.NET Forum / ASP.NET / Web Services / December 2004

WSE 2.0 1000 Foot level Question Easy one

Sql Agentman - 01 Dec 2004 05:42 GMT
I need to secure communications between a website and a web service

what possible ways of doing this?

Possibilities

1-  use a trust between the website and the web service
2-  use usernameToken and authenticate per user every time for every method

if I am to use a user account and password where do I keep them?
I can pass them encrypted. Do I keep them in session state
What if session is hijacked?

thanks for any help, or reference to any documents that can guide me through this.

gus.
Softwaremaker - 01 Dec 2004 11:49 GMT
> I need to secure communications between a website and a web service
>
[quoted text clipped - 3 lines]
>
> 1-  use a trust between the website and the web service

[Softwaremaker] Do you mean SSL ? If it is just end-to-end security you
desire with no intermediaries in between, you can consider SSL

> 2-  use usernameToken and authenticate per user every time for every method
>
> if I am to use a user account and password where do I keep them?
> I can pass them encrypted. Do I keep them in session state
> What if session is hijacked?

[Softwaremaker] You keep the useraccount and pwd as you would
normally....either in Windows Accounts, AD, or a UserDB, etc. Web Services
are stateless and there is no session per se. Every call would involve your
web services to authenticate again. You can implement your own session
container, if you choose to. You can also look at WS-SecureConversation
which uses SecureContextTokens for quicker authentication. However, it is
not really a standard yet. If you have control on both ends and they both
use WSE, then it should be fine.

> thanks for any help, or reference to any documents that can guide me through this.
>
> gus.
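
Added example, not part of the thread and not WSE's own code: a stateless per-call check of a WS-Security UsernameToken sent as a password digest, Base64(SHA-1(nonce + created + password)) from the OASIS UsernameToken Profile, with a freshness window and a nonce cache so that a captured token cannot be reused. The class name, the five-minute window and all sample values are assumptions, and it targets current .NET for `CryptographicOperations.FixedTimeEquals`.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class UsernameTokenCheck   // hypothetical name, not a WSE type
{
    static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(5);   // assumed freshness window
    static readonly Dictionary<string, DateTime> Seen = new Dictionary<string, DateTime>();

    // SHA-1(nonce + created + password); the token carries this value Base64-encoded.
    public static byte[] Digest(byte[] nonce, string created, string password)
    {
        byte[] buf = nonce.Concat(Encoding.UTF8.GetBytes(created + password)).ToArray();
        using (SHA1 sha = SHA1.Create()) return sha.ComputeHash(buf);
    }

    // Runs on every request; storedPassword comes from the service's own user store.
    public static bool Verify(string nonceB64, string created, string digestB64,
                              string storedPassword, DateTime nowUtc)
    {
        byte[] nonce, sent;
        try { nonce = Convert.FromBase64String(nonceB64); sent = Convert.FromBase64String(digestB64); }
        catch (FormatException) { return false; }
        if (!DateTime.TryParse(created, CultureInfo.InvariantCulture,
                DateTimeStyles.AdjustToUniversal | DateTimeStyles.AssumeUniversal, out DateTime ts))
            return false;
        if ((nowUtc - ts).Duration() > MaxAge) return false;       // stale or future-dated
        if (!CryptographicOperations.FixedTimeEquals(sent, Digest(nonce, created, storedPassword)))
            return false;                                           // digest does not match
        lock (Seen)
        {
            foreach (string k in Seen.Keys.ToList())                // drop expired nonces
                if (nowUtc - Seen[k] > MaxAge) Seen.Remove(k);
            if (Seen.ContainsKey(nonceB64)) return false;           // token already used
            Seen[nonceB64] = ts;
            return true;
        }
    }

    static void Main()
    {
        DateTime now = new DateTime(2004, 12, 1, 5, 42, 30, DateTimeKind.Utc);   // constructed
        string created = "2004-12-01T05:42:00Z", pwd = "constructed-password";   // constructed
        byte[] nonce = Encoding.ASCII.GetBytes("constructed-nonce-01");
        string n = Convert.ToBase64String(nonce), d = Convert.ToBase64String(Digest(nonce, created, pwd));
        Console.WriteLine(Verify(n, created, d, pwd, now));                 // first use of the token
        Console.WriteLine(Verify(n, created, d, pwd, now));                 // same token sent again
        Console.WriteLine(Verify(n, created, d, pwd, now.AddMinutes(10)));  // same token sent late
    }
}
```

The digest form requires the service to hold the password, or an equivalent secret, in recoverable form, and the nonce cache must be shared across servers if the service is load-balanced.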
Sql Agentman - 01 Dec 2004 14:58 GMT
Thank you for your reply,

If I understand you correctly:

I can use SSL between the WebSite and the WebService?
or
I can Use SecureConversation between the Website and the WebService

Now when one of my users authenticates with his/her/it account and
password
on a web Form ( using Form authentication )
I can keep that info in a session variable(s), but what is the best
practice?
Passing the user account and password to the web service so the web
service can authenticate/authorize their requests etc...

Do I generate a UserNameToken and keep it in the WebSite Session and
send it back and forth to the WebService??

I am looking for some guidance, documents, a book that can give me
some real life examples on how to go about doing that securely.

Thank you again for your help...

Gus

> > I need to secure communications between a website and a web service
> >
[quoted text clipped - 27 lines]
> >
> > gus.
Martin Kulov - 01 Dec 2004 19:40 GMT
Hi Sql,

When you use SecureConversation in WSE2.0 SP2 you do not need to have SSL between the WebSite and the WebService. The UsernameToken is encrypted with the receiver's public key. So all you need is to specify the public key of your WebService in WebSite settings.
You do not have to keep the username token with every request since you can extract it from the security context that you will be using.
Look at the HOL-Security on http://msdn.microsoft.com/webservices/building/wse/default.asp.

Best,

Martin Kulov
www.codeattest.com
SQLAgentman - 06 Dec 2004 21:01 GMT
Martin,
Thanks for your help. I will read the HOL-Security -- that should help.
Sql

> Hi Sql,
>
> When you use SecureConversation in WSE2.0 SP2 you do not need to have SSL between the WebSite and the WebService. The UsernameToken is encrypted with receiver's public key. So all you need is to specify the public key of your WebService in WebSite settings.
> You do not have to keep the username token with every request since you can extract it from the security context that you will be using.
> Look at the HOL-Security on http://msdn.microsoft.com/webservices/building/wse/default.asp.
[quoted text clipped - 3 lines]
> Martin Kulov
> www.codeattest.com
Martin Kulov - 01 Dec 2004 12:42 GMT
Hi Sql,

Look at this doc [1]. There is a practical explanation of how to implement a web service that supports Secure Conversation. In WSE 2.0 SP2 the security of the UsernameToken is even better. You do not have to keep the session anywhere. This is handled for you by the SecureConversation module.

[1] http://download.microsoft.com/download/7/A/A/7AA994A0-98E1-42CC-A527-0FE1B49DEB40/HOL-WSE-Security.EXE

Martin Kulov
www.codeattest.com
