Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Web Services > X509 and UserName/Pass in SOAP header?

Reply
Thread Tools

X509 and UserName/Pass in SOAP header?

 
 
cootmonster
Guest
Posts: n/a
 
      03-15-2007
planning on using a X509 cert to validate that a business client is who they
say they are. After we authenticate client, then we need a username and
password to authorize users permissions. Should we store this in the SOAP
header or just as part of the XML message structure?


 
Reply With Quote
 
 
 
 
Cowboy \(Gregory A. Beamer\)
Guest
Posts: n/a
 
      03-26-2007
I am missing something here.

You are using X.509 certs and then having login information? Are you not
issuing individual certs to each client/user? The only potential I can think
of that makes sense is distributed security (each app has same user base?).
If so, move the user base to its own service and link it to the X.509 there.
You can then call the service to identify the user. Yes, this slows things
down a bit, but SOA is about reuse more than performance (although the
latency is not generally that bad if these are all internal apps and the
maintainability shoots through the roof).

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

*********************************************
Think outside the box!
*********************************************
"cootmonster" <(E-Mail Removed)> wrote in message
news(E-Mail Removed)...
> planning on using a X509 cert to validate that a business client is who
> they
> say they are. After we authenticate client, then we need a username and
> password to authorize users permissions. Should we store this in the SOAP
> header or just as part of the XML message structure?
>
>


 
Reply With Quote
 
 
 
 
cootmonster
Guest
Posts: n/a
 
      03-28-2007
The reason for the cert and user/pass I believe is this...

We are giving the capability of a 3rd party company to interface to our web
service. They will be distributing their software to their clients. So what
I thought we would have to do is use a cert to verify that it is from the 3rd
party software vendor, then use a username/password to authorize the actual
user on our system.

Does this make sense or is it overkill?


"Cowboy (Gregory A. Beamer)" wrote:

> I am missing something here.
>
> You are using X.509 certs and then having login information? Are you not
> issuing individual certs to each client/user? The only potential I can think
> of that makes sense is distributed security (each app has same user base?).
> If so, move the user base to its own service and link it to the X.509 there.
> You can then call the service to identify the user. Yes, this slows things
> down a bit, but SOA is about reuse more than performance (although the
> latency is not generally that bad if these are all internal apps and the
> maintainability shoots through the roof).
>
> --
> Gregory A. Beamer
> MVP; MCP: +I, SE, SD, DBA
>
> *********************************************
> Think outside the box!
> *********************************************
> "cootmonster" <(E-Mail Removed)> wrote in message
> news(E-Mail Removed)...
> > planning on using a X509 cert to validate that a business client is who
> > they
> > say they are. After we authenticate client, then we need a username and
> > password to authorize users permissions. Should we store this in the SOAP
> > header or just as part of the XML message structure?
> >
> >

>
>

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Using X509 (and TLSlite) authentication Chaz Ginger Python 0 04-17-2007 01:44 PM
JavaScript and X509 Certificates .. help !! paxtra@gmail.com Javascript 0 08-17-2006 06:43 AM
Java and X509 Certificates .. help!! paxtra Java 0 08-17-2006 06:42 AM
Signing SOAP Message with X509 certificate error-The handle is inv Ele ASP .Net Web Services 0 01-19-2005 06:39 PM
Keyset does not exist at Microsoft.Web.Services.Security.X509.X509 Keyset does not exist X509Certificate ASP .Net Web Services 0 06-12-2004 01:07 AM



Advertisments