
Is WSE 3 and Kerberos useful for securing services at the method level?

Eric - 07 Dec 2006 17:34 GMT
I am designing some services that I am thinking would be good to secure
using Kerberos as we have an intranet setup.  It is pretty clear how you
secure a user at the service level, but I'm curious as to how one would use
Kerberos to secure at the method level. Say I have an AD group named "MyApp"
that allows a user to access the service.  I'd also like to have another
group "MyAppAdmin" which gives a user access to more methods on the service
than the vanilla user would have.

I haven't seen anything so far to suggest that the WSE helps you in my
scenario beyond providing you with the account name of the user so you can
use code to check for methods you want extra security on, whereas the
service level authentication is pretty much built in.  Is that a correct
assessment?

Thanks,
Eric
Pablo Cibraro [MVP] - 08 Dec 2006 14:57 GMT
Hi Eric,

Your supposition is correct to a certain extent. You can use the Windows
Principal available in the Kerberos token to check permissions at method
level.
Another solution is to extend the Kerberos assertion provided by WSE to set
the CurrentThread.Principal property with the principal available in the
Kerberos token. Once you do that, you can use PrincipalPermission to set
permissions at method level.

Regards,
Pablo Cibraro.

>I am designing some services that I am thinking would be good to secure
>using Kerberos as we have an intranet setup.  It is pretty clear how you
[quoted text clipped - 12 lines]
> Thanks,
> Eric
Howard Hoffman - 09 Jan 2007 22:41 GMT
We've written a custom PolicyAssertion / SoapFilter pair of subclasses that
grab the SecurityToken out of SoapEnvelope.Context.Credentials, create a
RoleProviderPrincipal if necessary, check IsInRole membership against roles
configured for the SoapEnvelope.Context.Addressing.Action and ultimately
populate the Thread.CurrentPrincipal.

The SoapEnvelope SecurityTokens will be populated by the WSE pipeline, so
you're not just limited to Kerberos.

We've found it to be very useful, as we have lots of different services on
the same ASMX.

HTH,

Howard Hoffman

> Hi Eric,
>
[quoted text clipped - 25 lines]
>> Thanks,
>> Eric
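
The two approaches described in the replies above (a per-action role check in a filter that then sets Thread.CurrentPrincipal, and PrincipalPermission on the methods) can be combined as in the following added example, which is not code from any poster in this thread. It assumes .NET Framework, where the PrincipalPermission attribute is enforced; the service class, method names, action URIs and the Filter helper are hypothetical, and GenericPrincipal objects stand in for the principal WSE would take from the security token.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public class MyAppService   // hypothetical service; method names are assumptions
{
    [PrincipalPermission(SecurityAction.Demand, Role = "MyApp")]
    public string GetReport() { return "report"; }

    [PrincipalPermission(SecurityAction.Demand, Role = "MyAppAdmin")]
    public string PurgeReports() { return "purged"; }
}

public static class Demo
{
    // Constructed action-to-role table (the per-action check described in the thread).
    static readonly Dictionary<string, string> RequiredRole = new Dictionary<string, string>
    {
        { "urn:myapp/GetReport", "MyApp" },
        { "urn:myapp/PurgeReports", "MyAppAdmin" },
    };

    // Stand-in for the filter: check the action's role, then publish the principal.
    static void Filter(string action, IPrincipal fromToken)
    {
        string role;
        if (!RequiredRole.TryGetValue(action, out role) || !fromToken.IsInRole(role))
            throw new SecurityException("Not authorized for " + action); // unmapped actions fail closed
        Thread.CurrentPrincipal = fromToken;
    }

    public static void Main()
    {
        // Constructed principals; with a WindowsPrincipal the role name is "DOMAIN\\MyApp".
        IPrincipal user = new GenericPrincipal(new GenericIdentity("alice"), new[] { "MyApp" });
        IPrincipal admin = new GenericPrincipal(new GenericIdentity("bob"), new[] { "MyApp", "MyAppAdmin" });
        MyAppService svc = new MyAppService();

        Filter("urn:myapp/GetReport", user);
        Console.WriteLine(svc.GetReport());               // allowed: alice is in MyApp
        try { svc.PurgeReports(); }                       // attribute demand still guards the method
        catch (SecurityException) { Console.WriteLine("user denied PurgeReports"); }

        Filter("urn:myapp/PurgeReports", admin);
        Console.WriteLine(svc.PurgeReports());            // allowed: bob is in MyAppAdmin
    }
}
```

Keeping the attribute on the method as well as the filter check means a method reached without passing through the filter is still refused unless the thread's principal holds the role.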
