Your needs may dictate otherwise, but much of all this can be had today with
WSE and using one of the security token types (UserName, SCT, Kerberos, etc)
and the local SAM or AD. This is about the 4th post I have seen today with
folks wanting to use SQL to store usernames/passwords. I am just curious if
people don't know they can leverage the windows account DB or if they think
that is an issue somehow? Anyway, if you go the WSE route, you can secure
all method calls by requiring a UserName token or a SecurityContext Token. A
SCT is more secure, but does require a server cert or you can use my method
below using just an RSA key pair generated for your app (i.e. the one you
strong-name-sign your assem with will work great.) WSE will automatically
validate the sent token against windows or you can override the validation
yourself using Win32 LogonUser api or custom DB. You could also set the
Thread.CurrentP rincipal to an authenticated Principal object and use the
CLR's Rules-Based security on your methods (declarative) or in the code
(imperative) for user/role checking.
Myself, I would just use SAM/AD as you can leverage all the tools already
built that staff already knows. Now you have a loosely coupled web service
that can be called locally or via the INET (if you so choose) that is
secured using the WS-* standards. And it is message based security, not
point-to-point security, so you can route messages with security intact and
save them, etc. Indigo will make all this even easier, but for now, WSE 2.0
is pretty sweet IMHO. They also have examples of caching SCT tokens in a DB
for web farm apps, so this sounds like a good fit for your needs.
Get SCT using RSA (no cert).
http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPv DxLKC6rAAhLsQ!3 03.entry
--
William Stacey, MVP
http://mvp.support.microsoft.com
"Nick" <nt********@onl ine.nospam> wrote in message
news:80******** *************** ***********@mic rosoft.com...
I am working on an application for a client that will involve using
remoting.
They do not want to use integrated security so I was going to store
usernames and hashed passwords in a SQL Database. I have a table in the
database that will also contain their session information which it will
encrypt and store as a class on the client end. Each time they connect to
the server I will pass the session class back and it will decrypt, then
validate it...similar to FormsAuthentica ion in ASP.net. The reason for
storing the session info in the DB is that the client may cluster the
remoted
component in the future and i would like to prepair for that. I will
have a
validation class that my remoted objects will tie into which will have a
ValidateUser method as well as a InRole method to check for permissions.
Being that the server(s) running the remoted components will be the only
items exposed and not the database the only way data can be accessed is
via
the remoted objects. My question is there a recommended way of using
remoting
with usernames and passwords stored in the SQL Database better than what I
am
doing or is my way pretty secure? I would love to hear any ideas that you
may have and am open to any suggestions that could make for a more secure
product.
Thanks in advance...