Re: Send custom IPrincipal object from client to WCF service - Pos
- From: Dominick Baier <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 26 Nov 2007 17:03:32 +0000 (UTC)
Not quite - because you do authentication first.
There could be a properly authenticated user A - which sends IPrincipal data for User B.
You see the issue?
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
> Thanks guys for your response.
>
> Yes, you cannot trust the client, however to recreate them on the
> server side is the same security risk - you are getting a user/pass
> from the client...
>
> "James Crosswell" wrote:
>
> > Dominick Baier wrote:
> >
> > > Keep in mind that you shouldn't base any security decisions on
> > > information originating from the client - the client is basically
> > > untrusted.
> >
> > That's precisely the purpose of authentication though - to verify the
> > client is who it says it is. Regardless of the strength or weakness
> > of the authentication mechanism you're using, you HAVE to make access
> > control decisions based on whoever you determine the client to be
> > during the authentication process.
> >
> > Best Regards,
> > James Crosswell
> > Microforge.net LLC
> > http://www.microforge.net
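The point Dominick makes (authenticated user A can still ship an IPrincipal describing user B) is easiest to see in code. The following is an added illustration, not code from the thread: a WCF operation that rebuilds Thread.CurrentPrincipal from a client-sent header beside one that derives the principal from the identity WCF actually authenticated. The PrincipalDto type, the "Principal"/"urn:example" header name, and the RoleStore lookup are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.Serialization;
using System.Security.Principal;
using System.ServiceModel;
using System.Threading;

// Hypothetical contract the client sends in a message header: "this is who I am".
[DataContract]
public class PrincipalDto
{
    [DataMember] public string Name { get; set; }
    [DataMember] public string[] Roles { get; set; }
}

// Hypothetical server-side role store (constructed sample data).
public static class RoleStore
{
    private static readonly Dictionary<string, string[]> Roles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        { { "CORP\\alice", new[] { "Approver" } }, { "CORP\\bob", new string[0] } };

    public static string[] RolesFor(string name) =>
        Roles.TryGetValue(name, out var r) ? r : new string[0];
}

public class OrdersService
{
    // RISKY: authentication proved the caller is "bob", but the principal that drives
    // the role check is whatever bob wrote into the header, e.g. alice with "Approver".
    public void ApproveOrderRisky(int orderId)
    {
        var dto = OperationContext.Current.IncomingMessageHeaders
                      .GetHeader<PrincipalDto>("Principal", "urn:example");
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(dto.Name), dto.Roles);
        if (!Thread.CurrentPrincipal.IsInRole("Approver"))
            throw new UnauthorizedAccessException("Approver role required");
    }

    // SAFE: use the identity WCF authenticated and resolve roles on the server;
    // nothing the client asserts about its own identity or roles is consulted.
    public void ApproveOrder(int orderId)
    {
        var ctx = ServiceSecurityContext.Current;          // null when the binding has no security
        if (ctx == null || !ctx.PrimaryIdentity.IsAuthenticated)
            throw new UnauthorizedAccessException("Caller not authenticated");
        var principal = new GenericPrincipal(ctx.PrimaryIdentity, RoleStore.RolesFor(ctx.PrimaryIdentity.Name));
        if (!principal.IsInRole("Approver"))
            throw new UnauthorizedAccessException("Approver role required");
    }
}
```

With the safe version, the only way to act as alice is to authenticate as alice; a header claiming alice's name or roles is simply ignored.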