.NET Forum / ASP.NET / Web Services / June 2005

Best Practices for WSE

J. Ambrose Little [MVP] - 23 Jun 2005 14:01 GMT
I'm trying to develop a proof of concept for my company using WSE.  We
actually have a relatively simple goal.  We have a web application that uses
integrated authentication, and we'd like to flow the identity of the user to
an internal Web service.  I was thinking that just stuffing that into a token
in the SOAP header would make the most sense, but then I started reading over
the WSE 2-3 stuff, and it looks like there's some such functionality built in.

The problem I have is that it appears that most of these approaches are a
little overcomplicated for my needs.  I don't think I need an x509
certificate--we want to make deployment as simple as possible for our
clients.  So what would be the most simple and effective way to achieve our
goal?

Thanks.

--
J. Ambrose Little
ASP.NET MVP/ASPInsider
-----
Non nobis Domine non nobis sed nomini Tuo da gloriam.
Marvin Smit - 23 Jun 2005 14:30 GMT
Hi,

I think WSE is still the way to go. The thing you want to use is
WS-Security. This spec (and implementation within WSE2-3) will allow
you to deal with securing messages, signing and encryption.

X509 is an option, but not the only one. You can use
"Username/Password" in Digest too, or roll out your own
"UsertokenManager".

Hope this helps,

Marvin Smit

>I'm trying to develop a proof of concept for my company using WSE.  We
>actually have a relatively simple goal.  We have a web application that uses
[quoted text clipped - 10 lines]
>
>Thanks.
J. Ambrose Little - 23 Jun 2005 14:57 GMT
So there's no way to set this up via policy?  I was getting the impression
that I could just flip some switches to flow Windows authentication through.  
I have done some initial research, but I was wanting to get experienced input
prior to going too far down the wrong path.

J. Ambrose Little
ASP.NET MVP/ASPInsider
-----
Non nobis Domine non nobis sed nomini Tuo da gloriam.

> Hi,
>
[quoted text clipped - 5 lines]
> "Username/Password" in Digest too, or roll out your own
> "UsertokenManager".
Julie Lerman - 24 Jun 2005 01:58 GMT
Hey Ambrose

I haven't done it this way yet (more focused on UsernameTokens for initial
authentication). However, I did notice that option in the WSE3 settings
tool - all Windows authentication - no username, no digital certificates -
but have no idea what the encryption/signature ramifications are. I can look
at this further.

Short of that, you could always use a UsernameToken, set it up for working
with Active Directory (i.e. sendPlainText) but have a Web Server certificate
on the webserver so that you can encrypt the UsernameToken on its way over.
You could easily install the server's public key on the client machines
along with the client application.

Policy handles all of this except for actually constructing the username
token and adding it into the proxy.Credentials (the wse3 way) or the
context.security.tokens (the wse2 way). You can just do this part in code.

Make sense?

Julie

> So there's no way to set this up via policy?  I was getting the impression
> that I could just flip some switches to flow Windows authentication
[quoted text clipped - 12 lines]
>> "Username/Password" in Digest too, or roll out your own
>> "UsertokenManager".
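
The trade-off between the "Digest" option and the sendPlainText option discussed above, as an added example that is not part of the thread and is not WSE code: a Python sketch of the WS-Security UsernameToken PasswordDigest, Base64(SHA-1(nonce + created + password)), with the service-side freshness and replay checks. The account store, function names and five-minute window are assumptions; the service has to hold the clear-text password to recompute the digest, which is why validation against Windows accounts uses the plain-text form over an encrypted channel instead.

```python
import base64, hashlib, hmac, os
from datetime import datetime, timedelta, timezone

# Constructed account store (assumption). Digest verification needs the
# clear-text password, or an equivalent secret, on the service side.
ACCOUNTS = {"alice": "correct horse"}
SEEN_NONCES = set()               # replay cache; a real service expires entries
MAX_AGE = timedelta(minutes=5)    # assumed freshness window
FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)) per the UsernameToken Profile."""
    sha = hashlib.sha1(nonce + created.encode() + password.encode())
    return base64.b64encode(sha.digest()).decode()

def make_token(user, password, now=None):
    """Client side: the fields of a UsernameToken carrying a PasswordDigest."""
    now = now or datetime.now(timezone.utc)
    nonce = os.urandom(16)
    created = now.strftime(FMT)
    return {"Username": user,
            "Nonce": base64.b64encode(nonce).decode(),
            "Created": created,
            "PasswordDigest": password_digest(nonce, created, password)}

def verify_token(token, now=None):
    """Service side: returns 'ok' or the reason the token is rejected."""
    now = now or datetime.now(timezone.utc)
    password = ACCOUNTS.get(token["Username"])
    if password is None:
        return "unknown user"
    created = datetime.strptime(token["Created"], FMT).replace(tzinfo=timezone.utc)
    if abs(now - created) > MAX_AGE:
        return "stale"
    if token["Nonce"] in SEEN_NONCES:
        return "replayed"
    expected = password_digest(base64.b64decode(token["Nonce"]),
                               token["Created"], password)
    if not hmac.compare_digest(expected, token["PasswordDigest"]):
        return "bad digest"
    SEEN_NONCES.add(token["Nonce"])   # remember only tokens that were accepted
    return "ok"
```

The digest keeps the password off the wire but does not encrypt or sign the message body, so it does not replace the transport or certificate protection discussed in the thread.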
Julie Lerman - 24 Jun 2005 14:15 GMT
As I suspected, this is the method that uses Kerberos tokens. A topic that
I know very little about.

julie

> Hey Ambrose
>
[quoted text clipped - 35 lines]
>>> "Username/Password" in Digest too, or roll out your own
>>> "UsertokenManager".
serzsa - 24 Jun 2005 06:52 GMT
Take a look at this topic in WSE3.0 Docs:
ms-help://MS.WSE30.1033/WSE3.0/html/0246eb35-4599-4fec-beea-af0419fe8926.htm

One of the "turnkey" scenarios that might be close to what you're looking
for is <usernameOverCertificateSecurity>. It's totally configurable via
policy and it looks like UsernameToken in WSE3.0 scenarios is automatically
checked against windows accounts by service for authentication purposes. The
only thing to have is a server X509 installed on the client as well - this
way the server is authenticated.

The HOL-202 (security) that's available for download with WSE3.0 can be
helpful as well.

> So there's no way to set this up via policy?  I was getting the impression
> that I could just flip some switches to flow Windows authentication through.  
[quoted text clipped - 10 lines]
> > "Username/Password" in Digest too, or roll out your own
> > "UsertokenManager".
serzsa - 24 Jun 2005 07:01 GMT
And yes, if you're doing it over https, then it's even easier:
<usernameOverTransportSecurity> - no X509 worries at all.

> Take a look at this topic in WSE3.0 Docs:
> ms-help://MS.WSE30.1033/WSE3.0/html/0246eb35-4599-4fec-beea-af0419fe8926.htm
[quoted text clipped - 23 lines]
> > > "Username/Password" in Digest too, or roll out your own
> > > "UsertokenManager".
J. Ambrose Little - 24 Jun 2005 14:53 GMT
Thanks to everyone.  I think I've now got an idea of what I'd like to do.
J. Ambrose Little
ASP.NET MVP/ASPInsider
-----
Non nobis Domine non nobis sed nomini Tuo da gloriam.