B2B authorization/authentication with IP and username/password

c676228

Hi all,

When sending data for our server to process (via request and response B2B),
one of our clients wants us to implement a combination of IP address and
username/password to guarantee that no other entity can call the API to
impersonate the client. I am wondering why this needs to be restricted since
nobody will give sales credits to somebody else.

If there are many good reasons to do so, what is the easiest/good way to
implement it?
 
Steven Cheng

Hi Betty,

From your description, you're encountering a problem with implementing a
username/password + IP authentication component for your client application
which will communicate with a B2B server, correct?

Based on my experience, there are some public standard authentication
schemas that are used in many distributed communication components such as
WCF, webservice. I'm not sure whether the authentication schema you
mentioned is one of them. Is it possible for your service side to provide
some more information about the authentication schema?

If there is anything I've omitted, please feel free to let me know.

Regards,

Steven Cheng

Microsoft MSDN Online Support Lead


Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

--------------------
 
c676228

Hi Steve,

I like the way that you always confirm the question before you answer my
questions.

First of all, my B2B application is very simple. I usually call it a
simplified B2B application. It doesn't use asp.net, it is classic asp. Second,
it doesn't use SOAP. It is just a simple request/response web application (the
request/response data are in XML format, transported via https). Third, it
doesn't interact with various platforms and it doesn't have any authentication
schema. In this case, I don't know what authentication schema I should use or
whether it is feasible or not.
Our client sends us a data file (customers' purchase data) in XML format and
our web application just processes the credit card/data and delivers the
confirmation.

WCF/Webservice might be too complicated for this small application?
Is there any other simplified authentication implementation?


--
Betty


 
Steven Cheng

Thanks for your reply Betty,

Well, so based on your further description, I think so far there is no hard
requirement on the authentication schema and your application is just a
service which will accept some input (may contain credit card and some other
data) from client consumers over http.

As you mentioned that the https protocol will be used, is it used for all the
conversation between the client and your service (those that involve sensitive
data transfer)? If so, I think using https/ssl transport layer protection
is enough and you can just define a custom XML format for the
authentication info. For example, you can let the client consumer supply
the username/password info as part of the entire http message, e.g.

===========
<Message>
....other data

<authentication>
<username>....</username>
<password>...</password>
.....
</authentication>
</Message>
=============

and you just rely on the HTTPS transport layer to help provide the message
security. Are there any other concerns on this?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

From: c676228 <[email protected]>
References: <[email protected]>
Subject: RE: B2B authorization/authentication with IP and username/password
Date: Thu, 19 Feb 2009 09:23:04 -0800
 
c676228

Steve,

Thanks.
That's the way I am thinking too. But I also want to check the IP from our
client (not visitors'/users' IPs) who makes the request (submits the data). But
I am not sure whether the code:

Request.ServerVariables("REMOTE_ADDR")

is returning client's IP address or the visitor's IP.

Assuming our client has a static IP and I want to get this IP every time a
request is made. If it is the IP we expected, then our server processes it.
Sounds like a possible solution?
 
Steven Cheng

Thanks for your reply Betty,

Well, as for the "Assuming our client has a static IP", do you mean that
there is no intermediate proxy or NAT protection? If so, I think you can
use "Request.ServerVariables("REMOTE_ADDR")" to get the client
machine's (the one running the browser) IP. Otherwise, if there is any
potential proxy server between the client and your server,
"Request.ServerVariables("REMOTE_ADDR")" is not quite reliable.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

 
c676228

Steve,

If "Request.ServerVariables("REMOTE_ADDR")" is not quite reliable,
I am not going to use it then.

If there is a proxy or NAT protection, then there is no way I can tell
what our client server's IP addresses are?

Are there any other ways?
 
Anthony Jones

To clarify, typically your client will be using a static public IP address
to access the internet; it's this IP address that is seen by your network.
Some ISPs providing access to the internet to private individuals have
resorted to proxy/NAT solutions so that multiple subscribers may be seen as
a single IP address by the rest of the world, but that is rare and highly
unlikely for corporate subscribers.

So the issue really is with your own network, if you have a reverse proxy on
your network between your web server and your public internet access then
your web server may see the internal IP address of the proxy rather than the
true address of the external client.

Hence if you do not have a reverse proxy, in all likelihood REMOTE_ADDR is
the public IP address of your client.

Note you can configure security by restricting access to specific IP
addresses on the security tab of a file or directory in IIS manager so it
may be that you needn't write code to do this.
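A server-side implementation of the scheme this thread converges on, as an added example that is not from the thread or from any of its posters: Steven's `<authentication>` block carrying username/password inside the XML message over HTTPS, combined with the REMOTE_ADDR allowlist check Betty asked about and the reverse-proxy caveat Anthony describes. It is written in Python rather than classic ASP so it can be run standalone; the partner name, password, address ranges, proxy ranges and sample message are all constructed placeholders (documentation address blocks), and `defusedxml` is only mentioned, not required.

```python
import hashlib
import hmac
import ipaddress
import os
import xml.etree.ElementTree as ET

PBKDF2_ROUNDS = 100_000


def make_record(password, salt=None):
    """Salted PBKDF2-SHA256 record so the server never stores the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed credential store: hypothetical partner name and password.
CREDENTIALS = {"acme-partner": make_record("correct horse battery staple")}

# The partner's static egress range(s); placeholder documentation addresses.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Our own reverse proxies (placeholder). X-Forwarded-For is honoured ONLY when the
# TCP peer (REMOTE_ADDR) is one of these; otherwise any caller could forge it.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_address(remote_addr, x_forwarded_for=None):
    """Address to authorise. With no reverse proxy, REMOTE_ADDR is the partner's
    public IP (Anthony's point). Behind our own proxy, walk X-Forwarded-For from
    the right and take the first hop that is not one of our proxies."""
    addr = ipaddress.ip_address(remote_addr)
    if not x_forwarded_for or not _is_trusted_proxy(addr):
        return addr
    for hop in reversed(x_forwarded_for.split(",")):
        try:
            hop_addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            return addr  # malformed header: fall back to the socket peer
        if not _is_trusted_proxy(hop_addr):
            return hop_addr
    return addr


def verify_credentials(username, password):
    """Constant-time comparison against the stored hash; an unknown username
    still performs a full PBKDF2 so timing does not reveal which users exist."""
    record = CREDENTIALS.get(username)
    salt, expected = record if record else (b"\x00" * 16, b"\x00" * 32)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return record is not None and hmac.compare_digest(candidate, expected)


def authorise(message_xml, remote_addr, x_forwarded_for=None):
    """True only if the source address is allowlisted AND the <authentication>
    block inside the message carries valid credentials."""
    addr = client_address(remote_addr, x_forwarded_for)
    if not any(addr in net for net in ALLOWED_NETWORKS):
        return False
    try:
        root = ET.fromstring(message_xml)  # prefer defusedxml for untrusted input in production
    except ET.ParseError:
        return False
    auth = root.find("authentication")
    if auth is None:
        return False
    return verify_credentials(auth.findtext("username", ""), auth.findtext("password", ""))


# Constructed request in the layout Steven sketched above.
SAMPLE_MESSAGE = """<Message>
  <order><id>12345</id></order>
  <authentication>
    <username>acme-partner</username>
    <password>correct horse battery staple</password>
  </authentication>
</Message>"""

if __name__ == "__main__":
    print(authorise(SAMPLE_MESSAGE, "203.0.113.10"))                  # True
    print(authorise(SAMPLE_MESSAGE, "198.51.100.7", "203.0.113.10"))  # False: forged header ignored
```

On IIS with classic ASP the same decisions map onto `Request.ServerVariables("REMOTE_ADDR")` and `Request.ServerVariables("HTTP_X_FORWARDED_FOR")`; the key point is that the forwarded header is trusted only when the socket peer is your own proxy, and that the address check and the credential check are both required. As Anthony notes, the address part alone can be done without code through IIS's IP restrictions on the file or directory.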
 
Steven Cheng

Thanks for your reply Betty,

I'm afraid for an http/html based web application, there are not many good
means for us to get the exact (reliable) IP of the client side. If this is very
critical for your server application (those that want to acquire some important
or sensitive data) on the client side, the common approach is to use a rich
client component (e.g. an ActiveX control). That's also what all the online
banking or ebusiness systems use.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

 
c676228

Steve,

I will keep that in mind. Thanks for your input. I will post some other
questions on asp.net soon. Keep an eye out there. :))
 
Steven Cheng

Thanks for your follow-up Betty,

Have a nice day!

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead