> </GetCustomerInfo> </soap:Body> </soap:Envelope> Does anyone know how I can programmically get access to the HTTP Post headers when running an assertion? (Keep in mind, i'm not hosting this in IIS, but by using SoapReceivers.Add) I know it's technically feasible, but whether it's supported in the WSE framework or not is the issue. I may have to write my own HTTP server. Another option I can think of would be to inject a custom header into the SOAP envelope on the client end. But then that starts to pull me away from a standard Web Service implementation. > Hi, > [quoted text clipped - 52 lines] > > > > Thanks, Toddo. Would it have something to do with parentAssertion.ServiceActor? I know that the ServiceActor is a string and can contain a URI! But according to documentation only when a SOAP router has been used. So will a URI be in the ServiceActor because of the policy pipeline? I hope there's a simple way to do this. Thanks. > You answer, sounded right until I got to coding the ValidateMessageSecurity > method. When I realised I had access to the full SOAP envelope, I saw there [quoted text clipped - 90 lines] > > > > > > Thanks, Toddo. Hi, WSE also includes the action in the addressing header wsa:Action. (This header goes signed so nobody can change it). It is not safe to use the SOAP Action header (Someone can intercept the HTTP message and change that header, the server won't notice the difference), and ASP.NET keeps it only for backward compatibility with the simple web services developed with ASP.NET. You can get the addressing header from the envelope, envelope.Context.Addressing.Action Does it make sense ? Regards, Pablo. > Would it have something to do with parentAssertion.ServiceActor? > [quoted text clipped - 117 lines] >> > > >> > > Thanks, Toddo. Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.