SSL for very simple security need in web service app

Discussion in 'ASP .Net Web Services' started by news.microsoft.com, Oct 18, 2005.

  1. I'm looking for a nudge in the right direction.

    We have an order processing system that currently has a simple ASP.NET web
    interface. Various clients who want to place orders already have a userID
    and password specified within our application (i.e., not Windows
    authentication) that they must supply in order to logon to their 'account'
    and submit orders for themselves. They communicate from a browser over the
    public internet. The browsers/server utilize SSL for encrypting the web
    traffic.

    We'd now like to implement this functionality as a web service to interact
    with some desktop applications that can generate orders. We'd like to have
    the remote app simply transfer the data, presumably in an XML format that we
    already have defined, over the public internet, providing their userID and
    password.

    My question is: if we just add the userID and password in the XML
    schema/data, is the SSL layer sufficient to ensure that anyone who might
    intercept the traffic en route would not be able to determine the UserID and
    password? Once we have the XML data in our app, it would be a trivial matter
    to determine if the data is coming from a source that had a legitimate,
    active UserID and a valid password. And that's pretty much all we'd need.

    I read about WSE, WS-Security, etc. and it all seems like so much overkill
    for my needs -- but I can't locate a single, simple scenario that looks like
    what I have in mind here.

    Any direction would be greatly appreciated!

    Rob Schripsema
    DeWaard and Jones Company
    Bellingham, WA
    news.microsoft.com, Oct 18, 2005
    #1

  2. My apologies....

    That last note went out with a user name of "news.microsoft.com". Apparently
    my news reader was misconfigured. It was really from me.

    Rob Schripsema
    DeWaard and Jones

    news.microsoft.com, Oct 18, 2005
    #2

  3. If you have a simple scenario, and just end-to-end communication (you do not
    have several end-points or middle end-points, and I mean Web-Services Servers
    end-points), then, SSL might be enough for you.
    About WSE 3.0 and WCF in the future (Windows Communication Foundation, code
    name as Indigo), when talking about security, it offers security at message
    level instead of security at transport protocol level (like SSL). It is
    better for complex scenarios, middle points WebServices where you don't want
    to trust at transport level, so, you can encrypt and sign at message level.
    With these new technologies you also have new standards for complex
    communications like WS-SecureConversation, etc.

    So, if you have a very simple scenario, SSL might be OK. And of course, it
    is secure enough (if you want more security with SSL, use a 128bit Server
    Certificate, do not use a 64bit Server Cert.).
    --
    CESAR DE LA TORRE
    Software Architect
    [Microsoft MVP - XML Web Services]
    [MCSE] [MCT]

    Renacimiento
    [Microsoft GOLD Certified Partner]


    CESAR DE LA TORRE [MVP], Oct 18, 2005
    #3
  4. Cesar,

    Thanks for the info. There is only a single end point here, a web service
    app that simply takes order info, validates it and applies it to a database.
    The clients are a variety of apps that will want to send a simple XML
    formatted data stream as a single chunk over https: to the web service
    address, and then process a simple reply. This is a small business taking
    orders from other small businesses.

    I would think this is a common need in the industry -- not at the enterprise
    level, perhaps, but for the millions of small businesses out there that I
    deal with, this is a common scenario. All of the talk about WSE, WCF and so
    on tends to cloud the basic issues for the simple scenarios.

    Thanks again for your help.

    Rob Schripsema
    DeWaard and Jones Company


    Rob Schripsema, Oct 18, 2005
    #4
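
The server-side check discussed in this thread, sketched as an added example (not code from any of the posters): the service refuses credentials that did not arrive over SSL, parses the order XML with DTDs disabled, and compares the password against a salted hash. The names `OrderAuth`, `UserID`, `Password`, the in-memory account table and the hashing scheme are assumptions for illustration; it needs .NET Framework 4.7.2 or later.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Xml;
using System.Xml.Linq;

static class OrderAuth   // hypothetical helper, not part of ASP.NET
{
    // Salted PBKDF2 hash; the server stores salt + hash, never the password itself.
    public static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }
    // Compare every byte so the time taken does not depend on where the hashes differ.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    // isSecure: the web service passes HttpRequest.IsSecureConnection here.
    // accounts: userID -> (salt, hash); stands in for the application's user table.
    public static bool Authenticate(Stream body, bool isSecure,
        IDictionary<string, Tuple<byte[], byte[]>> accounts)
    {
        if (!isSecure) return false;   // credentials arrived over plain HTTP: refuse
        // DTDs prohibited so the order XML cannot pull in external entities.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        XDocument doc;
        try { using (var r = XmlReader.Create(body, settings)) doc = XDocument.Load(r); }
        catch (XmlException) { return false; }
        string user = (string)doc.Root.Element("UserID");     // assumed element names
        string pass = (string)doc.Root.Element("Password");
        Tuple<byte[], byte[]> acct;
        if (user == null || pass == null || !accounts.TryGetValue(user, out acct)) return false;
        return FixedTimeEquals(Hash(pass, acct.Item1), acct.Item2);
    }
    static void Main()
    {
        byte[] salt = Encoding.ASCII.GetBytes("constructed-salt");   // constructed sample data
        var accounts = new Dictionary<string, Tuple<byte[], byte[]>> {
            { "client42", Tuple.Create(salt, Hash("s3cret-example", salt)) } };
        string xml = "<Order><UserID>client42</UserID><Password>s3cret-example</Password><Item>widget</Item></Order>";
        Func<Stream> req = () => new MemoryStream(Encoding.UTF8.GetBytes(xml));
        Console.WriteLine(Authenticate(req(), true, accounts));    // request received over HTTPS
        Console.WriteLine(Authenticate(req(), false, accounts));   // same request over plain HTTP
    }
}
```

SSL only protects the credentials in transit if the desktop client also validates the server certificate, so the client side should leave the default certificate validation in place.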