How to call Web Service Securely

va

I love Web Apps in ASP.NET 2.0 because you can easily deny users access to
pages by role or user.

But for desktop client to webservice methods, I am not sure what to do....

I am looking for the simplest and safest method or pattern to have my
Desktop client be able to call a web service securely.

Assume my webservice proxy has 15 methods. By securely, I want the Client
desktop app to pass some kind of simple username/password token -- something
- but not in plain text - so that access to the web call either immediately
succeeds or fails. I don't know where to start - what is the simplest and
easiest way to accomplish this and maintain it.
Thanks for any simple answers.
 
Dominick Baier [DevelopMentor]

Hi,

you can use IIS/integrated auth with SSL or WS:Security

Does your user have a Windows account? If yes, you could simply use integrated/basic/digest
over SSL

If you want some kind of custom authentication scheme - you could handroll
it using headers or have a look at UsernameTokens in WSE3 which is a standard
implementation of passing identity information with SOAP packets.

ping me if you need more help
 
va

Dominick,

I looked at handrolling WS* but the problem I had was I didn't like having
to hardcode lookups on the server side - I was just hoping I could create
some token on the desktop side and when making the call, the service's
method would allow or disallow it.


The design is a stand-alone exe (could be on your machine) that needs to make a
web method call via dialup to my IIS Web Service.

I can create a User Account on the IIS server but not on the user's desktop
- the networks are unrelated. I can create my own logon screen locally of
course to get the userid and password I'll need to somehow receive on the
other side.

Is there a way I can create a token from that userid/password and use
integrated security without having to have the standard Windows login screen
pop up on each method call?
 
Dominick Baier [DevelopMentor]

Hi,

ok - as i said - you have two options:

--- #1 you create Windows users for your client on the IIS machine

you could provide a logon screen in the client app and create a NetworkCredential
from that - then use SSL and basic auth to access the web service


--- #2 you don't want the user accounts in Windows but rather some database

you could handroll some headers or use WSE (e.g. if you can't use SSL) -
you would have to provide your own authorization architecture then -

WSE3 is the first version which supports an <authorization> element for security
tokens - but that is tied to .NET 2.0


so i guess the easiest option might be #1
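
Option #1 sketched in C#, as an added example that is not part of the original post: credentials collected by the client's own logon form are attached once to the web service proxy, so no Windows prompt appears per call. The `SecureProxy` helper, the sample user and the example.com URL are hypothetical; a bare `SoapHttpClientProtocol` stands in for a proxy class generated by Add Web Reference.

```csharp
using System;
using System.Net;
using System.Web.Services.Protocols;

// Hypothetical helper (not from the thread): basic auth over SSL for an ASMX proxy.
static class SecureProxy
{
    public static void Configure(SoapHttpClientProtocol proxy, string user, string password)
    {
        Uri url = new Uri(proxy.Url);

        // Basic auth only base64-encodes the password, so refuse anything but SSL/TLS.
        if (url.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("Basic auth requires an https:// service URL.");

        // Bind the credential to this host and to the Basic scheme only, so it is
        // not offered to a different server or in answer to a different challenge.
        CredentialCache cache = new CredentialCache();
        cache.Add(new Uri(url.GetLeftPart(UriPartial.Authority)), "Basic",
                  new NetworkCredential(user, password));
        proxy.Credentials = cache;

        // Ask the HTTP stack to pre-authenticate instead of waiting for a 401 each time.
        proxy.PreAuthenticate = true;
    }

    // A rejected logon surfaces as a WebException carrying the HTTP status code.
    public static bool IsAccessDenied(WebException ex)
    {
        HttpWebResponse resp = ex.Response as HttpWebResponse;
        return resp != null && (resp.StatusCode == HttpStatusCode.Unauthorized
                             || resp.StatusCode == HttpStatusCode.Forbidden);
    }
}

static class Demo
{
    static void Main()
    {
        SoapHttpClientProtocol proxy = new SoapHttpClientProtocol();
        proxy.Url = "https://services.example.com/Orders.asmx"; // constructed URL
        SecureProxy.Configure(proxy, "alice", "password-from-logon-form");
        Console.WriteLine("https proxy configured, PreAuthenticate=" + proxy.PreAuthenticate);

        proxy.Url = "http://services.example.com/Orders.asmx";  // plain HTTP is refused
        try { SecureProxy.Configure(proxy, "alice", "password-from-logon-form"); }
        catch (InvalidOperationException e) { Console.WriteLine("Refused: " + e.Message); }
    }
}
```

With a real generated proxy, wrap each web method call in a `catch (WebException ex)` and use `SecureProxy.IsAccessDenied(ex)` to send the user back to the logon form.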
 
va

Thanks. Maybe I am complicating WSE too much - can you point me to a simple
example of WSE used with a WebMethod?
 
Dominick Baier [DevelopMentor]

which .net version - which type of authentication (username/password against
a db??)
 
hulinning

Hi Dominick

What if my client application is a WinCE device, and my webservice is using
Integrated Windows Authentication mode, then what do I need to pass to my
webservice in order to authenticate?

Can I get user account from WinCE device without asking user to provide
login/password to send to webservice?
 
Dominick Baier [DevelopMentor]

Hi,

prolly not...

but i am not a WinCE expert (in fact i never touched such a device) -sorry.
 
