Need advice on security setup

From: HG (hg_at_nospam.websolver.dk)
Date: 02/24/05


Date: Thu, 24 Feb 2005 10:34:26 +0100

Hi all experts.

I am currently planning a rather large application that will have the
following characteristics:

1)
Business Services layer will be implemented as XML Web Services. I think
service (WSDL) lookup will be done using UDDI, not sure yet, since I can't
really see why I should go for UDDI. Quite OT, but anyone on this?

2)
There will be several "clients" to the service layer. Some of which I
develop, and some of which a 3rd party develops. These clients range from
WinForms (smart) applications to WebForm applications.

3)
Customers running on this solution can have different versions of services
and clients. 90% will run on the same services, but 10% can run on
services/clients providing extra functionality.

4)
The Internet is used as transport medium. Pure Internet, not Intra or
Extranets here.

5)
80% will be on .NET, 20% on J2EE

Why I am asking this in a security newsgroup is because:

1)
I need to authenticate if customers have access to a service (and the WSDL)
and exactly which set of services (versions) they run on. I thought
about using UDDI for this, but maybe I can go for a simpler solution, maybe
file access by IIS

2)
I need to authenticate each request (I guess so) to my services layer, since
it can be anyone trying to access the service. Maybe by putting the
credentials in the web service request (in each call to a webmethod???),
maybe in SOAP headers, maybe by using WSE 2.0.... Is WSE 2.0 interoperable with
other platforms?

3)
I need to make sure that the request has not been tampered with on the way
from client to web service. This is "just" pure SSL right?

Thanx in advance for any suggestions... or links that can point me in the
right direction..

Maybe I can issue a client certificate and then all my trouble is
over...except for managing those d.... certificates on the client.... :-)

Regards

Henrik

http://websolver.blogspot.com


