Folks -
We are running around and around here on a project we're developing, and I'm
getting to the point that I don't know what I do and don't know. So I need
some assistance.
We are developing a web service that connects to an external LDAP server to
validate a username/password that the user enters from a login page. Right
now, we're concerned about interaction with an ASP.NET website, but this web
service will also be used by some ColdFusion (and possibly other non-MS)
clients as well. I should point out now that we're running on Windows 2000
(SP4) and Windows XP Pro (SP2) workstations to test (with local IIS
installed), and this will probably be initially deployed to a W2K server,
but eventually this should end up on a W2K3 server. We're also on .NET 1.1
and VS2K3.
Because of the way our LDAP server is configured, we are able to connect and
retrieve information when the web service is running under anonymous access
(and the standard IUSR account) on IIS. However, because of the way we were
thinking the service was going to be used, we included some public-key RSA
encryption of the password in our service, and a method for the client to
retrieve the key from the web service. This is where everything went to
pot...
No matter how hard we try, we cannot get the RSA encryption (set up to use a
MachineKey store) to run under anonymous access. We have been setting
rights for IUSR to all the folders we can think of, and nothing works. We
tried creating a local-machine account, granting that the appropriate
rights, and changing the anonymous-access User ID to that account - nothing.
Eventually, I found that it appears that without appropriate credentials for
the web service, user rights don't make a difference. Since anonymous
access doesn't appear to pass credentials, the rights of the service account
user don't seem to matter.
Then, I read an MSDN article about security for ASP.NET web services, and it
said that if we expect our web service to be used by non-MS toolkits (which
we do), the best method for security is SSL and Basic Authentication on IIS.
I've never used Basic authentication, and I'm not a huge fan of it, but it
does seem to work. It also forces us to pass credentials every time we call
anything in the web service - even opening the project in VS.
One of my developers is swearing that the RSA encryption won't work over
SSL, though I don't understand why. Either way, using SSL kinda makes the
RSA encryption moot anyway (right?), though I don't think it will hurt.
Bottom line: what is the "best" way to set up this web service? We don't
have to use SSL, and I'm pretty sure that ColdFusion supports SOAP and web
services well enough that they should have little problem working with the
web service, no matter how we set it up. We don't want to make the users
pass credentials, but it's not the end of the world if that's how it has to
be. More importantly, we don't want to have to manage a bunch of
local-machine accounts just for this, and creating a single local-machine
account and giving that username/password to the world doesn't seem very
secure. If we could get this to work under anonymous access, however, then
the specific account makes much more sense...
We are not using WSE, and I don't know whether we can or not. Either way,
we may not have time - we've got to get this worked out ASAP. Any help
would be appreciated.
TIA
- Scott 1 1439 Then, I read an MSDN article about security for ASP.NET web services, and
it said that if we expect our web service to be used by non-MS toolkits
(which we do), the best method for security is SSL and Basic Authentication on
IIS.
If there are N users, Basic Auth will need you to create N windows a/c on
your server. Obviously this gets cumbersome when N increases.
IMO, the best way is to use custom SOAP header auth.
Mujtaba. This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: Bruno Desthuilliers |
last post by:
Hi everyone !
Could someone point me to infos about securing python for use as CGI or
mod_python for a shared hosting environnement ?
I searched google, but did not find anything specific :(
I'm not an admin myself, but I try to convince my hosting admins to
install Python. For now, their answser is that they don't know how to
secure this, and have not time to learn how to do it. (NB : this is a
|
by: RamseytheScot |
last post by:
At the moment we have a httphandler. This handler connects to services
and redirect messages to this service. To use this service you have to
log on using a Username and Password. This Username and password are
saved in the WMI. This by it self is a not very secure thing. Any
idear of saving these username and passwords in a more secure fasion,
without hard coding them.
We are running IIS 5 on Win2000 maybe even Win2003 when we go into...
|
by: James |
last post by:
What's the best way of securing online databases and web services? At present I am using a database password, which of course is not hard-coded into the web service, but this means re-submitting it with every function call from my windows client. Any alternatives?
|
by: Wm. Scott Miller |
last post by:
Hello all!
We are building applications here and have hashing algorithms to secure
secrets (e.g passwords) by producing one way hashes. Now, I've read alot
and I've followed most of the advice that made sense. One comment I've seen
alot about is "securing the hashing routine" but no-one explains how to
accomplish this. So how do I secure my hashing routine? Do I use code
access security, role based security, ACLs, etc or combination?...
|
by: The Fox |
last post by:
How to prevent user to add web reference to my web services?
Can I add password to web services so that only the users
who know the password can add a web reference?
Thanks in advance.
| |
by: David Tandberg-Johansen |
last post by:
Hi!
First of all, I am kind of a newbie.
I am planning an project where I gonna use an web service and a
desktop-client, but I have stumbled over a problem. The IIS server that
i am planning to use in my project serves the company website. The
website runs on default port 80 and can be accessed by anyone, but I
don't want the service to be public.
|
by: KJ |
last post by:
Hello All,
I have to secure my first real B2B web service. Could you please
provide some guidance as to which method of security I should use. One
caveat is that we will not be using SSL on the server side as per the
networking department. Windows authentication is also probably not an
option, as this web service will be interacting between two separately
located companies. I have read a little bit about passing credentials
in SOAP...
|
by: The Big Fat Sloppy Pig! |
last post by:
x-no-archive: yes
Hi All:
I'm sort of "new" to doing this so I was wondering if anyone can offer some
additional insight/suggestions.
I've created a web-service that will be receiving some customer-critical
information. I've written both the client application and the web-service.
We need to make sure the data is "non-translatable" as much as possible.
|
by: =?Utf-8?B?aGlsZXlq?= |
last post by:
Hi,
I'm developing a web service that needs to communicate with a custom
application on an intranet. There is also a configuration utility which may
be run on a different server machine for setting up and altering parameters
on the service. This configuration web application may be browsed to via
intranet or internet.
This is the first work I've done with web services, so sorry for any
incorrect terminology or nonsense statements.
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
| |
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
| |
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| |