Re: forms auth, authenticate against already encrypted password?



hi dominick.
i finally got something going which is slightly less-of-a-hack, i posted it in reply to steven's post.
i have a Custom UsernameTokenManager implementation from another project, but i wanted to steer clear of it just as an experiment to see if a reasonable solution could be done up just using Forms Auth. partly for portability reasons too, this app could run with or without WSE very easily and it would be nice to have a one-size-fits-all security set up that integrates with the rest of the web site.

thanks again for all your help.
tim

"Dominick Baier" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:51eb304848ea8c8fd95c50f3fa0@xxxxxxxxxxxxxxxxxxxxx
Hi,

> yes, it is a hack, but a very useful one!
> thanks for the suggestion, good idea to SSL, although my app is only concerned with file transfer over http (MTOM / WSE) so the encryption overhead with https would be a factor.

When you are already using WSE - why don't you simply implement your own UsernameTokenManager?

SSL is in fact not really a big overhead - at least not for bandwidth - you need more CPU cycles to do the encryption (in the worst case there are SSL accelerator cards out there).

The authorization element can control access to individual files, directories or the whole application. Have a look at the asp.net documentation.

If you want "single sign on" for different web services (== different client proxies) you have to somehow share the authentication cookie between the proxies.


-----
Dominick Baier (http://www.leastprivilege.com)

hi dominick,
yes, it is a hack, but a very useful one!
thanks for the suggestion, good idea to SSL, although my app is only concerned with file transfer over http (MTOM / WSE) so the encryption overhead with https would be a factor. you're right, i didn't need session state. i thought i needed it to preserve the auth cookie, but the two are unrelated.
i don't see how the <authorization> element could help? granted i could configure separate web service locations with different access rules, although in my tests it was not possible to login to one web service (login.asmx) and access another (MTOM.asmx) with the same ticket. do you think this should be possible? taking the winforms client scenario, each web service is its own proxy object, and it has no bearing on any other web service proxy objects. perhaps they could share the same cookie containers, i didn't get around to trying that.

any suggestions are most welcome, thanks again for the reply
tim

"Dominick Baier" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:51eb304848c28c8fd80ffdd5050@xxxxxxxxxxxxxxxxxxxxx

No - you have to pass in the clear text - you should SSL anyways to protect the webservice and the resulting cookie - so passing a clear text password in your solution is not a big deal.

> p.s. to anyone wondering about using web services with forms auth, it has limited use and it's a bit of a workaround,

some would say a "hack" ;)

> but for my app it is invaluable and much simpler than a custom security solution. set the LoginUrl in web.config to the web service itself, add Login() and Logout() web methods

Also don't forget to handle the timeout scenario.

> that use FormsAuthentication, enable session state on all the web methods,

Why do you need session state? this is not a requirement of FormsAuth.

> set a cookie container on the client proxy object, and for each of the web methods, do a simple check if(!User.Identity.IsAuthenticated) throw new UnauthorisedAccessException(), etc.

I would recommend using an <authorization> element in web.config rather than requiring code in each web method (which can be forgotten)

-----
Dominick Baier (http://www.leastprivilege.com)
hi,
i'm using forms authentication with a web service, and i have the web service passing in the password already encrypted in MD5. can i use any of the built-in FormsAuthentication methods to authenticate with this password? it works fine if i pass in the plain text password.
e.g. FormsAuthentication.Authenticate("tim", "pass") works fine, but the following code does not work, by design of course:
FormsAuthentication.Authenticate("tim", "1A1DC91C907325C69271DDF0C944BC72")
i could always dig into the web.config file myself to access the encrypted password value but i try to avoid that approach where possible.
thanks
tim
p.s. to anyone wondering about using web services with forms auth, it has limited use and it's a bit of a workaround, but for my app it is invaluable and much simpler than a custom security solution. set the LoginUrl in web.config to the web service itself, add Login() and Logout() web methods that use FormsAuthentication, enable session state on all the web methods, set a cookie container on the client proxy object, and for each of the web methods, do a simple check if(!User.Identity.IsAuthenticated) throw new UnauthorisedAccessException(), etc.
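To show why Dominick's answer is "you have to pass in the clear text", here is an added C# console example, not code from anyone in this thread, that re-implements the comparison FormsAuthentication.Authenticate performs against a <credentials passwordFormat="MD5"> entry: it hashes whatever string the client supplies and compares that to the stored hash, so a client that sends the MD5 value gets it hashed a second time and never matches. The user name and stored hash are the ones from tim's post; the web.config entry is simulated with constants, and the hashing mirrors HashPasswordForStoringInConfigFile (upper-case hex of the MD5 digest of the UTF-8 bytes).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: mimics the check FormsAuthentication.Authenticate performs
// for <credentials passwordFormat="MD5">. Not the ASP.NET source itself.
static class FormsAuthDemo
{
    // Constructed stand-in for <user name="tim" password="..."/> in web.config;
    // the hash value is the one quoted in the original post.
    const string StoredUser = "tim";
    const string StoredHash = "1A1DC91C907325C69271DDF0C944BC72";

    // Equivalent of FormsAuthentication.HashPasswordForStoringInConfigFile(pw, "MD5").
    static string HashForConfig(string password)
    {
        using (var md5 = MD5.Create())
        {
            byte[] digest = md5.ComputeHash(Encoding.UTF8.GetBytes(password));
            var sb = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest) sb.Append(b.ToString("X2"));
            return sb.ToString();
        }
    }

    // What Authenticate(name, password) does: hash the string the caller
    // supplies and compare it with the configured hash.
    static bool Authenticate(string name, string password)
    {
        if (!string.Equals(name, StoredUser, StringComparison.OrdinalIgnoreCase))
            return false;
        return string.Equals(HashForConfig(password), StoredHash,
                             StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        // Clear text: MD5("pass") equals the stored value.
        Console.WriteLine(Authenticate("tim", "pass"));       // True
        // Pre-hashed: the hex string is hashed again and cannot match.
        Console.WriteLine(Authenticate("tim", StoredHash));   // False
        Console.WriteLine(HashForConfig(StoredHash));         // MD5 of the hex string
        // Whatever string the server accepts is the credential on the wire,
        // which is why the thread's advice is SSL for the call and the cookie.
    }
}
```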