Re: Security design question
- From: "Jeremy Chapman" <please@Idontlikespam>
- Date: Thu, 20 Apr 2006 08:27:45 -0700
If the client application uses forms authentication can that be delegated to
the web services which uses basic authentication? Where can I find some
information on how to implement delegation like this?
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:%23JQdyx$YGHA.4164@xxxxxxxxxxxxxxxxxxxxxxx
The only thing that I'm aware of that is relatively standard across
toolkits is something transport level like HTTP Basic authentication.
This is also probably fine fine from a security perspective when combined
with SSL.
You then have to decide if you want to implement a trusted subsystem or a
delegated model. A trusted subsystem essentially uses fixed service
accounts from the web service client side to access the web services. If
the front of the web service client will take requests from many different
clients, it is responsible for providing any intermediary security to the
web service.
In a delegated model, you would essentially take the credentials of the
authenticated user and pass them through the web application tier to the
web service tier, which would then apply security rules directly to the
user.
Both approaches have their advantanges and disadvantages.
Joe K.
"Jeremy Chapman" <please@Idontlikespam> wrote in message
news:eSVvql$YGHA.4944@xxxxxxxxxxxxxxxxxxxxxxx
I am in search of some suggestions regarding how I should emplement
security in a system being developed.
System architecture:
A web application is exposed to the internet. Behind a firewall is a
series of web services. The web services communicate with a SQL server
2000 database through stored procedures. Users access the web
application over an SSL connection, and the web application accesses the
web services over an SSL connection. We limit access to the web
application through forms authentication.
My design dilemna:
There should be some authentication mechanism between the web application
and the web services. In the future we may develop other applications or
allow other vendors to use our web services. So my question is, are
there recommended ways to authenticate an application to a web service?
I'm not inclined to use WSE because I'm not aware of toolkits for much
beyond .net development and we want a relatively easy method of using the
web services with technologies other than .net.
I am searching for some sort of standard mechanism that can be relatively
easily implemented. I could role my own solution but in the event that
3rd party vendors will use my web services, they will need to understand
my implementation details where as sdks are probably already available
for standard approaches.
.
- Follow-Ups:
- Re: Security design question
- From: Joe Kaplan \(MVP - ADSI\)
- Re: Security design question
- References:
- Security design question
- From: Jeremy Chapman
- Re: Security design question
- From: Joe Kaplan \(MVP - ADSI\)
- Security design question
- Prev by Date: Re: How to redirect timeout page when session timeout?
- Next by Date: Forms authentication credentials fail
- Previous by thread: Re: Security design question
- Next by thread: Re: Security design question
- Index(es):
Relevant Pages
|
|
