WSE 2.0 Custom Authentication

Greg - 21 Jun 2004 16:20 GMT
I would like to implement custom authentication using WSE 2.0. I have
downloaded the HOL but all the examples seem to use a Windows authentication
system which is not possible for me.

My thought would be to override the "AuthenticateToken" method (similar to
what is in the WebSecurityHelper.cs example), perform a database query, etc.
However, I'm guessing I would still have to get a valid token in order for
this to be useful (though the method just returns a string, so I'm not
sure-- still trying to get my head wrapped around it).  Has anyone attempted
something like this? Am I heading in the right direction?

Thanks,
   Greg
Jag - 22 Jun 2004 01:15 GMT
Hi Greg

I am trying to do a similar implementation. You can have a look at the
CustomXmlSecTokencode sample (check under the WSE 2.0 install directory). I
have had no luck getting the sample to work. You may see some of my postings
but I am still waiting for some help. That's all I can help with.

Regards
Jagdeep

> I would like to implement custom authentication using WSE 2.0 . I have
> downloaded the HOL but all the examples seem to use a windows authentication
[quoted text clipped - 9 lines]
> Thanks,
>     Greg
Greg - 22 Jun 2004 13:11 GMT
Hi Jag, thanks for the reply. I ended up getting it working, I just overrode
the AuthenticateToken method. I found the most difficulty in configuring
the web.config :) I was trying to do it manually and kept running into
problems. Unfortunately a lot of the documentation doesn't explain what the
settings are for in the web.config very well (at least not what I was
looking at). I ended up using the Visual Studio add-in tool to configure it
and everything has worked. Also, I had to update the web references several
times.

My user authentication method is as follows:

protected override string AuthenticateToken(UsernameToken token)
{
    // Connection string is read from the application settings
    string sConnString = Utilities.ReadAppSettings("AdminConnectionString");

    // My custom user class
    ClassLib.User user = new ClassLib.User(sConnString);

    // Queries Db to see if userId is valid
    if (user.GetUserAuthentication(token.Username, token.Password) > 0)
    {
        // Credentials accepted: return the password for this user
        return token.Password;
    }
    else
    {
        // Credentials rejected
        return "";
    }
}

One thing that I don't like about this is that it has to authenticate the
user each time, which means a trip to the db each time. I may end up
creating a hash table to store all the authenticated users and search that
before querying the db.  The only downside there is if a user changes a
password (or user is deleted), I will have to make sure the hash table is
updated accordingly.

----- Original Message -----
From: "Jag" <jagdeepsahdeva@hotmail.com>
Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
Sent: Monday, June 21, 2004 8:15 PM
Subject: Re: WSE 2.0 Custom Authentication

> Hi Greg
>
[quoted text clipped - 22 lines]
> > Thanks,
> >     Greg
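
The hash table Greg describes above, sketched as an added example that is not part of the original post or of WSE. The class and member names are hypothetical, it assumes .NET 6 or later and case-insensitive usernames, and it stores a keyed MAC of the password rather than the password itself:

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Added example (hypothetical class): short-lived cache of credentials the
// database has already accepted. Assumes .NET 6 or later.
public sealed class VerifiedCredentialCache
{
    private sealed record Entry(byte[] Mac, DateTime ExpiresUtc);

    // Random per-process key: cached MACs are useless outside this process.
    private readonly byte[] _key = RandomNumberGenerator.GetBytes(32);
    private readonly ConcurrentDictionary<string, Entry> _entries = new();
    private readonly TimeSpan _ttl;

    public VerifiedCredentialCache(TimeSpan ttl) => _ttl = ttl;

    // Call only after the database check has succeeded for this pair.
    public void Remember(string username, string password) =>
        _entries[Norm(username)] =
            new Entry(ComputeMac(username, password), DateTime.UtcNow + _ttl);

    // True only for an unexpired entry whose MAC matches the supplied password.
    public bool IsKnownGood(string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password)) return false;
        if (!_entries.TryGetValue(Norm(username), out var e)) return false;
        if (e.ExpiresUtc <= DateTime.UtcNow) { Invalidate(username); return false; }
        return CryptographicOperations.FixedTimeEquals(ComputeMac(username, password), e.Mac);
    }

    // Call from the password-change and user-delete code paths.
    public void Invalidate(string username) => _entries.TryRemove(Norm(username), out _);

    // Assumption: usernames are case-insensitive, so one user maps to one entry.
    private static string Norm(string username) => username.ToUpperInvariant();

    // HMAC-SHA256 over "USERNAME NUL password"; the plaintext is never stored.
    private byte[] ComputeMac(string username, string password) =>
        HMACSHA256.HashData(_key, Encoding.UTF8.GetBytes(Norm(username) + "\0" + password));
}
```

In an override like the one above, IsKnownGood would be consulted before the database and Remember called only after the database accepts the pair. The expiry time bounds how long a stale entry can survive if an Invalidate call is missed, for example when the password is changed on another server.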
Softwaremaker - 22 Jun 2004 14:07 GMT
Hi Greg,

I understand your concern. If you are sending multiple messages (> 2) to a
service, you may want to look at the Security Context Token (SCT) that is
implemented with WS-SecureConversation. Look at the working samples for an
idea. You can also find in the newsgroups a few postings (some of them by me
;)) that relate to WS-SecureConversation. There are 2 models for
WS-SecureConversation: one where the SCT Issuer has the same host and
endpoint as the Service itself and one where it is different. There are
working samples in the examples.

The SCT in WS-SecureConversation is optimized for a Conversation-Like model
where multiple secured messages are exchanged. Symmetric Key Tokens are used
in this case to cut down on processing power.

I also agree with you that the documentation has been *crappy* and
inaccurate. Again see some of my posts in this newsgroup with regards to the
poor documentation of WSE2.0RTM.

hth.

Thank you very much

Warmest Regards,
Softwaremaker
Architect | Evangelist | Consultant

+++++++++++++++++++++++++++++++++

> Hi Jag, thanks for the reply. I ended up getting it working, I just overrode
> the AuthenticateToken method.   I found the most difficulty in configuring
[quoted text clipped - 71 lines]
> > > Thanks,
> > >     Greg
Jag - 23 Jun 2004 04:26 GMT
Hi Greg,
Thanks for your reply. Are you looking at the sample that installs with
WSE 2.0 in the install folder and not the HOLDEVL34 - Security.doc? I
ask this as the CustomXmlSecTokencode sample has no class deriving
from UsernameTokenManager (override AuthenticateToken) method. I might
be missing something. This sample that I am referring to has a custom
implementation of an XmlToken.

What I am looking at doing is providing a token that can hold
information related to lockout policies and password policies of a
user account.

Regards
Jagdeep

> Hi Jag, thanks for the reply. I ended up getting it working, I just overrode
> the AuthenticateToken method.   I found the most difficulty in configuring
[quoted text clipped - 71 lines]
> > > Thanks,
> > >     Greg
Jag - 24 Jun 2004 01:50 GMT
Hi Greg,

The problem that I was having with the sample was:

The virtual directory for the web service was executing under the ASPNET
user account and this account did not have permission to read the
"{drive}:\Documents and Settings\All Users\Application
Data\Microsoft\Crypto\RSA\MachineKeys" folder. Now the sample works.
This will be an issue to remember during deployment.

What I have been pondering over is the case where one is using a Kerberos
token or a username token with Windows authentication. If the policy on the
account has the "password expired", WSE 2.0 throws an exception
"authentication failed". Unless one has the security audit set up, is there
a way to pass the correct account policy details?

Regards

Jagdeep

> I would like to implement custom authentication using WSE 2.0 . I have
> downloaded the HOL but all the examples seem to use a windows authentication
[quoted text clipped - 9 lines]
> Thanks,
>     Greg
