Web Service Identity

Marshall

Hi All,

I have a web service [1] that runs under its own IIS Application Pool with
the identity of a specific domain account. The web service [1] is set up for
Windows authentication only.

Within my web method I require the caller to be a member of a specific
domain group using the PrincipalPermission attribute. It appears that my web
service [1] is assuming the identity of the caller. The behavior that I
want is for the web method to verify the identity of the caller while
keeping the identity of the application pool.

From within my web method I make a call to another web service [2] which
employs the same security methods except requiring the caller to be a member
of a different domain group. The application pool for my web service [1] is
a member of the group required by web service [2].

What do I need to do to get this to work the way I want?

Thank you for all of your help,

Marshall

Here is the code for my web method for web service [1].
using System;
using System.Security.Permissions;
using System.Web.Services;

[WebMethod]
[PrincipalPermission(SecurityAction.Demand, Role = @"OPEN\RoleMapWS_Readers")]
public Open.Foundation.RoleMap.User AuthenticateUser(int domainId, string userName, string password)
{
    Open.Foundation.RoleMap.User user = null;

    try
    {
        // Call another web service here
    }
    catch (Exception)
    {
        // Rethrow unchanged so the original stack trace reaches the SOAP fault.
        throw;
    }
    finally
    {
        user = null;
    }

    // The method must return a value to compile; as written, user is always null here.
    return user;
}
 
Steven Cheng[MSFT]

Hi Marshall,

Welcome to the ASP.NET newsgroup.
From your description, you're using integrated Windows authentication in
IIS for webservice A so as to get the clientside user's Windows credential
in the ASP.NET webservice. And you'll do some role checking in webmethods.
Also, since webservice A needs to call another remote webservice B which
requires a certain domain account/role, you configured the application
pool identity for webservice A under a certain domain account. However, you
found the PrincipalPermission attribute in webservice A's method doesn't
validate the clientside user, but the application pool's identity, yes?

As for this problem, it is because .NET's security PrincipalPermission
check is based on the currently running process/thread's security context.
So for ASP.NET, if we're not using impersonation, the PrincipalPermission's
assert will be made on the default process account (application pool's
identity) rather than the clientside user's identity. The clientside user's
identity is held in the HttpContext.Current.User.Identity property.

So for your scenario, I think we have the following two options:

1. Still use the PrincipalPermission to do the role checking; however, we
need to programmatically call impersonate to impersonate the client user
before entering the method where we do the checking and revert back to the
process identity after the method call.

#How to implement impersonation in an ASP.NET application
http://support.microsoft.com/default.aspx?scid=kb;en-us;306158

2. Still not use impersonation; however, we need to manually call

HttpContext.Current.User.IsInRole(...)

to check the client user's roles instead of using PrincipalPermission.

If you have anything unclear, please feel free to post here. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)







--------------------
| From: "Marshall" <[email protected]>
| Subject: Web Service Identity
| Date: Tue, 13 Sep 2005 16:02:49 -0400
| Lines: 50
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
| Message-ID: <[email protected]>
| Newsgroups: microsoft.public.dotnet.framework.aspnet.webservices
| NNTP-Posting-Host: 66-195-172-195.gen.twtelecom.net 66.195.172.195
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.dotnet.framework.aspnet.webservices:7786
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.webservices
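Option 2 from the reply, worked through as an added example (this is not code from the thread or from Marshall's project): the web method checks the authenticated caller's group membership explicitly through HttpContext.Current.User, while the thread keeps running as the application pool account, so the outbound call to web service [2] carries the pool identity via CredentialCache.DefaultCredentials. The class names RoleMapService and ServiceBProxy, the method GetRoleMap, the binding namespace and the URL are assumptions standing in for whatever wsdl.exe generated in the real project.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;

// Stand-in for the wsdl.exe-generated proxy to web service [2] (assumed names).
[WebServiceBinding(Name = "ServiceBSoap", Namespace = "http://example.invalid/serviceB")]
public class ServiceBProxy : SoapHttpClientProtocol
{
    public ServiceBProxy()
    {
        // Placeholder endpoint; the real value comes from the project's configuration.
        Url = "http://serviceb.example.invalid/RoleMap.asmx";
    }

    [SoapDocumentMethod("http://example.invalid/serviceB/GetRoleMap")]
    public string GetRoleMap()
    {
        object[] results = Invoke("GetRoleMap", new object[0]);
        return (string)results[0];
    }
}

// Web service [1]: Windows authentication in IIS, <identity impersonate="false"/>.
public class RoleMapService : WebService
{
    // Explicit role check against the IIS-authenticated caller (option 2 in the
    // reply). This does not depend on Thread.CurrentPrincipal or on the thread token,
    // so it gives the same answer whether or not the pool account is in the group.
    private static void RequireCallerRole(string role)
    {
        IPrincipal caller = HttpContext.Current.User;
        if (caller == null || !caller.Identity.IsAuthenticated)
        {
            throw new SoapException("Caller is not authenticated.",
                                    SoapException.ClientFaultCode);
        }
        if (!caller.IsInRole(role))
        {
            // Fail closed and do not echo the required group back to the client.
            throw new SoapException("Caller is not authorized for this operation.",
                                    SoapException.ClientFaultCode);
        }
    }

    [WebMethod]
    public string GetRoleMapForCaller()
    {
        RequireCallerRole(@"OPEN\RoleMapWS_Readers");

        // DefaultCredentials is the security context of the current thread. With
        // impersonation off that is the application pool account, which is the
        // identity web service [2] must authorize; the caller's credentials are
        // never forwarded.
        ServiceBProxy proxy = new ServiceBProxy();
        proxy.Credentials = CredentialCache.DefaultCredentials;
        proxy.PreAuthenticate = true; // send the Windows auth handshake up front
        return proxy.GetRoleMap();
    }
}
```

The check deliberately tests IsAuthenticated before IsInRole: with anonymous access enabled in IIS, HttpContext.Current.User is an unauthenticated principal whose IsInRole always returns false, and the explicit authentication failure makes that misconfiguration visible instead of looking like a missing group membership.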
 
Marshall

Thanks for your help, Steve.

Your description of the problem is not totally true.

Here is your updated description:
From your description, you're using integrated Windows authentication in IIS
for webservice A so as to get the clientside user's Windows credential in
the ASP.NET webservice. And you'll do some role checking in webmethods. Also,
since webservice A needs to call another remote webservice B which
requires a certain domain account/role, you configured the application
pool identity for webservice A under a certain domain account. -- Correct.

However, I found that when I pass credentials to webservice A, it assumes
the identity of the credentials I passed in. So when webservice A makes a
call to webservice B, webservice B receives the credentials I passed into
webservice A.

What I want to happen is:
I pass credentials into webservice A and the credentials are verified. When
webservice A makes the call to webservice B, webservice B should
automatically receive, as its credentials, the identity of webservice A's
application pool.

The client passes its credentials to webservice A via:
roleMapWS.Credentials = new NetworkCredential(userName, password, domain);


Thank you for the links. I will look into them.

Thanks again,

Marshall

 
Steven Cheng[MSFT]

Hi Marshall,

Thanks for your response. So you mean webservice A has passed its
client's credential to webservice B? Seems a bit strange; have you
turned on impersonation in the web.config of webservice A? Based on my
experience, when calling a webservice through the clientside proxy, we need to
use the proxy.Credentials to pass our user credential. And in webservice A,
we can use System.Net.CredentialCache.DefaultCredentials like:

DocService.DocService ds = new DemoWebApp.DocService.DocService();
ds.Credentials = System.Net.CredentialCache.DefaultCredentials;

and this will use the ASP.NET process identity by default (if impersonation
is not being used).

So please have a check in webservice A to see whether it has used
impersonation. Also, in webservice B, you can use some code to print out the
current clientside credential and thread principal as below:

string str = null;

str = string.Format("<br/>context user: {0}, <br/>thread user: {1}",
HttpContext.Current.User.Identity.Name,
System.Threading.Thread.CurrentPrincipal.Identity.Name);

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

--------------------
| From: "Marshall" <[email protected]>
| References: <[email protected]>
<[email protected]>
| Subject: Re: Web Service Identity
| Date: Wed, 14 Sep 2005 08:40:32 -0400
| Lines: 168
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
| Message-ID: <[email protected]>
| Newsgroups: microsoft.public.dotnet.framework.aspnet.webservices
| NNTP-Posting-Host: 66-195-172-195.gen.twtelecom.net 66.195.172.195
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.dotnet.framework.aspnet.webservices:7794
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.webservices
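The diagnostic in the reply compares two identities; as an added example (not code from the thread), the web method below reports the three identities an ASP.NET request thread keeps apart, plus whether the thread token is currently impersonating, which is exactly the question the reply asks about webservice A's configuration. The names DiagnosticService, IdentityReport and WhoAmI are assumptions; the method is meant to be dropped into web service [2] while troubleshooting and removed afterwards.

```csharp
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Services;

// Serializable result of the diagnostic (assumed type name).
public class IdentityReport
{
    public string ContextUser;      // HttpContext.Current.User: who IIS/ASP.NET authenticated
    public string ThreadPrincipal;  // Thread.CurrentPrincipal: what PrincipalPermission demands check
    public string WindowsToken;     // WindowsIdentity.GetCurrent(): the token the code executes with
    public bool Impersonating;      // true when the thread token is not the process (pool) token
    public bool CallerIsProcess;    // true when the caller that arrived equals the executing token
}

public class DiagnosticService : WebService
{
    // Pure function over the three sources so it can be exercised outside IIS.
    public static IdentityReport Collect(IPrincipal contextUser,
                                         IPrincipal threadPrincipal,
                                         WindowsIdentity token,
                                         bool impersonating)
    {
        IdentityReport r = new IdentityReport();
        r.ContextUser = (contextUser == null) ? "" : contextUser.Identity.Name;
        r.ThreadPrincipal = (threadPrincipal == null) ? "" : threadPrincipal.Identity.Name;
        r.WindowsToken = (token == null) ? "" : token.Name;
        r.Impersonating = impersonating;
        r.CallerIsProcess = r.ContextUser.Length > 0 &&
                            string.Compare(r.ContextUser, r.WindowsToken, true) == 0;
        return r;
    }

    [WebMethod]
    public IdentityReport WhoAmI()
    {
        // GetCurrent(true) returns null unless the thread is impersonating, which is
        // the direct test for <identity impersonate="true"/> or a programmatic
        // WindowsIdentity.Impersonate() that was never undone.
        bool impersonating = WindowsIdentity.GetCurrent(true) != null;
        return Collect(HttpContext.Current.User,
                       Thread.CurrentPrincipal,
                       WindowsIdentity.GetCurrent(),
                       impersonating);
    }
}
```

Reading the result from web service [2]: when web service [1] calls with CredentialCache.DefaultCredentials and impersonation off, ContextUser is the pool account of service [1] and Impersonating is false; if ContextUser is instead the end user's account, service [1] is forwarding the caller's credentials. An empty ContextUser means service [2] itself is not authenticating the request, which is what `<authentication mode="None"/>` in its web.config produces; `<authentication mode="Windows"/>` together with Windows authentication enabled in IIS is required for the group check in [2] to see a real account.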
 
Marshall

Thank you very much Steve!

I really appreciate all of your help. I got it working. One thing I messed
up on within the web.config of webservice B is I had authentication set to
'none'. When I added your code to set the credentials and changed the
authentication to 'windows', everything worked just the way I wanted it to.

Thanks again,

Marshall

 
Steven Cheng[MSFT]

You're welcome Marshall,

Have a good weekend!

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
| From: "Marshall" <[email protected]>
| References: <[email protected]>
<[email protected]>
<[email protected]>
<[email protected]>
| Subject: Re: Web Service Identity
| Date: Thu, 15 Sep 2005 09:06:22 -0400
| Lines: 270
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
| Message-ID: <[email protected]>
| Newsgroups: microsoft.public.dotnet.framework.aspnet.webservices
| NNTP-Posting-Host: 66-195-172-195.gen.twtelecom.net 66.195.172.195
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.dotnet.framework.aspnet.webservices:7800
| X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.webservices
|
| Thank you very much Steve!
|
| I really appreciate all of your help. I got it working. One thing I
messed
| up on within the web.config of webservice B is I had authentication set
to
| 'none'. When I added your code to set the credentials and changed the
| authentication to ' windows', everthing worked just the way I wanted it
to.
|
| Thanks again,
|
| Marshall
|
| | > Hi Marshall,
| >
| > Thanks for your response. So you means the webserviceA has passed its
| > client's credential to the webserviceB? Seems a bit strange, have you
| > turned on impersonate in web.config of webservice A? Based on my
| > experience, when calling webservice through clientside proxy, we need to
| > use the proxy.Credentials to pass our user credential. And in
webserviceA,
| > we can use the System.Net.CredentialsCache.DefaultCredentials like:
| >
| > DocService.DocService ds = new DemoWebApp.DocService.DocService();
| > ds.Credentials = System.Net.CredentialCache.DefaultCredentials;
| >
| > and this will use the asp.net process identity by default (if
impersonate
| > is not being used).
| >
| > So please have a check in the webservice A to see whether it has used
| > impersonate. Also, in webserviceB, you can use some code to printout the
| > currently client side credential and thread principle as below:
| >
| > string str = null;
| >
| > str = string.Format("<br/>context user: {0}, <br/>thread user: {1}",
| > HttpContext.Current.User.Identity.Name,
| > System.Threading.Thread.CurrentPrincipal.Identity.Name);
| >
| > Thanks,
| >
| > Steven Cheng
| > Microsoft Online Support
| >
| > Get Secure! www.microsoft.com/security
| > (This posting is provided "AS IS", with no warranties, and confers no
| > rights.)
| >
| > --------------------
| > | From: "Marshall" <[email protected]>
| > | References: <[email protected]>
| > <[email protected]>
| > | Subject: Re: Web Service Identity
| > | Date: Wed, 14 Sep 2005 08:40:32 -0400
| > | Lines: 168
| > | X-Priority: 3
| > | X-MSMail-Priority: Normal
| > | X-Newsreader: Microsoft Outlook Express 6.00.3790.1830
| > | X-RFC2646: Format=Flowed; Original
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
| > | Message-ID: <[email protected]>
| > | Newsgroups: microsoft.public.dotnet.framework.aspnet.webservices
| > | NNTP-Posting-Host: 66-195-172-195.gen.twtelecom.net 66.195.172.195
| > | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl
| > | Xref: TK2MSFTNGXA01.phx.gbl
| > microsoft.public.dotnet.framework.aspnet.webservices:7794
| > | X-Tomcat-NG: microsoft.public.dotnet.framework.aspnet.webservices
| > |
| > | Thanks for your help, Steve.
| > |
| > | Your description of the problem is not totally true.
| > |
| > | Here is your updated description:
| > | From your description, you're using integrated windows authentication in
| > | IIS for webservice A so as to get the clientside user's windows credential
| > | in asp.net webservice. And you'll do some Role checking in webmethods. Also,
| > | since the webservice A needs to call another remote webservice B which
| > | requires a certain domain account/role, so you configured the application
| > | pool identity for webservice A under a certain domain account. -- Correct.
| > |
| > | However, I found that when I pass credentials to webservice A, it assumes
| > | the identity of the credentials I passed in. So when webservice A makes a
| > | call to webservice B, webservice B receives the credentials I passed into
| > | webservice A.
| > |
| > | What I want to happen is:
| > | I pass credentials into webservice A and the credentials are verified. When
| > | webservice A makes the call to webservice B, webservice B should
| > | automatically receive, as its credentials, the identity of webservice A's
| > | application pool.
| > |
| > | The client passes its credentials to webservice A via:
| > | roleMapWS.Credentials = new NetworkCredential(userName, password, domain);
| > |
| > | Thank you for the links. I will look into them.
| > |
| > | Thanks again,
| > |
| > | Marshall
| > |
| > | > Hi Marshall,
| > | >
| > | > Welcome to ASPNET newsgroup.
| > | > From your description, you're using integrated windows authentication in
| > | > IIS for webservice A so as to get the clientside user's windows credential
| > | > in asp.net webservice. And you'll do some Role checking in webmethods.
| > | > Also, since the webservice A needs to call another remote webservice B
| > | > which requires a certain domain account/role, so you configured the
| > | > application pool identity for webservice A under a certain domain account.
| > | > However, you found the PrincipalPermission attribute in webservice A's
| > | > method doesn't validate the clientside user, but the application pool's
| > | > identity, yes?
| > | >
| > | > As for this problem, it is because the .NET Security PrincipalPermission
| > | > check is based on the currently running process/thread's security context.
| > | > So for asp.net, if we're not using impersonate, the PrincipalPermission's
| > | > assert will be made on the default process account (application pool's
| > | > identity) rather than the clientside user's identity. The clientside
| > | > user's identity is held in the HttpContext.Current.User.Identity property.
| > | >
| > | > So for your scenario, I think we have the following two options:
| > | >
| > | > 1. Still use the PrincipalPermission to do the role checking, however, we
| > | > need to programmatically call impersonate to impersonate the client user
| > | > before entering the method where we do the checking and revert back to
| > | > process identity after the method call.
| > | >
| > | > #How to implement impersonation in an ASP.NET application
| > | > http://support.microsoft.com/default.aspx?scid=kb;en-us;306158
| > | >
| > | > 2. Still not use impersonate, however, we need to manually call
| > | >
| > | > HttpContext.Current.User.IsInRole(...)
| > | >
| > | > to check the client user's roles instead of using PrincipalPermission.
| > | >
| > | > If you have anything unclear, please feel free to post here. Thanks,
| > | >
| > | > Steven Cheng
| > | > Microsoft Online Support
| > | >
| > | > Get Secure! www.microsoft.com/security
| > | > (This posting is provided "AS IS", with no warranties, and confers no
| > | > rights.)
| > | >
| > | > --------------------
| > | > | From: "Marshall" <[email protected]>
| > | > | Subject: Web Service Identity
| > | > | Date: Tue, 13 Sep 2005 16:02:49 -0400
| > | > |
| > | > | Hi All,
| > | > |
| > | > | I have a web service [1] that runs under its own IIS Application Pool
| > | > | with the identity of a specific domain account. The web service [1] is
| > | > | setup for windows authentication only.
| > | > |
| > | > | Within my web method I require the caller to be a member of a specific
| > | > | domain group using the PrincipalPermission attribute. It appears that my
| > | > | web service [1] is assuming the identity of the caller. The behavior
| > | > | that I want is for the web method to verify the identity of the caller
| > | > | while keeping the identity of the application pool.
| > | > |
| > | > | From within my web method I make a call to another web service [2] which
| > | > | employs the same security methods except requiring the caller to be a
| > | > | member of a different domain group. The application pool for my web
| > | > | service [1] is a member of the group required by web service [2].
| > | > |
| > | > | What do I need to do to get this to work the way I want?
| > | > |
| > | > | Thank you for all of your help,
| > | > |
| > | > | Marshall
| > | > |
| > | > | Here is the code for my web method for web service [1].
| > | > | [WebMethod]
| > | > | [PrincipalPermission(SecurityAction.Demand,
| > | > | Role=@"OPEN\RoleMapWS_Readers")]
| > | > | public Open.Foundation.RoleMap.User AuthenticateUser(int domainId,
| > | > | string userName, string password)
| > | > | {
| > | > |     Open.Foundation.RoleMap.User user = null;
| > | > |
| > | > |     try
| > | > |     {
| > | > |         // Call another web service here
| > | > |     }
| > | > |     catch (Exception)
| > | > |     {
| > | > |         throw;
| > | > |     }
| > | > |     finally
| > | > |     {
| > | > |         user = null;
| > | > |     }
| > | > |     return user;
| > | > | }
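Option 2 from the quoted reply (an explicit HttpContext.Current.User.IsInRole check) combined with the outbound-call half of Marshall's requirement, as an added example that is not code from the thread. The service class RoleMapServiceA, the stand-in proxy RoleMapServiceB with its GetRoles method, its URL and SOAP namespace, and the web.config fragment are assumptions; the group OPEN\RoleMapWS_Readers is the one from the thread. The role check is made against HttpContext.Current.User, which ASP.NET fills with the caller that IIS authenticated, and the inner proxy is given CredentialCache.DefaultCredentials so that it authenticates to service B with the worker thread's own Windows token, which is the application pool account as long as impersonation is off.

```csharp
using System;
using System.Net;
using System.Security;
using System.Security.Principal;
using System.Web;
using System.Web.Services;
using System.Web.Services.Description;
using System.Web.Services.Protocols;

// Assumed web.config for service A (not from the thread):
//   <authentication mode="Windows" />
//   <identity impersonate="false" />
// Windows authentication fills HttpContext.Current.User with the caller;
// impersonate="false" leaves the worker thread running as the pool account.

// Stand-in for the wsdl.exe generated proxy of web service B (assumption:
// B exposes a GetRoles method; the URL and namespace are placeholders).
public class RoleMapServiceB : SoapHttpClientProtocol
{
    public RoleMapServiceB()
    {
        this.Url = "http://serviceB.example.invalid/RoleMap.asmx"; // placeholder
    }

    [SoapDocumentMethod("http://tempuri.org/GetRoles",
        RequestNamespace = "http://tempuri.org/",
        ResponseNamespace = "http://tempuri.org/",
        Use = SoapBindingUse.Literal,
        ParameterStyle = SoapParameterStyle.Wrapped)]
    public string[] GetRoles(int domainId, string userName)
    {
        object[] results = this.Invoke("GetRoles", new object[] { domainId, userName });
        return (string[])results[0];
    }
}

[WebService(Namespace = "http://tempuri.org/")]
public class RoleMapServiceA : WebService
{
    // Group required of callers of service A, from the thread.
    private const string ReadersGroup = @"OPEN\RoleMapWS_Readers";

    [WebMethod]
    public string[] AuthenticateUser(int domainId, string userName, string password)
    {
        // Option 2: check the caller explicitly. HttpContext.Current.User is the
        // principal IIS/ASP.NET authenticated for this request, independent of
        // which Windows token the worker thread currently carries.
        IPrincipal caller = HttpContext.Current.User;
        if (caller == null || !caller.Identity.IsAuthenticated)
        {
            throw new SecurityException("Caller is not authenticated.");
        }
        if (!caller.IsInRole(ReadersGroup))
        {
            // Reject before any outbound call is made; naming the caller in the
            // fault keeps the rejection attributable.
            throw new SecurityException(
                "Caller " + caller.Identity.Name + " is not a member of " + ReadersGroup);
        }

        // Outbound call to service B under the pool identity. DefaultCredentials
        // authenticates with the thread's current Windows token, which with
        // impersonate="false" is the application pool account. Handing the proxy a
        // NetworkCredential built from userName/password would instead present
        // the caller to service B, which is the behaviour the thread wants to avoid.
        RoleMapServiceB proxy = new RoleMapServiceB();
        proxy.Credentials = CredentialCache.DefaultCredentials;
        return proxy.GetRoles(domainId, userName);
    }
}
```

Two points about the design choice. First, the check and the outbound call use different identities on purpose: HttpContext.Current.User answers "who called me", while DefaultCredentials answers "who am I running as", and only the second is sent to service B. Second, turning ASP.NET impersonation on would change the answer to the second question, because the worker thread would then carry the caller's token for the duration of the request, so the pool identity on the call to B depends on impersonation staying off (or, as in option 1 of the reply, being reverted before the call is made).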
 
