Re: Security design question
- From: "Joe Kaplan \(MVP - ADSI\)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 19 Apr 2006 16:59:30 -0500
The only thing that I'm aware of that is relatively standard across toolkits
is something transport level like HTTP Basic authentication. This is also
probably fine fine from a security perspective when combined with SSL.
You then have to decide if you want to implement a trusted subsystem or a
delegated model. A trusted subsystem essentially uses fixed service
accounts from the web service client side to access the web services. If
the front of the web service client will take requests from many different
clients, it is responsible for providing any intermediary security to the
web service.
In a delegated model, you would essentially take the credentials of the
authenticated user and pass them through the web application tier to the web
service tier, which would then apply security rules directly to the user.
Both approaches have their advantanges and disadvantages.
Joe K.
"Jeremy Chapman" <please@Idontlikespam> wrote in message
news:eSVvql$YGHA.4944@xxxxxxxxxxxxxxxxxxxxxxx
I am in search of some suggestions regarding how I should emplement
security in a system being developed.
System architecture:
A web application is exposed to the internet. Behind a firewall is a
series of web services. The web services communicate with a SQL server
2000 database through stored procedures. Users access the web application
over an SSL connection, and the web application accesses the web services
over an SSL connection. We limit access to the web application through
forms authentication.
My design dilemna:
There should be some authentication mechanism between the web application
and the web services. In the future we may develop other applications or
allow other vendors to use our web services. So my question is, are there
recommended ways to authenticate an application to a web service?
I'm not inclined to use WSE because I'm not aware of toolkits for much
beyond .net development and we want a relatively easy method of using the
web services with technologies other than .net.
I am searching for some sort of standard mechanism that can be relatively
easily implemented. I could role my own solution but in the event that
3rd party vendors will use my web services, they will need to understand
my implementation details where as sdks are probably already available for
standard approaches.
.
- Follow-Ups:
- Re: Security design question
- From: Jeremy Chapman
- Re: Security design question
- References:
- Security design question
- From: Jeremy Chapman
- Security design question
- Prev by Date: Security design question
- Next by Date: strange Formsauthentication behavior
- Previous by thread: Security design question
- Next by thread: Re: Security design question
- Index(es):
Relevant Pages
|
