[lnkForumImage]
TotalShareware - Download Free Software
Confronta i prezzi di migliaia di prodotti.
Asp Forum
 Home | Login | Register | Search 


 

Forums >

microsoft.public.dotnet.framework.aspnet.webservices

Web Service Security

Harris Boyce III

1/9/2003 2:40:00 PM

I'm looking to expose a system within my business out on the web via Web
Services. I'm skeptical regarding the security aspects of this project.
For example, I don't want the public trying to consume the service because
they stumbled across its location. Therefore, I think some sort of
authentication/authorization is necessary to allow access to the system
itself. In ASP.NET, this is straight-forward: Forms Authentication or some
variation there-of. How would I go about implementing a similar security
scheme with Web Services? Is .Net Passport an option? The major caviat is
that it should be a interoperable as possible since I'd perfer not to
restrict the system to strictly .NET customers.

Thanks for any input,

Harris
2 Answers

Pierre Greborio

1/9/2003 3:01:00 PM

0

You have several solutions at your disposal. You can delegate the
authentication at the protocol level or use authentication embedded into the
SOAP message.
The former is well supported both by IIS and ASP.NET (you have two levels of
control), wheras the second one is more protocol independent.

Personally I prefer the second one since it more portable, then I suggest to
read about authentication scheme of WSE
(http://msdn.microsoft.com/downloads/default.asp?url=/downloads/sa...
rl=/msdn-files/027/002/108/msdncompositedoc.xml).

Pierre

--
-----------------------------------------------------------
Pierre Greborio
http://www.ugi...
-----------------------------------------------------------
"Harris Boyce" <hboyce@thedotworks.com> wrote in message
news:OXUuzT#tCHA.2620@TK2MSFTNGP11...
> I'm looking to expose a system within my business out on the web via Web
> Services. I'm skeptical regarding the security aspects of this project.
> For example, I don't want the public trying to consume the service because
> they stumbled across its location. Therefore, I think some sort of
> authentication/authorization is necessary to allow access to the system
> itself. In ASP.NET, this is straight-forward: Forms Authentication or
some
> variation there-of. How would I go about implementing a similar security
> scheme with Web Services? Is .Net Passport an option? The major caviat
is
> that it should be a interoperable as possible since I'd perfer not to
> restrict the system to strictly .NET customers.
>
> Thanks for any input,
>
> Harris
>
>

Harris Boyce III

1/9/2003 11:21:00 PM

0

What do you think of the security implementation in the MSDN Favorites
Sample application?

Thanks for your input.

H

"Pierre Greborio" <pierreg@kywix.com> wrote in message
news:OKKiAh#tCHA.2620@TK2MSFTNGP11...
> You have several solutions at your disposal. You can delegate the
> authentication at the protocol level or use authentication embedded into
the
> SOAP message.
> The former is well supported both by IIS and ASP.NET (you have two levels
of
> control), wheras the second one is more protocol independent.
>
> Personally I prefer the second one since it more portable, then I suggest
to
> read about authentication scheme of WSE
>
(http://msdn.microsoft.com/downloads/default.asp?url=/downloads/sa...
> rl=/msdn-files/027/002/108/msdncompositedoc.xml).
>
> Pierre
>
> --
> -----------------------------------------------------------
> Pierre Greborio
> http://www.ugi...
> -----------------------------------------------------------
> "Harris Boyce" <hboyce@thedotworks.com> wrote in message
> news:OXUuzT#tCHA.2620@TK2MSFTNGP11...
> > I'm looking to expose a system within my business out on the web via Web
> > Services. I'm skeptical regarding the security aspects of this project.
> > For example, I don't want the public trying to consume the service
because
> > they stumbled across its location. Therefore, I think some sort of
> > authentication/authorization is necessary to allow access to the system
> > itself. In ASP.NET, this is straight-forward: Forms Authentication or
> some
> > variation there-of. How would I go about implementing a similar
security
> > scheme with Web Services? Is .Net Passport an option? The major caviat
> is
> > that it should be a interoperable as possible since I'd perfer not to
> > restrict the system to strictly .NET customers.
> >
> > Thanks for any input,
> >
> > Harris
> >
> >
>
>