Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsFree MagazinesWhite PapersSubmit Content
Discussion GroupsASP.NETWindows FormsLanguages.NET FrameworkVisual Studio.NET
Articles.NET FrameworkASP.NETToolsWindows Forms
.NET DirectoryOpen Source ProjectsUser GroupsWeb Resources
Related Topics
Visual Basic 6SQL ServerMS AccessOther DB ProductsMS Server ProductsMore Topics ...
.NET Forum / ASP.NET / Web Services / October 2004

Tip: Looking for answers? Try searching our database.

Authentication & Authorization

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Thomas Waldron - 28 Sep 2004 19:59 GMT
What is a recommended way using the WSE to handle authentication and
role-based authorization between domain boundaries? (client code in DMZ, web
services on internal server)

More or less, what I'm going for is a series of "service accounts" or
principals that are authorized to call certain web services. I can either
represent these principals as X.509 certs or as a custom username and
password combination.

If I went with X.509, is it sufficient to use WS-Policy/XML files to
restrict what X.509 certs can be used to call a service? Or is it recommended
to store principals and roles in a database, along with the public key of the
cert.

If I go with UserNameToken, I would probably want to override it such that
the client encrypts the password with a  symmetric algorithm, and the web
service decrypts, then authenticates against a database where the password is
stored in a salted hashed format, along with the role memberships.

Reasons I would want to change how UserNameToken works:
1) it's only an SHA-1 hash (http://tinyurl.com/5grfd)
2) it requires the password to be persisted somewhere in a plain text, in
order for the web service to reconstruct the hash.

Thank you for any feedback,

Thomas
Reply to this Message
Mike - 01 Oct 2004 11:46 GMT
Hey Thomas,

I've asked this same question and haven't gotten any bites. Think what I'm
going to do is just run some tests and see which method works better/easier
and go with that!

Mike

> What is a recommended way using the WSE to handle authentication and
> role-based authorization between domain boundaries? (client code in DMZ, web
[quoted text clipped - 23 lines]
>
> Thomas
Reply to this Message
Thomas Waldron - 04 Oct 2004 17:23 GMT
Thanks for the reply Mike. I've taken a similar path, setting up various
proof of concept scenarios. Also, I grabbed a copy of Jeffrey Hasan's book,
SOA in C#, this is proving invaluable in making these types of architectural
decisions.

Regards,

Thomas

> Hey Thomas,
>
[quoted text clipped - 3 lines]
>
> Mike
Reply to this Message

Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.