 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / ASP.NET / Web Services / December 2004Authorization during WS-SecureConversation secured calls
What are the options/best practices for authorizing individual Web Service methods that are being made under the protection of WS-SecureConversation? The pattern I have in mind is: 1) The web service client is initially authenticated using a custom username/password (stored in a backend database) while the WS-SecureConversation machinery is being set up. (No problems in this part). 2) Subsequent web service calls made by the client are now secured and authenticated, but how can authorization checks be performed on them at call time, since different web service calls may have different privilege requirements? In particular, I can't see how to obtain a Principal/Identity from the DerivedKeyToken that is being used to encrypt the subsequent web service requests. This seems like it should be a fairly common usage pattern, but everything I've read so far appears to discuss WS-SecureConversation and authorization separately, and I can't seem to get my head around how these should be made to work together. Should I be exploring: i) A solution based on custom security tokens? Binary or XML? ii) Adding some sort of custom SOAP header? iii) Some sort of session state based solution? iv) Something else altogether? I'm still holding out hope that this problem is straightforward and I've just managed to miss some key point... Regardless, any insights much appreciated! tim Hi Tim, WS-SecurityConversation manages all these issues for you. When you send your username and password in UsernameToken it will be encrypted with the public key of the server that you have specified. Then the sever returns security context token and you can start encrypting subsequent messages. When the server receives security context token it associate it with the original username token. You can see this if you access RequestSoapContext.Current.IdentityToken.BaseToken. It is your original UsernameToken. You can also query for IsInRole method in RequestSoapContext.Current.IdentityToken.Principal. You will see that the principal object is still the same WindowsPrincipal if you have used password in plain text and windows authorization. HTH, Martin Kulov http://www.codeattest.com MCAD Charter Member MCSD.NET Early Achiever MCSD Hi Tim, Martin I have similar needs, If you don't mind I have few questions. 1- When the server returns a security context token where can this be stored if the consumer is a web site and not a windows app? 2- What happens If I don't use Windows authorization? I know that Web Services are stateless. Basically I need to authenticate a user against a database, then get the rolls that apply to a logged on user. On subsequent calls I will continue to authenticate and check authorization ( due to my psychosis characterized by systematized delusions of persecution or grandeur usually without hallucinations. my tendency toward excessive or irrational suspiciousness and distrustfulness of others) Thank you for any help Sql Hi SQLAgentman, >> 1- When the server returns a security context token where can this be stored if the consumer is a web site and not a windows app? You can store it in web server's Application object or in some other storage, ie. database, file ... >> 2- What happens If I don't use Windows authorization? In this case you need to write a class that inherits UsernameTokenManager and authenticate the user by yourself. Look for "Implementing a UsernameTokenManager" in http://msdn.microsoft.com/msdnmag/issues/04/10/ServiceStation/. Regards, Martin Kulov http://www.codeattest.com MCAD Charter Member MCSD.NET Early Achiever MCSD Hi Martin, When I send a password in plain text, windows Authentication kicks in - right? when I implement my own UsernameTokenaManager and pass the password in plain text does Windows Authentication kick in also, or it depends on what I do in my own UsernameTokeManager? Okay I might be able to store the context token in session state, since application object is for all users Do I store the context as a blob in a database or what? Thank you for all your help Sql Hi SQLAgentman, > When I send a password in plain text, windows Authentication kicks in > - > right? That's right. > when I implement my own UsernameTokenaManager and pass the password in > plain text does Windows Authentication kick in also, or it depends on > what I do in my own UsernameTokeManager? Yes, it depends on what you have implemented in AuthenticateToken method that you have overrided. > Do I store the context as a blob in a database or what? Wherever you want to. See "Serializing and Deserializing the SCT" in Chris Keyser's article [1]. [1] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebsrv/html/s ctinfarm.asp Regards, Martin Kulov http://www.codeattest.com MCAD Charter Member MCSD.NET Early Achiever MCSD Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.