Re: code access security across the network



There are also plenty of reliable authentication mechanisms that do work
with web services, such as all of the various HTTP auth protocols (basic,
digest, integrated, client certificates, etc.) and message level protocols
like WS-Security as implemented in WSE and WCF.

You can certainly provide a reliable authorization framework using one of
these to authorize your callers. You certainly want to validate all inputs
carefully, as you should do with any public API.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
news:ea4ewIQpGHA.756@xxxxxxxxxxxxxxxxxxxxxxx
There is no reliable way to identify calling code over a network. The
only interaction with the calling code is data sent over the wire, and any
data used to identify the caller can be spoofed by a malicious caller.
Since attempting to verify calling code identity is essentially a waste of
time, your efforts would be better placed on ensuring that your web
service functions correctly even when invoked by an "unexpected" caller.
For most applications, this would involve not trusting self-declared
client user identity and re-validating all data on the server side.


<ajfish@xxxxxxxxxxxxxxxx> wrote in message
news:1152632395.879802.205480@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

I have a client/server application where the server uses asp.net web
services.

Is there any way I can use code signing, strong names or whatever to
verify the identity of the client code across the web service call?

TIA

Andy
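
The approach described in this thread, as an added example that is not code from any of the posters: the server authenticates the caller with a keyed credential (a plain HMAC standing in for the HTTP or message-level mechanisms mentioned above), gives no weight to a self-declared client header, and re-validates the data. The header names, the key and the order format are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed per-user secret; a real service would use a credential store.
USER_KEYS = {"andy": b"constructed-demo-key-andy"}
MAX_QTY = 100


def sign(key: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, hex encoded."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def handle_request(headers: dict, body: bytes) -> tuple:
    """Return (status, message) for a hypothetical 'place order' call."""
    # 1. Authenticate the caller: only a holder of the user's key can
    #    produce a matching MAC. The X-Client-App header is never consulted,
    #    because any caller can send any value for it.
    user = headers.get("X-User", "")
    key = USER_KEYS.get(user)
    mac = headers.get("X-Signature", "")
    if key is None or not hmac.compare_digest(
        sign(key, body).encode(), mac.encode()
    ):
        return 401, "authentication failed"

    # 2. Re-validate every input on the server, even from an authenticated
    #    caller using the expected client program.
    try:
        order = json.loads(body)
        qty = order["quantity"]
    except (ValueError, KeyError, TypeError):
        return 400, "malformed order"
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
        return 400, "quantity out of range"

    # 3. Authorize against the authenticated identity, not the identity
    #    the request body declares.
    if order.get("owner") != user:
        return 403, "not authorized for this owner"
    return 200, "order accepted for " + user
```
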







