Re: Sharing/Forwarding website credentials programmatically
From: Halcyon Woodward (kenbeaver_at_pacbell.net)
Date: 05/02/03
- Next message: David Wang [Msft]: "Re: Way to synchronize Basic Auth with IIS session?"
- Previous message: Andy: "Re: Security risks when running IIS without static ip as localhost"
- Next in thread: David Wang [Msft]: "Re: Sharing/Forwarding website credentials programmatically"
- Reply: David Wang [Msft]: "Re: Sharing/Forwarding website credentials programmatically"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 1 May 2003 15:55:45 -0700
David,
Thank you very much for your response, sorry that my post was unclear; I
actually re-wrote it entirely for a cross-post to the ASP.Net security
forum.
Despite the ambiguity, you did get to the heart of our problem; however, I'll
rephrase:
The solution we are implementing is a portal that exposes information from
other web applications (business services) which reside on separate physical
servers. The portal, and each web application, require the user to
authenticate via standard IIS6 methods; namely basic [clear text]
authentication over SSL against a standard Active Directory account. The
same AD account is used unilaterally across the portal and all applications.
Because IE 6 does not support automatic credential supplication for
clear-text authentication (otherwise placing the sites within the Trusted
Sites Zone would work), the user would have to repeatedly log on.
e.g. We have a link exposed through a custom webpart on the portal that
would take the user to a page served by one of the satellite web
applications - when clicking the link they would have to present their
credentials to the application server, even though they've already supplied
them to the portal. This is what we are trying to avoid.
Passport is not an option for us, unfortunately, so I'm going to concentrate
on the second scenario:
Since all links to content can be programmatically controlled, my question
was essentially how to encode those links so that the credentials were passed
in the request headers or the URI itself. My initial thoughts were
to accomplish this using a server-side redirect.
I've slashed together a quick example of this:
The User is authenticated and has cached credentials to ServerA but has not
authenticated to ServerB.
ServerA serves PageY with a pseudo-link to PageZ on ServerB.
PageY is the actual target of the link, and a back-end snippet of code
intercepts the request. The code then builds a new URI to PageZ, placing
the user's credentials (obtained from server variables) in the URI itself
like so:
http://[username]:[password]@Server-B/Page-Z
A server-side redirect then sends the client to this URI.
PageZ accepts the request, and the credentials are authenticated for the new
server and cached on the client. PageZ examines the incoming URI and then
builds another URI, this one without the credentials, and performs another
redirect to the 'plain' URI.
The 'plain' URI is not intercepted and the content is delivered.
The user is completely unaware that anything has taken place other than a
standard link (hopefully), and because the transaction is over SSL, there's
no chance of exposing usernames and passwords to the outside world.
--------------------------------------------------------
The code works, but is certainly not the most elegant of solutions. I
guess what I was looking for from IIS 6 was a way of passing the credentials
without necessarily using the actual username/password combination, i.e. a
certificate that could be encoded into the URI or a header tag that the
client frog-hopped to the next server.
Wishful thinking?
hb.
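The three-hop exchange the post describes (ServerA redirects to a `user:password@` URI, ServerB's PageZ authenticates and then redirects to the plain URI), modelled end to end as an added example. This is editor-supplied code, not code from the original post, from IIS, or from ASP.NET; the host names, the account table and the request/response shapes are constructed stand-ins. Two practical points the model makes visible: the password has to be percent-encoded (a `DOMAIN\user` name or a password containing `@`, `:` or `/` would otherwise break the URI), and the password sits in the request line of the first two hops, so it reaches ServerB's web-server log and the browser history even though the connection is SSL. That is the reason the second "plain" redirect matters. Note also that Microsoft later removed support for the `user:password@host` syntax from Internet Explorer (the February 2004 update described in KB 834489), so the technique depends on a browser that still honours it.

```python
"""Model of the credential-forwarding redirect described in the post.

Hop 1: ServerA's PageY handler builds a URI carrying the user's Basic-auth
       credentials in the userinfo part and 302s the client to it.
Hop 2: the client follows; PageZ on ServerB checks the credentials, then
       302s to the same path with the userinfo removed.
Hop 3: the client requests the plain URI with its cached credentials.

Hosts, paths and the account table are constructed for this example.
"""
import base64
from typing import Optional, Tuple
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Constructed stand-in for the Active Directory lookup both servers perform.
DIRECTORY = {"CORP\\hbeaver": "s3cret pa$$/word"}


def build_credentialed_url(target: str, username: str, password: str) -> str:
    """ServerA side: embed the credentials as RFC 3986 userinfo.

    safe='' percent-encodes '@', ':', '/' and '\\' as well, so a DOMAIN\\user
    name or an awkward password cannot split the URI at the wrong place.
    """
    parts = urlsplit(target)
    if parts.scheme != "https":
        raise ValueError("credentials must only travel over TLS")
    userinfo = f"{quote(username, safe='')}:{quote(password, safe='')}"
    netloc = f"{userinfo}@{parts.hostname}"
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def split_credentialed_url(url: str) -> Tuple[Optional[str], Optional[str], str]:
    """ServerB side: recover the credentials and build the 'plain' URI."""
    parts = urlsplit(url)
    if parts.username is None or parts.password is None:
        return None, None, url
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    plain = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return unquote(parts.username), unquote(parts.password), plain


def basic_authorization(username: str, password: str) -> str:
    """Header value the client sends once it holds the credentials (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def server_b_page_z(request_url: str, authorization: Optional[str]):
    """PageZ handler: 401 until valid Basic creds arrive, 302 off the credentialed URI, else 200."""
    challenge = {"WWW-Authenticate": 'Basic realm="Server-B"'}
    embedded_user, _, plain = split_credentialed_url(request_url)
    if authorization is None:
        return 401, challenge, None
    scheme, _, token = authorization.partition(" ")
    if scheme != "Basic":
        return 401, challenge, None
    user, _, pw = base64.b64decode(token).decode("utf-8").partition(":")
    if DIRECTORY.get(user) != pw:
        return 401, challenge, None
    if embedded_user is not None:
        # Authenticated via the credentialed URI: bounce to the plain one so the
        # password does not stay in the address bar, history or further logs.
        return 302, {"Location": plain}, None
    return 200, {}, f"content of {plain} for {user}"


def follow_link(username: str, password: str, target: str):
    """Drive the exchange as the browser sees it; returns the (status, url) hop trace."""
    trace, body, cached_auth = [], None, None
    url = build_credentialed_url(target, username, password)
    for _ in range(6):
        status, headers, body = server_b_page_z(url, cached_auth)
        trace.append((status, url))
        if status == 401:
            if cached_auth is not None:
                break  # ServerB rejected the forwarded creds; a real browser would prompt
            u, p, _ = split_credentialed_url(url)
            if u is None:
                break
            cached_auth = basic_authorization(u, p)  # cached for the realm from here on
        elif status == 302:
            url = headers["Location"]
        else:
            break
    return trace, body


if __name__ == "__main__":
    hops, content = follow_link("CORP\\hbeaver", "s3cret pa$$/word", "https://server-b.example/Page-Z")
    for status, url in hops:
        print(status, url)
    print(content)
```

Running the driver prints the trace: two requests whose URL still carries `CORP%5Chbeaver:s3cret%20pa%24%24%2Fword@`, then the 200 on the plain `https://server-b.example/Page-Z`. Anything that records request URLs on ServerB (IIS logs, a reverse proxy, a browser's history) sees the first two.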