X509 and UserName/Pass in SOAP header?

Discussion in 'ASP .Net Web Services' started by cootmonster, Mar 15, 2007.

  1. cootmonster

    cootmonster Guest

    Planning on using an X509 cert to validate that a business client is who they
    say they are. After we authenticate the client, we then need a username and
    password to authorize users' permissions. Should we store this in the SOAP
    header or just as part of the XML message structure?
    cootmonster, Mar 15, 2007
    #1

  2. I am missing something here.

    You are using X.509 certs and then having login information? Are you not
    issuing individual certs to each client/user? The only potential I can think
    of that makes sense is distributed security (each app has same user base?).
    If so, move the user base to its own service and link it to the X.509 there.
    You can then call the service to identify the user. Yes, this slows things
    down a bit, but SOA is about reuse more than performance (although the
    latency is not generally that bad if these are all internal apps and the
    maintainability shoots through the roof).

    --
    Gregory A. Beamer
    MVP; MCP: +I, SE, SD, DBA

    *********************************************
    Think outside the box!
    *********************************************
    Cowboy (Gregory A. Beamer), Mar 26, 2007
    #2

  3. cootmonster

    cootmonster Guest

    The reason for the cert and user/pass I believe is this...

    We are giving the capability of a 3rd party company to interface to our web
    service. They will be distributing their software to their clients. So what
    I thought we would have to do is use a cert to verify that it is from the 3rd
    party software vendor, then use a username/password to authorize the actual
    user on our system.

    Does this make sense or is it overkill?


    cootmonster, Mar 28, 2007
    #3
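
Added example, not part of the thread: one way to lay out the two-layer scheme from the last post, with the certificate identifying the vendor's software and a WS-Security `UsernameToken` in the SOAP header identifying the end user. It assumes the TLS layer has already validated the client certificate chain; the vendor name, user, stand-in certificate bytes and `authenticate` helper are all constructed for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/"
              "oasis-200401-wss-wssecurity-secext-1.0.xsd"}

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data: stand-in certificate bytes, one vendor, one user.
VENDOR_CERT_DER = b"constructed-stand-in-for-vendor-certificate-DER"
VENDORS = {hashlib.sha256(VENDOR_CERT_DER).hexdigest(): "vendor-a"}
USERS = {("vendor-a", "alice"): (b"salt-1", _pw_hash("s3cret!", b"salt-1"))}

# Constructed request: credentials travel in the header, the body holds only
# the business payload. A cleartext password here relies on TLS for secrecy.
ENVELOPE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}">
  <soap:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>alice</wsse:Username>
        <wsse:Password>s3cret!</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><GetOrders xmlns="urn:example:orders"/></soap:Body>
</soap:Envelope>"""

def authenticate(client_cert_der, envelope):
    """Return (vendor, user) when both layers pass, otherwise None."""
    # Layer 1: map the presented certificate to a known vendor.
    vendor = VENDORS.get(hashlib.sha256(client_cert_der).hexdigest())
    if vendor is None or "<!DOCTYPE" in envelope:  # SOAP carries no DTD
        return None
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError:
        return None
    token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        return None
    user = token.findtext("wsse:Username", default="", namespaces=NS)
    password = token.findtext("wsse:Password", default="", namespaces=NS)
    # Layer 2: the user lookup is scoped to the vendor the certificate proved.
    salt, stored = USERS.get((vendor, user), (b"", b""))
    if not hmac.compare_digest(_pw_hash(password, salt), stored):
        return None
    return vendor, user
```

Keying the user table on the vendor as well as the username means a valid login presented under a different vendor's certificate is rejected.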