WS-Security vs. IIS authentication

  • Thread starter Morten Overgaard
  • Start date
M

Morten Overgaard

Hi Sirs.

When using WS-Security instead of IIS authentication I see a potential
problem letting ALL people access my webService. ie. if I have a little bug
in the code that checks for validity of the user I'm really exposing
my-self.

If using IIS authentication I'm sure that only IIS authenticated users are
allowed access to my webService. So doesen't WS-Security and IIS security
come hand in hand or am I missing something here.?


Regards Morten
 
P

Pete Wood

A good point. I think the difference is that WS-Security merely provides
the "framework" for performing authorisation, the **actual** check (eg.
UsenameToken) is done somewhere else - against an LDAP, IIS - so you do have
to assume that you use your LDAP API etc correctly so as not to expose your
entire enterprise - but that is true for any security policy. WS-Security
merely provides a standard way of exposing which ever way you have chosen to
implement security.

I hope that helps...
http://www.webserviceshelp.org/wsh/Overview+of+WS-Security.htm
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

WS-Security vs. IIS authentication and trust boundaries 2
wcf: How to use wsHttpBinding under IIS6 when anonymous authentication not allowed 1
WS Security Header (WSE 2) 4
JAX-WS and Security 0
Windows Authentication problems 0
Difference between accessing WS using host name and IP address 0
VB 6 Client (Soap Toolkit) with WS on IIS 6.0 authentication problems 1
windows authentication (webservice security) 1

Members online

No members online now.
Total: 23 (members: 0, guests: 23)
Robots: 404

Forum statistics

Threads
473,770
Messages
2,569,584
Members
45,075
Latest member
MakersCBDBloodSupport

Latest Threads

Top