Embedded UserControl accessing ws-security web service

Ryan Yoder - 23 Nov 2004 19:35 GMT
I have a UserControl embedded in an aspx page that needs to access a
ws-security enabled web service.
The web service requires an encrypted UsernameToken in the soap headers and
authenticates on every call.

Use case:
User enters username/password into login.aspx page over https.
If authenticated, a session is created for the user and the user's userName
is added to the session.
User accesses the application over http and the presence of a session grants
them access.
When they open a page with my embedded user control the control needs to
call the web service and pass their credentials.  

Problem:
I need to be able to get the user's credentials into the UserControl
embedded in the web page.  And I need to do it securely.  Is this possible?

Passing the credentials in the clear into the control via the object tag
params is insecure.
I could "encrypt" the credentials with a 3DES and a hardcoded key and use
them in the object tag parameters for init, but this is not secure because
anyone with the userControl can decrypt the credentials.

Anyone have any ideas??
Leon Friesema - 24 Nov 2004 01:16 GMT
>I have a UserControl embedded in an aspx page that needs to access a
>ws-security enabled web service.
[quoted text clipped - 21 lines]
>
>Anyone have any ideas??

I'm sorry, but I don't seem to get the point, perhaps I'm too stupid
(you'd never know)..
Anyway, first of all; you already have a https session (secured), so
why is it insecure to post data onto a UserControl using https? Just
make sure all pages are https://

Second, you could use the Session Object, that's server side, so
nobody would even know where to retrieve the userinformation. You
don't even have to use the UserControl to post the credentials to the
WS, but you could use the code-behind. When you're not sure the
Session variables aren't posted back to the client put all
"EnableViewState"'s to false and no info is posted back to the client;
you would limit the potential, but that's another issue.

Third, you could try to create a single-page application. Just one
WebForm, all your controls onto that form and handle all visible stuff
with
this.FindControl(myControlName).Visible = false; // or true for that matter
And in this instance it's secured through the https protocol, you
wouldn't even have to use the Session-object, but you could keep all
information in private static [string?] values.

Just some ideas...

Leon
Ryan Yoder - 29 Nov 2004 21:25 GMT
> >I have a UserControl embedded in an aspx page that needs to access a
> >ws-security enabled web service.
[quoted text clipped - 27 lines]
> why is it insecure to post data onto a UserControl using https? Just
> make sure all pages are https://

Not all pages are https.  Unfortunately.

> Second, you could use the Session Object, that's server side, so
> nobody would even know where to retrieve the userinformation. You
[quoted text clipped - 3 lines]
> "EnableViewState"'s to false and no info is posted back to the client;
> you would limit the potential, but that's another issue.

The user control accesses the web service directly and never posts to the
web server that served up the control.  So all the view state stuff is not an
issue and there is no code behind.

> Third, you could try to create a single-page application. Just one
> WebForm, all your controls onto that form and handle all visible stuff
[quoted text clipped - 4 lines]
> wouldn't even have to use the Session-object, but you could keep all
> information in private static [string?] values.

I really don't understand that suggestion.

> Just some ideas...
>
> Leon

Thanks for your help.

The question is basically:
"How does a hosted user control (client side like ActiveX not a web user
control)  get the credentials to pass to ws-security enabled web services."

Here is an example of an insecure way of doing it.

<object id="viewer" height="900" width="900"
classid="Test.dll#Test.TestControl">
   <param name="username" value="user">
   <param name="password" value="password">
</object>
Leon Friesema - 29 Nov 2004 22:07 GMT
>> Third, you could try to create a single-page application. Just one
>> WebForm, all your controls onto that form and handle all visible stuff
[quoted text clipped - 20 lines]
>    <param name="password" value="password">
></object>

Ahh, but that's not what I thought it was; I thought you meant a Web
User Control, not like this. In this case, I haven't got a clue what
to do ;-)
Anyway what I meant by creating a "single-page-application", not that
it's a solution to your problem, is one page with all WebUserControls
onto that one, so every page you call is actually the same page,
except with different visible WebUserControls (can be handled from the
code-behind). But then again: that's no solution to your question.

Leon.
