Re: forms auth, authenticate against already encrypted password?



Hi,

yes, it is a hack, but a very useful one! thanks for the suggestion, good idea to SSL, although my app is only concerned with file transfer over http (MTOM / WSE) so the encryption overhead with https would be a factor.

When you are already using WSE - why don't you simply implement your own UsernameTokenManager?

SSL is in fact not really a big overhead - at least not for bandwidth - you need more CPU cycles to do the encryption (in the worst case there are SSL accelerator cards out there).

The authorization element can control access to individual files, directories or the whole application. Have a look at the asp.net documentation.

If you want "single sign on" for different web services (== different client proxies) you have to somehow share the authentication cookie between the proxies.


-----
Dominick Baier (http://www.leastprivilege.com)
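As an added example (not code from either poster), here is the client side of what Dominick describes: one CookieContainer shared by the proxies for login.asmx and MTOM.asmx, so the forms ticket issued by Login() is presented on the MTOM calls. The proxy class names LoginService and MtomService and the method name GetFile are assumptions; the thread only names the .asmx files and the Login()/Logout() methods. It also covers the timeout scenario Dominick mentions: once the ticket has expired, forms authentication redirects the call to LoginUrl, the proxy receives HTML instead of SOAP and throws InvalidOperationException, which the wrapper turns into a clear "sign in again" failure instead of a confusing parse error.

```csharp
using System;
using System.Net;
using System.Web.Services.Protocols;

// Added example. LoginService and MtomService stand for the proxy classes
// wsdl.exe / "Add Web Reference" would generate for login.asmx and MTOM.asmx
// (assumed names); both derive from SoapHttpClientProtocol, which exposes
// the CookieContainer property used below.
public class AuthenticatedClient
{
    // One cookie jar for every proxy: the forms ticket is just an HTTP cookie,
    // and a proxy with its own (or no) CookieContainer never sends it.
    private readonly CookieContainer cookies = new CookieContainer();
    private readonly LoginService login = new LoginService();
    private readonly MtomService files = new MtomService();

    public AuthenticatedClient()
    {
        login.CookieContainer = cookies;
        files.CookieContainer = cookies;
    }

    // Login() is assumed to return true and set the forms cookie on success.
    public bool SignIn(string user, string password)
    {
        if (!login.Login(user, password))
            return false;

        // Sanity check: the server should have issued the forms ticket
        // (".ASPXAUTH" is ASP.NET's default forms authentication cookie name).
        CookieCollection issued = cookies.GetCookies(new Uri(login.Url));
        return issued[".ASPXAUTH"] != null;
    }

    // GetFile is the assumed MTOM.asmx method. When the ticket has timed out,
    // forms auth redirects the request to LoginUrl; the proxy then receives
    // HTML instead of SOAP and throws InvalidOperationException. Report that
    // as an expired session so the caller knows to SignIn() again.
    public byte[] Download(string name)
    {
        try
        {
            return files.GetFile(name);
        }
        catch (InvalidOperationException ex)
        {
            throw new UnauthorizedAccessException(
                "forms ticket missing or expired; call SignIn again", ex);
        }
    }

    public void SignOut()
    {
        login.Logout();
        // Drop the ticket locally as well: SignOut on the server clears the
        // cookie in its response, but an aborted call would leave it behind.
        foreach (Cookie c in cookies.GetCookies(new Uri(login.Url)))
            c.Expired = true;
    }
}
```

Because the shared container is the only thing tying the two proxies together, any further proxy (a third .asmx) gets the same treatment: assign it the same CookieContainer before its first call.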

hi dominick,
yes, it is a hack, but a very useful one! thanks for the suggestion, good idea to SSL, although my app is only concerned with file transfer over http (MTOM / WSE) so the encryption overhead with https would be a factor. you're right, i didn't need session state. i thought i needed it to preserve the auth cookie, but the two are unrelated.

i don't see how the <authorization> element could help? granted i could configure separate web service locations with different access rules, although in my tests it was not possible to login to one web service (login.asmx) and access another (MTOM.asmx) with the same ticket. do you think this should be possible? taking the winforms client scenario, each web service is its own proxy object, and it has no bearing on any other web service proxy objects. perhaps they could share the same cookie containers, i didn't get around to trying that.

any suggestions are most welcome, thanks again for the reply
tim

"Dominick Baier" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:51eb304848c28c8fd80ffdd5050@xxxxxxxxxxxxxxxxxxxxx

No - you have to pass in the clear text - you should SSL anyways to protect the webservice and the resulting cookie - so passing a clear text password in your solution is not a big deal.

p.s. to anyone wondering about using web services with forms auth, it has limited use and it's a bit of a workaround,

some would say a "hack" ;)

but for my app it is invaluable and much simpler than a custom security solution. set the LoginUrl in web.config to the web service itself, add Login() and Logout() web methods

Also don't forget to handle the timeout scenario.

that use FormsAuthentication, enable session state on all the web methods,

Why do you need session state? this is not a requirement of FormsAuth.

set a cookie container on the client proxy object, and for each of the web methods, do a simple check if(!User.Identity.IsAuthenticated) throw new UnauthorizedAccessException(), etc.

I would recommend using an <authorization> element in web.config rather than requiring code in each web method (which can be forgotten)

-----
Dominick Baier (http://www.leastprivilege.com)
hi,
i'm using forms authentication with a web service, and i have the web service passing in the password already encrypted in MD5. can i use any of the built-in FormsAuthentication methods to authenticate with this password? it works fine if i pass in the plain text password.
e.g. FormsAuthentication.Authenticate("tim", "pass") works fine, but the following code does not work, by design of course:
FormsAuthentication.Authenticate("tim", "1A1DC91C907325C69271DDF0C944BC72")
i could always dig into the web.config file myself to access the encrypted password value but i try to avoid that approach where possible.
thanks
tim
p.s. to anyone wondering about using web services with forms auth, it has limited use and it's a bit of a workaround, but for my app it is invaluable and much simpler than a custom security solution. set the LoginUrl in web.config to the web service itself, add Login() and Logout() web methods that use FormsAuthentication, enable session state on all the web methods, set a cookie container on the client proxy object, and for each of the web methods, do a simple check if(!User.Identity.IsAuthenticated) throw new UnauthorizedAccessException(), etc.
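As an added example (not the poster's code) of the server side of the workaround Tim describes, and of why Dominick says the clear-text password has to be passed: Login() hands the supplied password to FormsAuthentication.Authenticate, which hashes it with the passwordFormat from web.config before comparing, so a caller who sends the stored hash gets it hashed a second time and never matches. The web.config excerpt in the comment, the service class names, the file store path and the GetFile method are assumptions; the user name and MD5 value are the pair from the thread.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Security;
using System.Web.Services;

// Added example, not the poster's code. It assumes this web.config (the user
// entry is the one from the thread; the value is MD5 of the clear text "pass"):
//
//   <system.web>
//     <authentication mode="Forms">
//       <forms loginUrl="login.asmx" timeout="20">
//         <credentials passwordFormat="MD5">
//           <user name="tim" password="1A1DC91C907325C69271DDF0C944BC72" />
//         </credentials>
//       </forms>
//     </authentication>
//     <authorization><deny users="?" /></authorization>   <!-- everything else -->
//   </system.web>
//   <location path="login.asmx">
//     <system.web><authorization><allow users="*" /></authorization></system.web>
//   </location>
//
// FormsAuthentication.Authenticate hashes the password it is *given* with the
// configured passwordFormat and compares that with the stored value. Sending
// the stored hash therefore fails by design: it would be hashed again.

public class LoginService : WebService          // login.asmx (assumed name)
{
    [WebMethod]
    public bool Login(string user, string password)
    {
        if (!FormsAuthentication.Authenticate(user, password))
            return false;

        // Issue the forms ticket as a session (non-persistent) cookie. From
        // here on the cookie is the bearer credential, which is why SSL
        // should cover every call, not only Login().
        FormsAuthentication.SetAuthCookie(user, false);
        return true;
    }

    [WebMethod]
    public void Logout()
    {
        FormsAuthentication.SignOut();
    }

    // Produces the value to put in <user password="..."> when adding an
    // account offline; "MD5" must match passwordFormat in web.config.
    public static string HashForConfig(string clearText)
    {
        return FormsAuthentication.HashPasswordForStoringInConfigFile(clearText, "MD5");
    }
}

public class MtomService : WebService           // MTOM.asmx (assumed name)
{
    private static readonly string Root = @"C:\files"; // assumed file store

    [WebMethod]
    public byte[] GetFile(string name)
    {
        // The <authorization> element already keeps anonymous callers out;
        // this in-method check is defence in depth, not a substitute for it.
        if (!User.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException();

        // Reduce the caller's input to a bare file name and confirm the
        // resolved path stays inside the store before reading it.
        string path = Path.GetFullPath(Path.Combine(Root, Path.GetFileName(name)));
        if (!path.StartsWith(Root + Path.DirectorySeparatorChar,
                             StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException();

        return File.ReadAllBytes(path);
    }
}
```

With the <location> entry in place, login.asmx is the only endpoint reachable without a ticket; every other .asmx under the application inherits the deny rule, so forgetting the IsAuthenticated check in one method no longer opens it up.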




