WS-Security Best Practice?

Discussion in 'ASP .Net Web Services' started by Brian Greiwe, Jan 29, 2004.

  1. Brian Greiwe

    Brian Greiwe Guest

    I'm new to Webservices, but nonetheless have taken the leap!

    I have a ws I'm writing that will be used in a subscription. Nothing
    huge or confidential. The client will pass in standard parms and get
    back a data string. There is no need for the return value to be
    encrypted/protected/etc, as it does not contain any private data.

    However, I want to ensure that the caller has privileges to the
    service...based on a subscription. Basically, I want to verify the
    caller is who they say they are, and preferably make it so they can't
    simply give away their username and password to a buddy and in essence
    give someone else a free subscription.

    Any advice on the best approach here? I've read many blogs, postings,
    and white papers...from custom made db security to WS-Security, to WSE
    2.0. I'm looking for the best performance and cost effective
    solution.

    Any input and advice is welcomed!!!

    Thanks,
    Brian
     
    Brian Greiwe, Jan 29, 2004
    #1

  2. Jan Tielens

    Jan Tielens Guest

    Do you want to use your web service in an intranet, or through the internet?
    The easiest solution is using integrated Windows authentication, but it will
    only work in an intranet environment.

    --
    Greetz

    Jan Tielens
    ________________________________
    Read my weblog: http://weblogs.asp.net/jan

     
    Jan Tielens, Jan 30, 2004
    #2

  3. Brian Greiwe

    Brian Greiwe Guest

    This is intended to be provided over the internet on a subscription
    basis. So, no not intranet, which I guess rules out Windows
    Authentication.

     
    Brian Greiwe, Jan 30, 2004
    #3
  4. Jan Tielens

    Jan Tielens Guest

    A commonly used solution is to put a username/password (or ticket) in the SOAP
    header. Here are some links:

    http://www.codeproject.com/cs/webservices/authforwebservices.asp#xx561031xx

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnservice/html/service06182002.asp
    --
    Greetz,
    Jan
    __________________________________
    Read my weblog: http://weblogs.asp.net/jan
     
    Jan Tielens, Jan 31, 2004
    #4
  5. Brian Greiwe

    Brian Greiwe Guest

    Jan -

    Thanks for all the information. I've begun implementing the SOAP
    headers and it makes sense, however, it is obvious that users could
    simply pass off their usernames and passwords to others and then
    "foil" the subscription. Is there a way to validate the origin? Say
    capturing the IP address or anything?

    Thanks,
    Brian
     
    Brian Greiwe, Feb 5, 2004
    #5
  6. Jan Tielens

    Jan Tielens Guest

    Sure, you can get the IP address of the computer that is calling:
    this.Context.Request.ServerVariables["REMOTE_ADDR"]

    Or you could use client and server side certificates to make it even more
    secure. :)

    --
    Greetz

    Jan Tielens
    ________________________________
    Read my weblog: http://weblogs.asp.net/jan

     
    Jan Tielens, Feb 6, 2004
    #6
  7. Brian Greiwe

    Brian Greiwe Guest

    Jan -

    Thanks again for the help.

    I just read your article on MSDN on throwing SOAP exceptions, so I
    wanted to tie that into my validation.

    Right now, my validation method (AuthenticateCall) has dual levels of
    try/catch (one for the exception and one for the SOAP).

    Since AuthenticateCall will be called from within each web method, do
    I need to remove the SOAP exception from within the AuthenticateCall
    and trap it at the top level? Or keep it there and mimic it again at
    the top level call? I just wanted to make sure that I can pass back
    any appropriate messages for failures (first for authentication, and
    secondly for any actual method/data failure).

    thanks,
    Brian

     
    Brian Greiwe, Feb 9, 2004
    #7
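    Added example (not code from this thread or from Jan's linked articles) pulling together the pieces discussed in posts #4, #6 and #7: credentials carried in a SOAP header, the REMOTE_ADDR lookup, and a single AuthenticateCall that throws a client-fault SoapException while each web method reports its own data failures as a server fault. SubscriptionHeader, SubscriptionService and the two in-memory tables are assumed names, and the endpoint is assumed to be served over HTTPS because the header carries the password in clear.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Services;
using System.Web.Services.Protocols;
// Credentials ride in a SOAP header; the client proxy sets this before each call.
public class SubscriptionHeader : SoapHeader
{
    public string Username;
    public string Password;
}
public class SubscriptionService : WebService
{
    public SubscriptionHeader Credentials;
    // Hypothetical in-memory tables; a real service keeps a salted password hash in a database.
    private static readonly Dictionary<string, string> Subscribers =
        new Dictionary<string, string> { { "alice", "correct horse" } };
    private static readonly Dictionary<string, string> Data =
        new Dictionary<string, string> { { "weather", "sunny" } };
    // Called first in every web method. An authentication failure is thrown here
    // once, as a client fault, and propagates out of the web method unchanged.
    private void AuthenticateCall()
    {
        string stored = null;
        if (Credentials == null || Credentials.Username == null
            || !Subscribers.TryGetValue(Credentials.Username, out stored) || stored != Credentials.Password)
        {
            throw new SoapException("Authentication failed.", SoapException.ClientFaultCode);
        }
        // REMOTE_ADDR is often a shared NAT or proxy address: log it for abuse review, not as proof of identity.
        string remoteAddr = Context.Request.ServerVariables["REMOTE_ADDR"];
        Context.Trace.Write("auth", Credentials.Username + " from " + remoteAddr);
    }
    [WebMethod]
    [SoapHeader("Credentials", Direction = SoapHeaderDirection.In)]
    public string GetData(string key)
    {
        AuthenticateCall();
        try
        {
            return Data[key];
        }
        catch (Exception ex)
        {
            // Method/data failure: a server fault with a sanitised message, distinct from the client fault above.
            throw new SoapException("No data for key '" + key + "'.",
                SoapException.ServerFaultCode, ex);
        }
    }
}
```

    Because AuthenticateCall throws the fault itself, the web methods need no second try/catch for authentication; the two fault codes let the client tell a rejected login apart from a data error.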
  8. Brian Greiwe

    Brian Greiwe Guest

    Never mind - answered my own question. Thanks though!

    Brian Greiwe, Feb 10, 2004
    #8