Re: code access security across the network
- From: "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 12 Jul 2006 00:00:42 -0500
There are also plenty of reliable authentication mechanisms that do work
with web services, such as all of the various HTTP auth protocols (basic,
digest, integrated, client certificates, etc.) and message level protocols
like WS-Security as implemented in WSE and WCF.
You can certainly provide a reliable authorization framework using one of
these to authorize your callers. You certainly want to validate all inputs
carefully, as you should do with any public API.
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
"Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
There is no reliable way to identify calling code over a network. The
only interaction with the calling code is data sent over the wire, and any
data used to identify the caller can be spoofed by a malicious caller.
Since attempting to verify calling code identity is essentially a waste of
time, your efforts would be better placed on ensuring that your web
service functions correctly even when invoked by an "unexpected" caller.
For most applications, this would involve not trusting self-declared
client user identity and re-validating all data on the server side.
<ajfish@xxxxxxxxxxxxxxxx> wrote in message
I have a client/server application where the server uses asp.net web
is there any way I can use code signing, strong names or whatever to
verify the identity of the client code across the web service call?
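
The point both replies make, as an added example that is not part of the thread: a server-side handler that authenticates the caller with HTTP Basic credentials it can verify, ignores everything the request merely declares about itself, and re-validates the input. It is a framework-neutral Python sketch rather than ASP.NET code; the `X-Client-Assembly` header, the account store and the `cancel_order` operation are hypothetical, and all sample values are constructed.

```python
import base64
import hashlib
import hmac
import re

SALT = b"constructed-salt"  # constructed; a real store keeps a random salt per account

def kdf(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed server-side account store: user name -> PBKDF2 hash of the password.
ACCOUNTS = {"alice": kdf("correct horse")}
ORDER_ID = re.compile(r"[A-Z0-9]{1,16}")

def authenticate(headers):
    """Return the user name proven by HTTP Basic credentials, or None."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    user, _, password = decoded.partition(":")
    supplied = kdf(password)  # computed for unknown users too, so both paths do the slow work
    expected = ACCOUNTS.get(user)
    if expected is None or not hmac.compare_digest(expected, supplied):
        return None
    return user

def cancel_order(headers, body):
    """Hypothetical web-service operation; returns (HTTP status, message)."""
    # headers.get("X-Client-Assembly") and body.get("user") are written by whoever
    # built the request, so neither takes part in any decision made here.
    user = authenticate(headers)
    if user is None:
        return 401, "authentication required"
    order_id = body.get("order_id")
    if not isinstance(order_id, str) or not ORDER_ID.fullmatch(order_id):
        return 400, "invalid order_id"
    return 200, "order %s cancelled for %s" % (order_id, user)
```

A request that claims to come from the expected client but carries no valid credentials gets 401, while an "unexpected" client with valid credentials and well-formed data is served under the authenticated name, whatever user the body declares.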