Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsFree MagazinesWhite PapersSubmit Content
Discussion GroupsASP.NETWindows FormsLanguages.NET FrameworkVisual Studio.NET
Articles.NET FrameworkASP.NETToolsWindows Forms
.NET DirectoryOpen Source ProjectsUser GroupsWeb Resources
Related Topics
Visual Basic 6SQL ServerMS AccessOther DB ProductsMS Server ProductsMore Topics ...
.NET Forum / ASP.NET / Web Services / October 2006

Tip: Looking for answers? Try searching our database.

WSE 3.0 and UsernameTokenManager encryption

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
jeff - 14 Aug 2006 21:08 GMT
Hello all
There is a lot of good information on this list so i thought i would ask
for some advise. I have a windows application that need to access web
services i do have a user-name and Pass that can be validated with a DB
(users is text and password is a salted hash) so what i have created is
a UsernameTokenManager class overriding AuthenticateToken this works
fine but the User-Name and Password from the win client needs to be in
the clear(i don't like this) so after doing some research i created a
SendSecurityFilter that would take care of the Token enc for me via the
SecureMessage override so this is kinda of working but the password in
the soap header is still in the clear. i am not sure if this is a
design/idea problem or a code problem. the only thing is i need to be
able to get the username and password in the clear so that my
AuthenticateToken can hash it my way and verify it with my user store
and advise would be most helpful
jeff
Reply to this Message
Niels Flensted-Jensen - 15 Aug 2006 08:53 GMT
Hi Jeff,

Try using a UsernameOverCertificate policy (in my documentation it is at
ms-help://MS.WSE30.1033/WSE3.0/html/17147edb-2682-4aee-b73c-b9775e11261d.htm).

It works with you UsernamePassword on the client and requires a certificate
for the server.  If your client is a WinForms client you may use secure
conversation on top of that (this is something you enable in the WSE 3.0
Wizard/policy file).

Niels
http://blog.flensted-jensen.com

> Hello all
> There is a lot of good information on this list so i thought i would ask
[quoted text clipped - 12 lines]
> and advise would be most helpful
> jeff
Reply to this Message
jeff - 15 Aug 2006 15:36 GMT
Thanks for the info
i was wondering if there is a way of not using a cert (x509 and the
like) we are planning to install the win application using click-once
and have noticed that installing a cert on the clients computer might be
a problem(please correct if i am wrong)
jeff

> Hi Jeff,
>
[quoted text clipped - 25 lines]
>> and advise would be most helpful
>> jeff
Reply to this Message
d - 24 Oct 2006 16:41 GMT
> Hello all
> There is a lot of good information on this list so i thought i would ask
[quoted text clipped - 12 lines]
> and advise would be most helpful
> jeff

did u find a solution. I also am trying to find how to encrypt password that is sent as security token as part of the soap header.

Posted from http://www.topxml.com/renntp using reNNTP: the website based NNTP reader.
Reply to this Message

Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.