Re: forms auth, authenticate against already encrypted password?



hi dominick,
yes, it is a hack, but a very useful one!
thanks for the suggestion, good idea to SSL, although my app is only concerned with file transfer over http (MTOM / WSE) so the encryption overhead with https would be a factor. you're right, i didn't need session state. i thought i needed it to preserve the auth cookie, but the two are unrelated.

i don't see how the <authorization> element could help? granted i could configure separate web service locations with different access rules, although in my tests it was not possible to login to one web service (login.asmx) and access another (MTOM.asmx) with the same ticket. do you think this should be possible? taking the winforms client scenario, each web service is its own proxy object, and it has no bearing on any other web service proxy objects. perhaps they could share the same cookie containers, i didn't get around to trying that.

any suggestions are most welcome, thanks again for the reply
tim

"Dominick Baier" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:51eb304848c28c8fd80ffdd5050@xxxxxxxxxxxxxxxxxxxxx
> No - you have to pass in the clear text - you should SSL anyways to protect the webservice and the resulting cookie - so passing a clear text password in your solution is not a big deal.
>
> > p.s. to anyone wondering about using web services with forms auth, it
> > has limited use and it's a bit of a workaround,
>
> some would say a "hack" ;)
>
> > but for my app it is
> > invaluable and much simpler than a custom security solution. set the
> > LoginUrl in web.config to the web service itself, add Login() and
> > Logout() web methods
>
> Also don't forget to handle the timeout scenario.
>
> > that use FormsAuthentication, enable session
> > state on all the web methods,
>
> Why do you need session state? this is not a requirement of FormsAuth.
>
> > set a cookie container on the client
> > proxy object, and for each of the web methods, do a simple check
> > if(!User.Identity.IsAuthenticated) throw new
> > UnauthorizedAccessException(), etc.
>
> I would recommend using an <authorization> element in web.config rather than requiring code in each web method (which can be forgotten)
>
> -----
> Dominick Baier (http://www.leastprivilege.com)
>
> > hi,
> > i'm using forms authentication with a web service, and i have the web
> > service passing in the password already encrypted in MD5. can i use
> > any of the built-in FormsAuthentication methods to authenticate with this
> > password?
> > it works fine if i pass in the plain text password.
> > e.g. FormsAuthentication.Authenticate("tim", "pass") works fine, but
> > the following code does not work, by design of course:
> > FormsAuthentication.Authenticate("tim", "1A1DC91C907325C69271DDF0C944BC72")
> >
> > i could always dig into the web.config file myself to access the
> > encrypted password value but i try to avoid that approach where possible.
> > thanks
> > tim
> > p.s. to anyone wondering about using web services with forms auth, it
> > has limited use and it's a bit of a workaround, but for my app it is
> > invaluable and much simpler than a custom security solution. set the
> > LoginUrl in web.config to the web service itself, add Login() and
> > Logout() web methods that use FormsAuthentication, enable session
> > state on all the web methods, set a cookie container on the client
> > proxy object, and for each of the web methods, do a simple check
> > if(!User.Identity.IsAuthenticated) throw new
> > UnauthorizedAccessException(), etc.
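
The `<authorization>` approach recommended in the quoted reply, sketched as a web.config; this is an added example, not configuration posted by anyone in the thread. The file names login.asmx and MTOM.asmx and the user entry come from the thread; the cookie name, the timeout value and the assumption that the hash in the post is the stored one are illustrative.

```xml
<!-- Added example. Cookie name and timeout are assumptions; file names are from the thread. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl points at the login web service, as described in the p.s.
           requireSSL="true" follows the advice to protect the ticket cookie with SSL;
           the cookie is then only sent over HTTPS. -->
      <forms name=".WSAUTH" loginUrl="login.asmx" timeout="30"
             slidingExpiration="true" requireSSL="true" protection="All">
        <!-- FormsAuthentication.Authenticate(name, clearText) hashes the supplied
             clear text with passwordFormat and compares it with the stored value,
             so passing an already hashed password fails.
             Assumption: the hash quoted in the post is the stored one. -->
        <credentials passwordFormat="MD5">
          <user name="tim" password="1A1DC91C907325C69271DDF0C944BC72" />
        </credentials>
      </forms>
    </authentication>

    <!-- Default for every .asmx in the application: anonymous callers are
         rejected before any web method runs, so no per-method
         IsAuthenticated check can be forgotten. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Only the login service stays reachable without a ticket,
       otherwise Login() itself could never be called. -->
  <location path="login.asmx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place a call to MTOM.asmx without a valid ticket is answered with a redirect to loginUrl instead of a SOAP response, which is the timeout scenario the client has to handle.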



