web service restrict clients, custom authentication

Discussion in 'ASP .Net Web Services' started by fred00@gmail.com, Dec 30, 2005.

  1. Guest

    I want to restrict access to my web service to only approved client
    applications.

    This has to be done from inside the web service, so Windows
    Authentication is not an option.

    I would like to allow the possibility of non-Windows clients, so I am
    not sure if any of WS Security is an option. I am pretty sure I will
    have to implement a custom authentication.

    My first thought was to have the client possess a public key which will
    be used to encrypt some data and send it to the web service. If the web
    service can decrypt it with its private key, the client can be assumed
    to be authenticated+authorized (also depending on the content of the
    encrypted data).

    The drawback to this is each client will need to have the public key
    compiled in, and kept secret. I know this is bad form, but in any
    scenario, won't the client be required to have some form of
    authentication compiled into it?

    Unless there is some complicated algorithm that could generate a unique
    string that the web service could verify that the string was generated
    by the algorithm?

    There has to be some secure method of doing this, but all the .NET docs
    really focus on Windows authentication. Does anyone have any input?
    , Dec 30, 2005
    #1

  2. Maybe you could use client certificates and define different policies in the
    web service.

    "" wrote:

    > I want to restrict access to my web service to only approved client
    > applications.
    >
    > This has to be done from inside the web service, so Windows
    > Authentication is not an option.
    >
    > I would like to allow the possibility of non-Windows clients, so I am
    > not sure if any of WS Security is an option. I am pretty sure I will
    > have to implement a custom authentication.
    >
    > My first thought was to have the client possess a public key which will
    > be used to encrypt some data and send it to the web service. If the web
    > service can decrypt it with its private key, the client can be assumed
    > to be authenticated+authorized (also depending on the content of the
    > encrypted data).
    >
    > The drawback to this is each client will need to have the public key
    > compiled in, and kept secret. I know this is bad form, but in any
    > scenario, won't the client be required to have some form of
    > authentication compiled into it?
    >
    > Unless there is some complicated algorithm that could generate a unique
    > string that the web service could verify that the string was generated
    > by the algorithm?
    >
    > There has to be some secure method of doing this, but all the .NET docs
    > really focus on Windows authentication. Does anyone have any input?
    >
    >
    Rodrigo García, Jan 4, 2006
    #2

  3. The method you described is (at least) vulnerable to "replay
    attacks". I'm in the same boat, pal. Please let me know if you find
    anything special on the subject.

    Cheers,
    Mehdi
    mehdi_mousavi, Jan 5, 2006
    #3
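
Post #3 notes that the scheme in the first post is open to replay. As an added example (not code from any poster in this thread), here is one common way a service can reject replayed requests: each approved client holds its own secret and sends an HMAC over client id, timestamp, nonce and body. The class and parameter names, the five-minute window and the sample key are assumptions, and .NET 6 or later is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class RequestVerifier   // hypothetical name, illustration only
{
    private static readonly TimeSpan MaxSkew = TimeSpan.FromMinutes(5);   // assumed window
    private readonly Dictionary<string, byte[]> _keys;                    // clientId -> per-client secret
    private readonly Dictionary<string, DateTimeOffset> _seen = new Dictionary<string, DateTimeOffset>();

    public RequestVerifier(Dictionary<string, byte[]> keys) { _keys = keys; }

    // Client and server both compute this. Body goes last so it may contain newlines.
    public static string Sign(byte[] key, string clientId, long unixTime, string nonce, string body)
    {
        using var hmac = new HMACSHA256(key);
        byte[] msg = Encoding.UTF8.GetBytes($"{clientId}\n{unixTime}\n{nonce}\n{body}");
        return Convert.ToBase64String(hmac.ComputeHash(msg));
    }

    public bool Verify(string clientId, long unixTime, string nonce, string body, string mac, DateTimeOffset now)
    {
        if (clientId == null || !_keys.TryGetValue(clientId, out var key)) return false;  // not an approved client
        // A newline in the nonce would let fields shift into the body under the same MAC.
        if (string.IsNullOrEmpty(nonce) || nonce.Length > 64 || nonce.Contains('\n')) return false;
        var sent = DateTimeOffset.FromUnixTimeSeconds(unixTime);
        if ((now - sent).Duration() > MaxSkew) return false;              // too old or future-dated
        byte[] actual;
        try { actual = Convert.FromBase64String(mac ?? ""); } catch (FormatException) { return false; }
        byte[] expected = Convert.FromBase64String(Sign(key, clientId, unixTime, nonce, body));
        if (!CryptographicOperations.FixedTimeEquals(expected, actual)) return false;
        lock (_seen)   // nonce is recorded only after the MAC checks out, so strangers cannot fill the cache
        {
            foreach (var k in new List<string>(_seen.Keys))
                if (_seen[k] < now) _seen.Remove(k);                      // entry outlived the time window
            return _seen.TryAdd(clientId + ":" + nonce, sent + MaxSkew);  // false if this nonce was seen before
        }
    }

    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-sample-secret"); // constructed sample value
        var v = new RequestVerifier(new Dictionary<string, byte[]> { ["client-a"] = key });
        var now = DateTimeOffset.UtcNow;
        long t = now.ToUnixTimeSeconds();
        string mac = Sign(key, "client-a", t, "n-001", "<GetQuote/>");
        Console.WriteLine(v.Verify("client-a", t, "n-001", "<GetQuote/>", mac, now));                // first delivery
        Console.WriteLine(v.Verify("client-a", t, "n-001", "<GetQuote/>", mac, now));                // same message replayed
        Console.WriteLine(v.Verify("client-a", t, "n-001", "<GetQuote/>", mac, now.AddMinutes(10))); // replayed after the window
    }
}
```

With one secret per client, a secret extracted from one client can be dropped from the key table without affecting the others. The MAC authenticates the request but does not hide it, so the call still needs TLS for confidentiality.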