How to call Web Service Securely

 
 
va
 
      02-10-2006

I love Web Apps in ASP.NET 2.0 because you can easily deny users access to
pages by role or user.

But for desktop client to webservice methods, I am not sure what to do....

I am looking for the simplest and safest method or pattern to have my
Desktop client be able to call a web service securely.

Assume my webservice proxy has 15 methods. By securely, I want the Client
desktop app to pass some kind of simple username/password token -- something
- but not in plain text - so that access to the web call either immediately
succeeds or fails. I don't know where to start - what is the simplest and
easiest way to accomplish this and maintain it?
Thanks for any simple answers.
 
Dominick Baier [DevelopMentor]
 
      02-10-2006
Hi,

you can use IIS/integrated auth with SSL or WS-Security

Does your user have a Windows account? if yes you could simply use integrated/basic/digest
over SSL

If you want some kind of custom authentication scheme - you could handroll
it using headers or have a look at UsernameTokens in WSE3 which is a standard
implementation of passing identity information with SOAP packets.

ping me if you need more help

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

 
 
 
 
va
 
      02-10-2006
Dominick,

I looked at handrolling WS* but the problem I had was I didn't like having
to hardcode lookups on the server side - I was just hoping I could create
some token on the desktop side and when making the call the service's
method would allow or disallow.


The design is a stand-alone exe (could be on your machine) that needs to make a
web method call via dialup to my IIS Web Service.

I can create a User Account on the IIS server but not on the user's desktop
- the networks are unrelated. I can create my own logon screen locally of
course to get the userid and password I'll need to somehow receive on the
other side.

Is there a way I can create a token from that userid/password and use
integrated security without having to have the standard windows login screen
popup each method call?
 
Dominick Baier [DevelopMentor]
 
      02-10-2006
Hi,

ok - as i said - you have two options:

--- #1 you create Windows users for your client on the IIS machine

you could provide a logon screen in the client app and create a NetworkCredential
from that - then use SSL and basic auth to access the web service


--- #2 you don't want the user accounts in Windows but rather some database

you could handroll some headers or use WSE (e.g. if you can't use SSL) -
you would have to provide your own authorization architecture then -

WSE3 is the first version which supports an <authorization> element for security
tokens - but that is tied to .NET 2.0


so i guess the easiest option might be #1

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
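
Option #1 from the post above, sketched as an added example that is not part of the original thread: the client collects the user name and password once in its own logon form and attaches them to the generated proxy, so no Windows login dialog appears per call. `SecureProxy` and `OrdersService` are hypothetical names; the sketch assumes the IIS site is bound to SSL with Basic authentication enabled and anonymous access disabled.

```csharp
// Added example (not from the thread). SecureProxy and OrdersService are
// hypothetical names used for illustration only.
using System;
using System.Net;
using System.Web.Services;
using System.Web.Services.Protocols;

// Client side: works with any wsdl.exe / "Add Web Reference" proxy, since
// those classes derive from SoapHttpClientProtocol.
public static class SecureProxy
{
    public static void UseBasicOverSsl(SoapHttpClientProtocol proxy,
                                       string userName, string password)
    {
        Uri endpoint = new Uri(proxy.Url);

        // Basic auth only base64-encodes the password, so refuse to send it
        // unless the transport is SSL/TLS.
        if (endpoint.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException(
                "Basic authentication requires an https:// endpoint.");

        // Bind the credential to this endpoint and scheme only, so it is not
        // offered to other hosts or to other authentication schemes.
        CredentialCache cache = new CredentialCache();
        cache.Add(endpoint, "Basic", new NetworkCredential(userName, password));
        proxy.Credentials = cache;

        // After the first challenge, send the Authorization header up front
        // instead of waiting for a 401 on every call.
        proxy.PreAuthenticate = true;
    }
}

// Server side: IIS has already validated the Windows account by the time
// the method runs, so the method only makes the authorization decision.
public class OrdersService : WebService
{
    [WebMethod]
    public string WhoAmI()
    {
        if (!User.Identity.IsAuthenticated)
            throw new SoapException("Not authenticated",
                                    SoapException.ClientFaultCode);
        return User.Identity.Name;
    }
}
```

Call `SecureProxy.UseBasicOverSsl(proxy, user, password)` once after the logon form closes; every later call on that proxy instance reuses the credential.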

 
va
 
      02-10-2006
Thanks. Maybe I am complicating WSE too much - can you point me to a simple
example of WSE used with a WebMethod?
 
Dominick Baier [DevelopMentor]
 
      02-10-2006
which .net version - which type of authentication (username/password against
a db??)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

 
va
 
      02-10-2006
Thanks
 
 
hulinning
 
      02-19-2006
Hi Dominick

What if my client application is a WinCE device, and my webservice is using
Integrated Windows Authentication mode, then what do I need to pass to my
webservice in order to authenticate?

Can I get the user account from the WinCE device without asking the user to provide
a login/password to send to the webservice?




"Dominick Baier [DevelopMentor]" wrote:

> generally:
> http://msdn.microsoft.com/webservice.../building/wse/
>
> security lab:
> http://www.microsoft.com/downloads/d...displaylang=en
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > .NET 2.0. WSE to Database example would be fine.
 
Dominick Baier [DevelopMentor]
 
      02-19-2006
Hi,

prolly not...

but i am not a WinCE expert (in fact i never touched such a device) -sorry.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi Dominick
>
> What if my client application is a WinCE device, and my webservice is
> using Integrated Windows Authentication mode, then what do I need to
> pass to my webservice in order to authenticate?
>
> Can I get the user account from the WinCE device without asking the user to
> provide a login/password to send to the webservice?
>
> "Dominick Baier [DevelopMentor]" wrote:
>
>> generally:
>> http://msdn.microsoft.com/webservice.../building/wse/
>> security lab:
>> http://www.microsoft.com/downloads/d...d=9acd1f8e-97e2-43e2-b484-a74a014a8206&displaylang=en
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> .NET 2.0. WSE to Database example would be fine.
>>>



 