WS-Security vs. IIS authentication and trust boundaries

Discussion in 'ASP .Net Security' started by Morten Overgaard, Mar 5, 2005.

  1. Hi Sirs.

    When using WS-Security instead of IIS authentication I see a potential
    problem letting ALL people access my webService, i.e. if I have a little bug
    in the code that checks for validity of the user I'm really exposing
    myself.

    If using IIS authentication I'm sure that only IIS authenticated users are
    allowed access to my webService. So don't WS-Security and IIS security
    go hand in hand, or am I missing something here?


    Regards Morten
    Morten Overgaard, Mar 5, 2005

  2. WJ Guest

    "Morten Overgaard" <> wrote in message
    news:...
    > If using IIS authentication I'm sure that only IIS authenticated users are
    > allowed access to my webService. So don't WS-Security and IIS security
    > go hand in hand, or am I missing something here?


    Assuming that you are using Microsoft technology, then yes, a Webservice is
    controlled by MS/UDDI server, which is IIS-6. You can then treat or
    configure your webservice security requirements just like an ordinary web
    application under IIS-6 server.

    John
    WJ, Mar 5, 2005

  3. WS-Security (and all the WS-* standards) are bigger than just Microsoft.
    Integrated security is fine when talking Windows to Windows in your
    intranet. Making a standard security mechanism for your web service on the
    wider internet is another kettle of fish. WS-Security also has a lot more
    flexibility in terms of customisation than IIS does.

    --

    - Paul Glavich
    ASP.NET MVP
    ASPInsider (www.aspinsiders.com)


    "Morten Overgaard" <> wrote in message
    news:...
    > Hi Sirs.
    >
    > When using WS-Security instead of IIS authentication I see a potential
    > problem letting ALL people access my webService, i.e. if I have a little
    > bug in the code that checks for validity of the user I'm really exposing
    > myself.
    >
    > If using IIS authentication I'm sure that only IIS authenticated users are
    > allowed access to my webService. So don't WS-Security and IIS security
    > go hand in hand, or am I missing something here?
    >
    > Regards Morten
    Paul Glavich [MVP ASP.NET], Mar 10, 2005
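
The concern raised in the first post is a bug in the message-level check letting everyone in. The sketch below is an added example, not code from the thread or from any Microsoft library: a WS-Security UsernameToken (PasswordDigest) validator written so that any missing element, malformed value or unexpected exception denies access. It is in Python rather than ASP.NET so it runs stand-alone; `USERS`, `MAX_AGE`, `authenticate` and `sample_envelope` are hypothetical names and the credentials are constructed.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = OASIS + "wssecurity-secext-1.0.xsd"
WSU = OASIS + "wssecurity-utility-1.0.xsd"
DIGEST_TYPE = OASIS + "username-token-profile-1.0#PasswordDigest"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"s": SOAP, "o": WSSE, "u": WSU}
USERS = {"morten": "constructed-sample-secret"}  # constructed sample credential store
MAX_AGE = timedelta(minutes=5)  # assumed freshness window

def password_digest(nonce, created, password):
    # UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def authenticate(envelope, now, seen_nonces):
    """Return the user name only if every check passes, otherwise None."""
    try:
        if "<!DOCTYPE" in envelope:  # SOAP messages carry no DTD; refuse entity tricks
            return None
        tokens = ET.fromstring(envelope).findall("s:Header/o:Security/o:UsernameToken", NS)
        if len(tokens) != 1:  # missing or duplicated token: deny
            return None
        user = tokens[0].findtext("o:Username", None, NS)
        pw = tokens[0].find("o:Password", NS)
        nonce_b64 = tokens[0].findtext("o:Nonce", None, NS)
        created = tokens[0].findtext("u:Created", None, NS)
        if None in (user, pw, nonce_b64, created) or pw.get("Type") != DIGEST_TYPE:
            return None
        secret = USERS.get(user)
        ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if secret is None or abs(now - ts) > MAX_AGE or nonce_b64 in seen_nonces:
            return None  # unknown user, stale timestamp, or replayed nonce
        expected = password_digest(base64.b64decode(nonce_b64, validate=True), created, secret)
        if not hmac.compare_digest(expected, pw.text or ""):
            return None
        seen_nonces.add(nonce_b64)
        return user
    except Exception:
        return None  # a bug or malformed input denies access, never grants it

def sample_envelope(user, digest, nonce_b64, created):  # constructed test message
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:o="{WSSE}" xmlns:u="{WSU}"><s:Header>'
            f'<o:Security><o:UsernameToken><o:Username>{user}</o:Username>'
            f'<o:Password Type="{DIGEST_TYPE}">{digest}</o:Password>'
            f'<o:Nonce>{nonce_b64}</o:Nonce><u:Created>{created}</u:Created>'
            f'</o:UsernameToken></o:Security></s:Header><s:Body/></s:Envelope>')
```

Transport-level authentication in front of the service can still be layered on top; the validator only ensures that the message-level check cannot fail open on its own.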