Re: How to call Web Service Securely



Hi,

ok - as i said - you have two options:

--- #1 you create Windows users for your client on the IIS machine

you could provide a logon screen in the client app and create a NetworkCredential from that - then use SSL and basic auth to access the web service


--- #2 you don't want the user accounts in Windows but rather some database

you could handroll some headers or use WSE (e.g. if you can't use SSL) - you would have to provide your own authorization architecture then -

WSE3 is the first version which supports an <authorization> element for security tokens - but that is tied to .NET 2.0


so i guess the easiest option might be #1

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
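
Option #1 from the reply above, sketched in C# as an added example that is not part of the original thread: credentials taken from the client's own logon screen are set once on the request, scoped to the service URL and the Basic scheme, and refused for any non-SSL endpoint. The class name, the service URL and the sample user name and password are assumptions made for illustration.

```csharp
using System;
using System.Net;
using System.Text;

static class SecureServiceCall
{
    // Hypothetical endpoint; replace with the real .asmx URL.
    const string ServiceUrl = "https://service.example.com/Orders.asmx";

    // Scope the credentials to one URL and to the Basic scheme only, so they
    // are not offered to other hosts or to other authentication schemes.
    public static ICredentials BuildCredentials(Uri serviceUri, string user, string password)
    {
        // Basic auth only base64-encodes the password: refuse a non-SSL endpoint.
        if (serviceUri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("Basic auth requires an https:// URL.");

        CredentialCache cache = new CredentialCache();
        cache.Add(serviceUri, "Basic", new NetworkCredential(user, password));
        return cache;
    }

    // What Basic auth puts on the wire: reversible base64, not encryption.
    public static string BasicHeaderValue(string user, string password)
    {
        return "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes(user + ":" + password));
    }

    static void Main()
    {
        Uri uri = new Uri(ServiceUrl);
        // Constructed sample input standing in for the logon screen fields.
        string user = "alice", password = "correct horse";

        // Creating the request object does not open a connection.
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(uri);
        request.Credentials = BuildCredentials(uri, user, password);
        // Once the server has accepted the credentials, send the Authorization
        // header with later requests instead of waiting for a 401 each time.
        request.PreAuthenticate = true;

        Console.WriteLine("Header value (readable without SSL): " + BasicHeaderValue(user, password));

        try { BuildCredentials(new Uri("http://service.example.com/Orders.asmx"), user, password); }
        catch (InvalidOperationException ex) { Console.WriteLine("Rejected: " + ex.Message); }
    }
}
```

A proxy class generated for the web service derives from SoapHttpClientProtocol, which exposes the same Credentials and PreAuthenticate properties, so the credentials are assigned once on the proxy instance rather than per method call.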

Dominick,

I looked at handrolling WS* but the problem I had was I didn't like
having to hardcode lookups on the server side - I was just hoping I
could create some token on the desktop side and when making the call
it the service's method would allow or disallow.

The design is a stand-alone exe (could be on your machine) needs to
make a web method via dialup to my IIS Web Service.

I can create a User Account on the IIS server but not on the user's
desktop - the networks are unrelated. I can create my own logon
screen locally of course to get the userid and password I'll need to
somehow to receive on the other side.

Is there a way I can create a token from that userid/password and use
integrated security without having to have the standard windows login
screen pop up each method call?

"Dominick Baier [DevelopMentor]" wrote:

Hi,

you can use IIS/integrated auth with SSL or WS:Security

Does your user have a Windows account? if yes you could simply use
integrated/basic/digest over SSL

If you want some kind of custom authentication scheme - you could
handroll it using headers or have a look at UsernameTokens in WSE3
which is a standard implementation of passing identity information
with SOAP packets.

ping me if you need more help

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

I love Web Apps in ASP.NET 2.0 because you can easily deny users
access to pages by role or user.

But for desktop client to webservice methods, I am not sure what to
do....

I am looking for the simplest and safest method or pattern to have
my Desktop client be able to call a web services securely.

Assume my webservice proxy has 15 methods. By securely, I want the
Client desktop app to pass some kind of simple username/password
token -- something - but not in plain text - so that access to the
web call either immediately succeeds or fails. I don't know where to
start - what is the simplest and easiest way to accomplish this and
maintain it.
Thanks for any simple answers.

