WS-Security Best Practice?

 
 
Brian Greiwe
      01-29-2004
I'm new to Webservices, but nonetheless have taken the leap!

I have a ws I'm writing that will be used in a subscription. Nothing
huge or confidential. The client will pass in standard parms and get
back a data string. There is no need for the return value to be
encrypted/protected/etc, as it does not contain any private data.

However, I want to ensure that the caller has privileges to the
service...based on a subscription. Basically, I want to verify the
caller is who they say they are, and preferably make it so they can't
simply give away their username and password to a buddy and in essence
give someone else a free subscription.

Any advice on the best approach here? I've read many blogs, postings,
and white papers...from custom made db security to WS-Security, to WSE
2.0. I'm looking for the best performance and cost effective
solution.

Any input and advice is welcomed!!!

Thanks,
Brian
 
Jan Tielens
      01-30-2004
Do you want to use your web service in an intranet, or through the internet?
The easiest solution is using integrated Windows authentication, but it will
only work in an intranet environment.

--
Greetz

Jan Tielens
________________________________
Read my weblog: http://weblogs.asp.net/jan

Brian Greiwe
      01-30-2004
This is intended to be provided over the internet on a subscription
basis. So, no, not intranet, which I guess rules out Windows
Authentication.
Jan Tielens
      01-31-2004
A commonly used solution is to put a username/password (or ticket) in the SOAP
header. Here are some links:

http://www.codeproject.com/cs/webser...asp#xx561031xx

http://msdn.microsoft.com/library/de...ce06182002.asp



--
Greetz,
Jan
__________________________________
Read my weblog: http://weblogs.asp.net/jan
 
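What the username/password SOAP header Jan suggests looks like in an ASP.NET ASMX service, as an added example; this is not code from the thread or from the linked articles. It assumes .NET Framework 2.0 or later and an in-memory subscriber store standing in for the database; the namespace, class, method and subscriber names are made up. Two points the thread does not state: the password crosses the wire in the clear inside the envelope, so the endpoint must be HTTPS-only even though the response itself needs no protection, and the store should hold a salted hash, never the password. WSE 2.0's UsernameToken carries the same information in the WS-Security wire format; the plain header below needs no extra library.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web.Services;
using System.Web.Services.Protocols;

// Custom SOAP header carrying the subscriber's credentials on every call.
public class SubscriberHeader : SoapHeader
{
    public string Username;
    public string Password;
}

// Hypothetical subscriber record; a real service loads this from its database.
public class Subscriber
{
    public byte[] Salt;
    public byte[] PasswordHash;   // SHA-256(salt || password), never the password itself
    public DateTime PaidThrough;  // subscription expiry, UTC
}

[WebService(Namespace = "http://example.invalid/subscription/")]   // hypothetical namespace
public class SubscriptionService : WebService
{
    // ASP.NET fills this from the incoming envelope; it stays null if no header was sent.
    public SubscriberHeader Credentials;

    // Constructed in-memory store: one subscriber, "alice", password "correct horse".
    private static readonly Dictionary<string, Subscriber> Store = BuildStore();
    // Used for unknown usernames so they cost the same hashing time as known ones.
    private static readonly Subscriber Dummy = MakeSubscriber("unused", DateTime.MinValue);

    private static Subscriber MakeSubscriber(string password, DateTime paidThrough)
    {
        Subscriber s = new Subscriber();
        s.Salt = Encoding.UTF8.GetBytes("constructed-per-user-salt");  // real code: random per user
        s.PasswordHash = HashPassword(s.Salt, password);
        s.PaidThrough = paidThrough;
        return s;
    }

    private static Dictionary<string, Subscriber> BuildStore()
    {
        Dictionary<string, Subscriber> store = new Dictionary<string, Subscriber>();
        store["alice"] = MakeSubscriber("correct horse", DateTime.UtcNow.AddDays(30));
        return store;
    }

    private static byte[] HashPassword(byte[] salt, string password)
    {
        byte[] pwd = Encoding.UTF8.GetBytes(password);
        byte[] input = new byte[salt.Length + pwd.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pwd, 0, input, salt.Length, pwd.Length);
        using (SHA256 sha = SHA256.Create())
        {
            return sha.ComputeHash(input);
        }
    }

    // Compares every byte whatever the first mismatch position, so response time
    // does not tell a caller how much of the hash they got right.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // True only for a known user with the right password and an unexpired subscription.
    private static bool CredentialsValid(SubscriberHeader h)
    {
        if (h == null || h.Username == null || h.Password == null) return false;
        Subscriber sub;
        bool known = Store.TryGetValue(h.Username, out sub);
        if (!known) sub = Dummy;
        bool passwordOk = FixedTimeEquals(sub.PasswordHash, HashPassword(sub.Salt, h.Password));
        return known && passwordOk && sub.PaidThrough > DateTime.UtcNow;
    }

    // Called first thing in every web method. One message for every failure mode,
    // so the fault does not reveal which usernames exist or whose subscription lapsed.
    private void AuthenticateCall()
    {
        if (!CredentialsValid(Credentials))
        {
            throw new SoapException("Authentication failed or subscription inactive.",
                                    SoapException.ClientFaultCode);
        }
    }

    [WebMethod]
    [SoapHeader("Credentials", Direction = SoapHeaderDirection.In)]
    public string GetData(string region)
    {
        AuthenticateCall();
        // The result itself needs no protection; only the decision above does.
        return "data for " + region;
    }
}
```

A client generated from the WSDL gets a `SubscriberHeaderValue` property on the proxy; setting it once makes every call carry the header. Note that this only proves the caller knows the password, which is exactly why it does nothing against a subscriber handing the password to a friend.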
Brian Greiwe
      02-05-2004
Jan -

Thanks for all the information. I've begun implementing the SOAP
headers and it makes sense, however, it is obvious that users could
simply pass off their usernames and passwords to others and then
"foil" the subscription. Is there a way to validate the origin? Say
capturing the IP address or anything?

Thanks,
Brian
 
Jan Tielens
      02-06-2004
Sure you can get the IP address of the computer that is calling.
this.Context.Request.ServerVariables["REMOTE_ADDR"]

Or you could use client and server side certificates to make it even more
secure.

--
Greetz

Jan Tielens
________________________________
Read my weblog: http://weblogs.asp.net/jan

 
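The two origin checks Jan's reply mentions, written out as an added example (mine, not Jan's or the thread's) for an ASMX service on .NET Framework 2.0 or later; inside a web method the request object is the `this.Context.Request` his one-liner refers to. The caveats a practitioner wants: REMOTE_ADDR is the address of whatever opened the TCP connection, so behind a load balancer it is the balancer, and X-Forwarded-For is an ordinary request header the caller can write; many subscribers sit behind one NAT address and home addresses change, so an address is evidence of sharing rather than proof of identity. A client certificate binds the call much more tightly, but only if IIS is configured to accept or require client certificates on the .asmx (the server-side certificate is just the HTTPS listener) and the subscriber cannot simply export the private key and mail it to the friend. The trusted proxy list, enrolled thumbprint and distinct-address threshold are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Web;

public class OriginCheck
{
    // The address IIS saw on the connection: the subscriber's machine on a
    // direct connection, or the proxy's address when one sits in front.
    public static string CallerAddress(HttpRequest request)
    {
        return request.ServerVariables["REMOTE_ADDR"];
    }

    // Honour X-Forwarded-For only when the connection really came from one of
    // our own proxies (assumed list), and then take only the hop that proxy
    // appended; everything earlier in the list was written by the caller.
    public static string EffectiveAddress(HttpRequest request, string[] trustedProxies)
    {
        string remote = CallerAddress(request);
        if (Array.IndexOf(trustedProxies, remote) < 0) return remote;
        string xff = request.Headers["X-Forwarded-For"];
        if (string.IsNullOrEmpty(xff)) return remote;
        string[] hops = xff.Split(',');
        return hops[hops.Length - 1].Trim();
    }

    // Client certificate check. IIS must be set to accept or require client
    // certificates for the service, otherwise IsPresent is always false.
    // enrolledThumbprint is the SHA-1 hash recorded when the subscriber signed up (assumed).
    public static bool CertificateMatches(HttpRequest request, string enrolledThumbprint)
    {
        HttpClientCertificate cc = request.ClientCertificate;
        if (!cc.IsPresent || !cc.IsValid) return false;
        X509Certificate presented = new X509Certificate(cc.Certificate);
        return string.Equals(presented.GetCertHashString(), enrolledThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    // Sharing detection rather than prevention: remember the distinct addresses
    // each account has called from and flag accounts that exceed a threshold.
    // In-memory for the example; a real service keeps this in the database with a time window.
    private static readonly Dictionary<string, List<string>> Seen =
        new Dictionary<string, List<string>>();

    public static bool SharingSuspected(string username, string address, int maxDistinct)
    {
        List<string> addrs;
        lock (Seen)
        {
            if (!Seen.TryGetValue(username, out addrs))
            {
                addrs = new List<string>();
                Seen[username] = addrs;
            }
            if (!addrs.Contains(address)) addrs.Add(address);
            return addrs.Count > maxDistinct;
        }
    }
}
```

Typical use from a web method, after the credential check has passed: `string addr = OriginCheck.EffectiveAddress(Context.Request, trustedProxies);` followed by `OriginCheck.SharingSuspected(username, addr, 5)` to decide whether to flag or refuse the account, and `OriginCheck.CertificateMatches(Context.Request, enrolled)` where certificates have been issued.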
Brian Greiwe
      02-09-2004
Jan -

Thanks again for the help.

I just read your article on MSDN on throwing Soap exceptions, so I
wanted to tie that into my validation.

Right now, my validation method (AuthenticateCall) has dual levels of
try/catch (one for the exception and one for the SOAP).

Since AuthenticateCall will be called from within each web method, do
I need to remove the SOAP exception from within the AuthenticateCall
and trap it at the top level? Or keep it there and mimic it again at
the top level call? I just wanted to make sure that I can pass back
any appropriate messages for failures (first for authentication, and
secondly for any actual method/data failure).

thanks,
Brian

 
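An added example (not Brian's code, which the thread does not show) of the layering his question is about, for a .NET 2.0 or later ASMX service. The authentication helper throws the `SoapException` itself and catches nothing; the web method calls it outside its own try block, so an authentication fault reaches the caller unchanged, and the catch clauses only translate failures from the real work. The generic `catch (Exception)` is the part that matters: the framework does turn an unhandled exception into a SOAP fault, but that fault's text is the framework's and carries the exception's message and stack trace, so wrapping it yourself is what keeps connection strings and internals off the wire. The ticket list and the failure cases in `LookUp` are constructed.

```csharp
using System;
using System.Diagnostics;
using System.Web.Services;
using System.Web.Services.Protocols;

public class TicketHeader : SoapHeader
{
    public string Ticket;
}

[WebService(Namespace = "http://example.invalid/subscription/")]   // hypothetical namespace
public class LayeredFaultService : WebService
{
    public TicketHeader Auth;

    // Constructed: the tickets this instance accepts.
    private static readonly string[] ValidTickets = { "T-0001", "T-0002" };

    // The helper throws the fault itself and catches nothing: it has no way to
    // recover from a failed check, so reporting it is all it can do.
    private void AuthenticateCall()
    {
        if (Auth == null || Array.IndexOf(ValidTickets, Auth.Ticket) < 0)
        {
            throw new SoapException("Not authorised for this service.",
                                    SoapException.ClientFaultCode);
        }
    }

    [WebMethod]
    [SoapHeader("Auth")]
    public string GetData(string region)
    {
        AuthenticateCall();   // outside the try: an authentication fault goes to the caller as-is
        try
        {
            return LookUp(region);
        }
        catch (SoapException)
        {
            throw;            // already shaped for the client; never wrap it a second time
        }
        catch (ArgumentException ex)
        {
            // The caller's mistake: say what was wrong with the argument and nothing more.
            throw new SoapException(ex.Message, SoapException.ClientFaultCode);
        }
        catch (Exception ex)
        {
            Trace.WriteLine(ex.ToString());   // full detail stays on the server
            throw new SoapException("The request could not be processed.",
                                    SoapException.ServerFaultCode);
        }
    }

    // Stand-in for the real work, with one failure of each kind.
    private static string LookUp(string region)
    {
        if (string.IsNullOrEmpty(region)) throw new ArgumentException("region is required");
        if (region == "unavailable")
        {
            throw new InvalidOperationException("Cannot open database 'subs' on host db01");
        }
        return "data for " + region;
    }
}
```

With this shape a caller sees three distinct faults: a Client fault with the authentication message, a Client fault naming the bad argument, and a Server fault with a fixed message for anything else; the `InvalidOperationException` text with the database host never leaves the server.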
Brian Greiwe
      02-10-2004
Never mind - answered my own question. Thanks though!
 