Re: WebService Windows Authentication ASP.NET 2.0
- From: "Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx>
- Date: Mon, 20 Mar 2006 17:20:02 +0100
Thank you both for your replies.
Henrik.
"Dominick Baier [DevelopMentor]" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:4580be631985f68c8186ec4935f20@xxxxxxxxxxxxxxxxxxxxx
Hi,
yeah - as I said - if that's granular enough -
I would prefer IsInRole over PrincipalPermission - this is much more
flexible and allows to also work with SIDs if this is necessary (maybe not
now - but at some point in the future - e.g. to be independent of locale
specific windows groups)
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
If you have multiple methods in the same asmx file, you can't really
use the location and authorization tags. That is unfortunate as they
are really clean, but so it goes.
My suggestion is that instead of using the
PrincipalPermissionAttribute, you can either create a
PrincipalPermission and call its demand method OR you can do
HttpContext.Current.User.IsInRole and use that in an if statement with
your error condition of choice. Both do about the same thing.
My original comment about hard coding was directed towards the
attribute, not the PrincipalPermission itself. The problem with the
attribute is that you have to supply the role or user name at compile
time, and that sucks if your principal names are not abstract to your
app but are actual Windows principal names. It makes it nearly
impossible to move your code between environments in that case.
Anyway, I hope this gives you a good idea.
Joe K.
"Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx> wrote in message
news:eQTTenhSGHA.4608@xxxxxxxxxxxxxxxxxxxxxxx
Thank you both for your replies. If I have to use Dominick's solution I
have to refactor my web service, but that is of course an option.
Are there any good examples available when web services are using
method based windows authentication?
Thanks
Henrik
I guess that I could refactor my web service
"Dominick Baier [DevelopMentor]"
<dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:4580be631985cf8c8182f2260ea50@xxxxxxxxxxxxxxxxxxxxx
why not simply use an <authorization> element -
at least with
<deny users="?" />
and if it is granular enough to set the authorization on file basis
- use a location element for individual AuthZ settings for the .asmx
files.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
It will be secure as long as you configure IIS to only allow
authenticated users (via Basic, Digest and/or IWA).
I'm not a big fan of using the PrincipalPermission as it generally
requires you to hard code stuff you should be putting in
configuration (user and group names). I like calling IsInRole
directly so that you can supply the values at runtime.
PrincipalPermission just calls IsInRole under the hood anyway.
But, you can use it if you want.
Joe K.
"Henrik Skak Pedersen" <skak@xxxxxxxxxxxxxxxx> wrote in message
news:egeJ75gSGHA.1728@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
I have created a web service which I am calling from InfoPath, a
WinForms application and an ASP.NET Web Application.
I would now like to implement some security. The web service is
only being used inside a corporate network, so I can use
Windows-based security.
How secure is it if I use:
<authentication mode="Windows" />
in my web.config, and then put a PrincipalPermission on each
method?
Is this the right way of doing it?
Thanks
Henrik.
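
The per-method check discussed in this thread, as an added example that is not code from any of the posters: each web method calls IsInRole with a group name or SID read from configuration at runtime instead of a compile-time PrincipalPermissionAttribute. The class name, method names, namespace URI and appSettings keys are hypothetical, and the sketch assumes IIS and web.config already reject anonymous callers.

```csharp
using System;
using System.Configuration;
using System.Security;
using System.Security.Principal;
using System.Web;
using System.Web.Services;

[WebService(Namespace = "http://example.invalid/orders")] // placeholder namespace
public class OrderService : WebService
{
    // Hypothetical appSettings entries, set per environment in web.config:
    //   <add key="OrderReadersGroup" value="CORP\OrderReaders" />
    //   <add key="OrderAdminsSid"    value="S-1-5-32-544" />  (BUILTIN\Administrators)
    private static void DemandRole(string settingKey)
    {
        IPrincipal user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated)
            throw new SecurityException("Authentication required.");

        // Fail closed: a missing setting must never mean "everyone is allowed".
        string value = ConfigurationManager.AppSettings[settingKey];
        if (string.IsNullOrEmpty(value))
            throw new ConfigurationErrorsException("Missing appSetting: " + settingKey);

        bool allowed;
        WindowsPrincipal windowsUser = user as WindowsPrincipal;
        if (windowsUser != null && value.StartsWith("S-1-", StringComparison.OrdinalIgnoreCase))
            allowed = windowsUser.IsInRole(new SecurityIdentifier(value)); // SID: independent of localized group names
        else
            allowed = user.IsInRole(value); // group name such as DOMAIN\Group

        if (!allowed)
            throw new SecurityException("Caller is not authorized for this operation.");
    }

    [WebMethod]
    public string GetOrder(int id)
    {
        DemandRole("OrderReadersGroup");
        return "order " + id;
    }

    [WebMethod]
    public string CancelOrder(int id)
    {
        DemandRole("OrderAdminsSid");
        return "cancelled " + id;
    }
}
```

Because the group name and SID live in web.config, the same compiled assembly can move between environments with different Windows principals.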