Velocity Reviews - Computer Hardware Reviews

Web services and security

 
 
Smokey Grindle
04-23-2007
I want to make a security system in my web service similar to the one that
Reporting Services uses: it has a logon user and logoff user web method...
when you log on it logs you into a session and maintains your logged-in
status until you log off or time out... I don't want to have to pass
username/pass back and forth each time I call a method... I want to use
sessions and I need a custom authentication and authorization method for our
service (it's how we defined it to work). How would you go about doing this?
In Reporting Services it uses a web service to do it in this order:

Connect to web service with no IIS authentication
Log into web service via a public web method called LogonUser
Web service consumer has a cookie container and credentials set to
CredentialCache.DefaultNetworkCredentials

User logs on, all web methods now run as that user until user times out or
calls LogOffUser

Any ideas on how to do this? It's basically like forms authentication just in
a web service and no login form... thanks!


 
Cowboy (Gregory A. Beamer)
04-23-2007
A better option is to use WSE 3.0 (WS-Security). You can attach an X.509
certificate, which will be more secure, and have less overhead, than adding
a session to the web service. It is also standards based, which allows you
to dupe the methodology for systems that have to be contacted from Java
(example).

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA
http://gregorybeamer.spaces.live.com

*********************************************
Think outside the box!
*********************************************

 
Smokey Grindle
04-23-2007
Wouldn't each client require an X.509 cert on their machine, though?
 
Cowboy (Gregory A. Beamer)
04-23-2007
Yes, but getting the cert can be part of the sign-up procedure for the
application. This can be highly encapsulated in a SmartClient application.
There are other, less secure, methods in WS-Security.

You can also generate keys for users after they have established a session
and pass that key (initially null) with each subsequent request. This will
require a custom authentication/session framework, but it is doable. I
currently use a key on one set of web services, but it was one that had to
be thrown up quickly, sits behind SSL and I control the clients (which are
other web apps on another domain), so I am not that worried about security.

As a slight alteration, you can send user login info every time and store
the current session completely on the backend. As this requires a user's
login, you will have to use SSL. If you are using a Smart Client and would
like to hide this, you can have them log in via a web service and have it
return a session token. If you use a custom method, you can keep the "session"
alive on the server side as long as you want. Just make sure it eventually
times out and the app logs it out when they shut it down. Do not trust users
to end the session.
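The logon/token/logoff flow the question describes, with the server-side expiry the reply above says not to leave to the client, as an added example in Python (this is not code from the thread, from Reporting Services or from WSE). LogonUser and LogOffUser are the method names from the question; WhoAmI, SessionService, the two timeout values and the credential table are assumptions made for this example.

```python
# Session-token authentication for a web service (added example, not from the
# thread). LogonUser/LogOffUser are the method names from the question; the
# service, timeouts and credential table are constructed for this example.
import hmac
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds of silence before the server drops a session
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity

# Constructed credential table. Plaintext only to keep the example short; a real
# service verifies against salted password hashes.
_USERS = {"alice": "correct horse", "bob": "hunter2"}


class AuthError(Exception):
    """Bad credentials, or a call that carries no valid session token."""


@dataclass
class Session:
    user: str
    created: float     # drives the absolute timeout
    last_seen: float   # drives the idle timeout


class SessionService:
    """LogonUser takes a password once; every other method is authenticated
    by the server-issued token it returns (the token stands in for the
    session cookie a SOAP proxy's CookieContainer would carry)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so the timeouts can be exercised
        self._sessions = {}      # token -> Session; state lives only on the server

    def LogonUser(self, user, password):
        # Compare against a dummy for unknown users, still in constant time,
        # so response timing does not reveal which usernames exist.
        expected = _USERS.get(user, "")
        ok = hmac.compare_digest(expected.encode(), password.encode())
        if not ok or user not in _USERS:
            raise AuthError("bad credentials")
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def LogOffUser(self, token):
        self._sessions.pop(token, None)     # idempotent; unknown tokens ignored

    def WhoAmI(self, token):
        """A protected method: it runs as whoever owns the token."""
        return self._require_user(token)

    def active_sessions(self):
        self._sweep()
        return len(self._sessions)

    def _require_user(self, token):
        # Expiry is enforced here, on the server: a client that never calls
        # LogOffUser still loses its session once a timeout elapses.
        self._sweep()
        session = self._sessions.get(token)
        if session is None:
            raise AuthError("no valid session")
        session.last_seen = self._clock()   # slide the idle window
        return session.user

    def _sweep(self):
        now = self._clock()
        dead = [t for t, s in self._sessions.items()
                if now - s.last_seen > IDLE_TIMEOUT
                or now - s.created > ABSOLUTE_TIMEOUT]
        for t in dead:
            del self._sessions[t]


def demo():
    """Log on, call a method, go idle past the timeout: the server drops the
    session even though LogOffUser was never called."""
    clock = [1_000_000.0]
    svc = SessionService(clock=lambda: clock[0])
    token = svc.LogonUser("alice", "correct horse")
    first = svc.WhoAmI(token)           # the call runs as "alice"
    clock[0] += IDLE_TIMEOUT + 1        # client went quiet
    try:
        svc.WhoAmI(token)
        expired = False
    except AuthError:
        expired = True
    return first, expired, svc.active_sessions()
```

The token is a bearer credential, so, as the reply says, it only works behind SSL. In an ASMX service the same shape is `[WebMethod(EnableSession = true)]` with the proxy's CookieContainer carrying ASP.NET's session cookie; either way the timeout has to be enforced on the server, not by the client remembering to call LogOffUser.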

 