See comments inline. Not sure if this is what you need.

Thank you.
Regards,
William T (Softwaremaker)
http://www.softwaremaker.net/blog
=========================================
> All,
>
> I have a simple request. I am looking for a FULL code example that
> will allow me to use the PasswordOption.SendHashed on a UsernameToken
> WITHOUT using a certificate.
[WilliamT] You don't need a certificate for that in the first place.
> I simply want to pass the user id and
> password to the web service, (in a manner in which the password is not
> transmitted on open text),
[WilliamT] Depending on how strong your passwords are, you may be subject to
some form of dictionary attack.
> and have the Web Service authenticate the
> user in a custom manner such as against an SQL Server database.
>
> Any pointers to examples would be greatly appreciated.
[WilliamT] Pointers are all over the web, including WSE documentation. The
essence is:
RequestSoapContext.Security.Tokens.Add(New UsernameToken("MyName",
"MyPassword", PasswordOption.SendHashed))
GCeaser@aol.com - 02 Mar 2005 13:35 GMT
The only option in the WSE 2.0 documentation that uses
PasswordOption.SendHashed used an X509 certificate. There are intranet
web services so as long as the passwords are not transmitted in open
text, the security is fine. The pointers I have found on the net either
use a certificate or are not complete examples. They might say insert
code in your program to do this but they do not give you a full -
executable to download so you can see where everything fits together.
Any help would be appreciated.
Thanks
Softwaremaker - 02 Mar 2005 21:41 GMT
> The only option in the WSE 2.0 documentation that uses
> PasswordOption.SendHashed used an X509 certificate.
[WilliamT] Wait...you must be talking about using a SecurityContextToken,
aren't you? If you are using a straight-up UsernameToken, I don't think you
need to use an X509 for a shared secret encryption, at least not the last
time I checked anyways :)
> There are intranet
> web services so as long as the passwords are not transmitted in open
> text, the security is fine. The pointers I have found on the net either
> use a certificate or are not complete examples.
[WilliamT] Check out William Stacy's code tips and snippets on how to do
this here. (1) I think those are awesome concrete examples.
1.
http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!268.entry
Softwaremaker - 02 Mar 2005 21:50 GMT
You may want to check out this thread in this newsgroup as well (1)
1. news:OhgIhP9DFHA.4072@TK2MSFTNGP10.phx.gbl
VBAHole22 - 07 Mar 2005 20:13 GMT
You do bring up a great point though. I have been able to get the HashPass
option to work. Didn't do anything special, just overrode the TokenManager
because I wanted to hit against SqlServer and not AD.
BUT.....
Now I am checking the password against SqlServer and they are in SqlServer
in clear text. This is not good for me because this is a client deployment
and I don't have any idea who may see the db. What I would prefer is to have
the passwords stored as binary and SHA encrypted. I have code that will store
them this way and authenticate them this way. The problem is that the
AuthenticateToken method that I have overridden ONLY returns a string.
So is the answer to have the return value from this overridden function be
some dummy value based on the db check?
Softwaremaker - 07 Mar 2005 22:11 GMT
See comments inline.
> You do bring up a great point though. I have been able to get the HashPass
> option to work. Didn't do anything special just overrode the TokenManager
[quoted text clipped - 4 lines]
> and I don't have any idea who may see the db. What i would prefer is to have
> the passwords stored as binary and SHA encrypted.
[WilliamT] Wait...Should I assume it's SHA-Hashed or DES-Encrypted? I think
I will assume SHA-Hashed in this instance. Please correct me if I am wrong.
> I have code that will store
> them this way and authenticate them this way. The problem is that the
> AuthenticateToken method that I have overridden ONLY returns a string.
> So is the answer to have the return value from this overridden function be
> some dummy value based on the db check?
[WilliamT] There are a few ways and guidance to do this. You can check out
my blog here
http://www.softwaremaker.net/blog/PermaLink,guid,43d85031-3e0b-48a7-bdd7-1f49932db40a.aspx
for some tips. Alternatively, you HAVE to read Keith's article here
http://msdn.microsoft.com/webservices/default.aspx?pull=/library/en-us/dnwse/html/securusernametoken.asp
as well as read StaceyW's blog here
http://spaces.msn.com/members/staceyw/?partqs=cat%3DWSE&_c11_blogpart_blogpart=blogview&_c=blogpart
on some bits on how to best implement your solution.
VBAHole22 - 07 Mar 2005 20:17 GMT
The part I understand least about this whole process is: why do I NOT have to
call the AuthenticateToken function? I mean, I know it gets called right. But
it accepts a username and returns a password. Well, I am the one querying the
db for the password so I know if that user is authorized or not, why wouldn't
this method then return a bool? And since it doesn't but returns a string,
what happens to that string after I return it from that method? Where would
WSE check it against anything?
I need to override this entire return string business, but how?
Sidd - 25 Mar 2005 07:58 GMT
The string returned by AuthenticateToken is the password. If the
PasswordOption is SendHashed, WSE takes this password string from
AuthenticateToken, hashes it, and then compares it to the hash that came
across the wire.
In your case if you query your Database and find out that this is an invalid
user, then you can always throw, or return null.
Does this make sense? Let me know if you are still unclear.
Thanks,
Sidd [MSFT]
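An added example, not code from this thread or from WSE itself, that models in Python what Sidd describes: the client computes the WS-Security PasswordDigest from nonce, created and password, and the service recomputes it from whatever string the AuthenticateToken override returns. The `USERS` store, the `lookup_*` functions and the `build_token`/`verify_token` names are constructed stand-ins for the SqlServer lookup and for WSE's own token processing; the second lookup shows why returning a stored SHA hash instead of the password cannot verify.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed sample credential: what the service's own store holds for this user.
USERS = {"MyName": "MyPassword"}

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WS-Security PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    h = hashlib.sha1()
    h.update(nonce)
    h.update(created.encode("utf-8"))
    h.update(password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")

def build_token(username, password, nonce=None, created=None):
    """Client side: the fields UsernameToken(..., PasswordOption.SendHashed) sends.
    The cleartext password stays on the client; only nonce, created and digest go out."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }

def verify_token(token, authenticate_token):
    """Service side: what WSE does with the string an AuthenticateToken override returns.
    authenticate_token(username) stands in for UsernameTokenManager.AuthenticateToken;
    returning None (or raising) rejects the user, as Sidd describes."""
    password = authenticate_token(token["Username"])
    if password is None:
        return False
    expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
    return hmac.compare_digest(expected, token["PasswordDigest"])

def lookup_cleartext(username):
    """Override returning the stored cleartext password: verification succeeds."""
    return USERS.get(username)

def lookup_sha_hash(username):
    """Override returning a stored SHA-1 of the password instead: WSE hashes that string
    again with nonce+created, so it never matches the digest the client computed."""
    pw = USERS.get(username)
    return hashlib.sha1(pw.encode("utf-8")).hexdigest() if pw is not None else None
```

The digest only hides the password from a casual observer; the service still needs the password itself (or an equivalent secret the client also uses) to recompute it, which is the constraint VBAHole22 ran into.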