How to call Web Service Securely

Discussion in 'ASP .Net Security' started by va, Feb 10, 2006.

  1. va

    va Guest

    I love Web Apps in ASP.NET 2.0 because you can easily deny users access to
    pages by role or user.

    But for desktop client to webservice methods, I am not sure what to do....

    I am looking for the simplest and safest method or pattern to have my
    Desktop client be able to call a web services securely.

    Assume my webservice proxy has 15 methods. By securely, I want the Client
    desktop app to pass some kind of simple username/password token -- something
    - but not in plain text - so that access to the web call either immediately
    succeeds or fails. I don't know where to start - what is the simplest and
    easiest way to accomplish this and maintain it.
    Thanks for any simple answers.
    va, Feb 10, 2006
    #1

  2. Hi,

    you can use IIS/integrated auth with SSL or WS:Security

    Does your user have a Windows account? if yes you could simply use integrated/basic/digest
    over SSL

    If you want some kind of custom authentication scheme - you could handroll
    it using headers or have a look at UsernameTokens in WSE3 which is a standard
    implementation of passing identity information with SOAP packets.

    ping me if you need more help

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Feb 10, 2006
    #2

  3. va

    va Guest

    Dominick,

    I looked at handrolling WS* but the problem I had was I didn't like having
    to hardcode lookups on the server side - I was just hoping I could create
    some token on the desktop side and, when making the call, the service's
    method would allow or disallow.


    The design is a stand-alone exe (could be on your machine) needs to make a
    web method via dialup to my IIS Web Service.

    I can create a User Account on the IIS server but not on the user's desktop
    - the networks are unrelated. I can create my own logon screen locally of
    course to get the userid and password I'll need to somehow receive on the
    other side.

    Is there a way I can create a token from that userid/password and use
    integrated security without having to have the standard Windows login screen
    pop up on each method call?

    va, Feb 10, 2006
    #3
  4. Hi,

    ok - as i said - you have two options:

    --- #1 you create Windows users for your client on the IIS machine

    you could provide a logon screen in the client app and create a NetworkCredential
    from that - then use SSL and basic auth to access the web service


    --- #2 you don't want the user accounts in Windows but rather some database

    you could handroll some headers or use WSE (e.g. if you can't use SSL) -
    you would have to provide your own authorization architecture then -

    WSE3 is the first version which supports an <authorization> element for security
    tokens - but that is tied to .NET 2.0


    so i guess the easiest option might be #1

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Feb 10, 2006
    #4
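    Option #2 from the post above in code, as an added example that is neither Dominick's nor va's: a hand-rolled SOAP header on an ASMX service, checked against the ASP.NET 2.0 Membership database instead of a hardcoded lookup. The names AuthHeader, SecureService, GetData, the namespace and service URL and the user/pass variables are assumptions; it also assumes a membership provider is configured in web.config and that the service is reachable over HTTPS only, because the header carries the password in the clear inside the envelope.

    ```csharp
    using System;
    using System.Web.Security;
    using System.Web.Services;
    using System.Web.Services.Protocols;

    // The token the desktop client attaches to every call (assumed name).
    public class AuthHeader : SoapHeader
    {
        public string Username;
        public string Password;
    }

    [WebService(Namespace = "http://example.invalid/secureservice")]  // assumed namespace
    public class SecureService : WebService
    {
        // Filled in by the SOAP stack from the incoming <AuthHeader> element.
        public AuthHeader Auth;

        // Repeat the attribute on every web method that must be protected;
        // Required = true makes the stack fault when the header is missing.
        [WebMethod]
        [SoapHeader("Auth", Direction = SoapHeaderDirection.In, Required = true)]
        public string GetData(int id)
        {
            CheckCredentials();
            return "data for " + id;
        }

        // Membership.ValidateUser does the database lookup (a salted-hash compare
        // with SqlMembershipProvider), so no credentials live in server code.
        private void CheckCredentials()
        {
            if (Auth == null || !Membership.ValidateUser(Auth.Username, Auth.Password))
            {
                // A client fault tells the caller only that access was denied.
                throw new SoapException("Access denied.", SoapException.ClientFaultCode);
            }
        }
    }

    // --- client project (separate assembly) ---
    // Uses the proxy wsdl.exe generates from the service WSDL; the generated
    // proxy reuses the service name and exposes an AuthHeaderValue property.
    class Client
    {
        static void Main()
        {
            string user = "...", pass = "...";  // collected by the app's own logon dialog
            SecureService proxy = new SecureService();
            proxy.Url = "https://example.invalid/SecureService.asmx";  // assumed URL; HTTPS only
            AuthHeader token = new AuthHeader();
            token.Username = user;
            token.Password = pass;
            proxy.AuthHeaderValue = token;
            Console.WriteLine(proxy.GetData(42));
        }
    }
    ```

    Without SSL the header is readable by anyone on the path, which is the case where Dominick points to WSE3 UsernameTokens instead.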
  5. va

    va Guest

    Thanks. Maybe I am complicating WSE too much - can you point me to a simple
    example of WSE used with a WebMethod?

    va, Feb 10, 2006
    #5
  6. which .net version - which type of authentication (username/password against
    a db??)

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Feb 10, 2006
    #6
  7. va

    va Guest

    Thanks
    va, Feb 10, 2006
    #7
  8. hulinning

    hulinning Guest

    Hi Dominick

    What if my client application is a WinCE device, and my webservice is using
    Integrated Windows Authentication mode, then what do I need to pass to my
    webservice in order to authenticate?

    Can I get user account from WinCE device without asking user to provide
    login/password to send to webservice?


    "Dominick Baier [DevelopMentor]" wrote:

    > generally:
    > http://msdn.microsoft.com/webservices/webservices/building/wse/
    >
    > security lab:
    > http://www.microsoft.com/downloads/...8e-97e2-43e2-b484-a74a014a8206&displaylang=en
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    > > .NET 2.0. WSE to Database example would be fine.
    > >

    hulinning, Feb 19, 2006
    #8
  9. Hi,

    prolly not...

    but i am not a WinCE expert (in fact i never touched such a device) -sorry.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Feb 19, 2006
    #9