473,246 Members | 1,552 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,246 software developers and data experts.

Security Implementation

I am working on an application for a client that will involve using remoting.
They do not want to use integrated security so I was going to store
usernames and hashed passwords in a SQL Database. I have a table in the
database that will also contain their session information which it will
encrypt and store as a class on the client end. Each time they connect to
the server I will pass the session class back and it will decrypt, then
validate it...similar to FormsAuthenticaion in ASP.net. The reason for
storing the session info in the DB is that the client may cluster the remoted
component in the future and i would like to prepair for that. I will have a
validation class that my remoted objects will tie into which will have a
ValidateUser method as well as a InRole method to check for permissions.
Being that the server(s) running the remoted components will be the only
items exposed and not the database the only way data can be accessed is via
the remoted objects. My question is there a recommended way of using remoting
with usernames and passwords stored in the SQL Database better than what I am
doing or is my way pretty secure? I would love to hear any ideas that you
may have and am open to any suggestions that could make for a more secure
product.

Thanks in advance...
Jul 21 '05 #1
5 1991
Your needs may dictate otherwise, but much of all this can be had today with
WSE and using one of the security token types (UserName, SCT, Kerberos, etc)
and the local SAM or AD. This is about the 4th post I have seen today with
folks wanting to use SQL to store usernames/passwords. I am just curious if
people don't know they can leverage the windows account DB or if they think
that is an issue somehow? Anyway, if you go the WSE route, you can secure
all method calls by requiring a UserName token or a SecurityContextToken. A
SCT is more secure, but does require a server cert or you can use my method
below using just an RSA key pair generated for your app (i.e. the one you
strong-name-sign your assem with will work great.) WSE will automatically
validate the sent token against windows or you can override the validation
yourself using Win32 LogonUser api or custom DB. You could also set the
Thread.CurrentPrincipal to an authenticated Principal object and use the
CLR's Rules-Based security on your methods (declarative) or in the code
(imperative) for user/role checking.

Myself, I would just use SAM/AD as you can leverage all the tools already
built that staff already knows. Now you have a loosely coupled web service
that can be called locally or via the INET (if you so choose) that is
secured using the WS-* standards. And it is message based security, not
point-to-point security, so you can route messages with security intact and
save them, etc. Indigo will make all this even easier, but for now, WSE 2.0
is pretty sweet IMHO. They also have examples of caching SCT tokens in a DB
for web farm apps, so this sounds like a good fit for your needs.

Get SCT using RSA (no cert).
http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!303.entry

--
William Stacey, MVP
http://mvp.support.microsoft.com

"Nick" <nt********@online.nospam> wrote in message
news:80**********************************@microsof t.com...
I am working on an application for a client that will involve using
remoting.
They do not want to use integrated security so I was going to store
usernames and hashed passwords in a SQL Database. I have a table in the
database that will also contain their session information which it will
encrypt and store as a class on the client end. Each time they connect to
the server I will pass the session class back and it will decrypt, then
validate it...similar to FormsAuthenticaion in ASP.net. The reason for
storing the session info in the DB is that the client may cluster the
remoted
component in the future and i would like to prepair for that. I will
have a
validation class that my remoted objects will tie into which will have a
ValidateUser method as well as a InRole method to check for permissions.
Being that the server(s) running the remoted components will be the only
items exposed and not the database the only way data can be accessed is
via
the remoted objects. My question is there a recommended way of using
remoting
with usernames and passwords stored in the SQL Database better than what I
am
doing or is my way pretty secure? I would love to hear any ideas that you
may have and am open to any suggestions that could make for a more secure
product.

Thanks in advance...


Jul 21 '05 #2
Thanks a lot for William's informative inputs.

Hi Nick,

As William has mentioned, if you're interested in the webservcie/SOAP
approach, the Microsoft's WebService Enhancement WSE has provide the
implementation of the latest WS-Security specification defined by
IBM,Microsoft.

Also, you mentioned in the first message that your application is using a
remoting object at serverside as a facade to retrieve datas from database
and expose to client apps. If so, I think we may need to implement our own
custom
security channels to secure our datas because the current version of .NET
REmoting (.net framework 1.x) is a very basic implementation which just
provide the rich functionality for remote appdomain to communicate with
eachother. There hasn't been any buildin security mechanism in .net
remoting.

As far as I knew, there has been may tech articles in MSDN discussing on
providing a plugable security channel for .net remoting communication
through the custom ChannelSink in .net remoting. Something like a
simplified version of SSL, we can register a ChannelSink in our remoting
client and server's ChannelSinks. This sink will use asymmetric encyption
to do the negotiate which confirm the symmetric encryption session key on
both side of the remoting connection. After that, all the data transfering
between client and server and encypted through the symmetric encryption.
Not sure whether you've already read the following articles, I think
that'll be helpful:

#.NET Remoting Authentication and Authorization Sample ¨C Part II
http://msdn.microsoft.com/library/en...asp?frame=true

#Secure Your .NET Remoting Traffic by Writing an Asymmetric Encryption
Channel Sink
http://msdn.microsoft.com/msdnmag/is....asp?frame=tru
e

Hope also helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)




Jul 21 '05 #3
Do you know of any articles and / resources that talk about how to implement
the CustomTokens as well as using custom principals to work with the
passwords stored in SQL.

"William Stacey [MVP]" wrote:
Your needs may dictate otherwise, but much of all this can be had today with
WSE and using one of the security token types (UserName, SCT, Kerberos, etc)
and the local SAM or AD. This is about the 4th post I have seen today with
folks wanting to use SQL to store usernames/passwords. I am just curious if
people don't know they can leverage the windows account DB or if they think
that is an issue somehow? Anyway, if you go the WSE route, you can secure
all method calls by requiring a UserName token or a SecurityContextToken. A
SCT is more secure, but does require a server cert or you can use my method
below using just an RSA key pair generated for your app (i.e. the one you
strong-name-sign your assem with will work great.) WSE will automatically
validate the sent token against windows or you can override the validation
yourself using Win32 LogonUser api or custom DB. You could also set the
Thread.CurrentPrincipal to an authenticated Principal object and use the
CLR's Rules-Based security on your methods (declarative) or in the code
(imperative) for user/role checking.

Myself, I would just use SAM/AD as you can leverage all the tools already
built that staff already knows. Now you have a loosely coupled web service
that can be called locally or via the INET (if you so choose) that is
secured using the WS-* standards. And it is message based security, not
point-to-point security, so you can route messages with security intact and
save them, etc. Indigo will make all this even easier, but for now, WSE 2.0
is pretty sweet IMHO. They also have examples of caching SCT tokens in a DB
for web farm apps, so this sounds like a good fit for your needs.

Get SCT using RSA (no cert).
http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!303.entry

--
William Stacey, MVP
http://mvp.support.microsoft.com

"Nick" <nt********@online.nospam> wrote in message
news:80**********************************@microsof t.com...
I am working on an application for a client that will involve using
remoting.
They do not want to use integrated security so I was going to store
usernames and hashed passwords in a SQL Database. I have a table in the
database that will also contain their session information which it will
encrypt and store as a class on the client end. Each time they connect to
the server I will pass the session class back and it will decrypt, then
validate it...similar to FormsAuthenticaion in ASP.net. The reason for
storing the session info in the DB is that the client may cluster the
remoted
component in the future and i would like to prepair for that. I will
have a
validation class that my remoted objects will tie into which will have a
ValidateUser method as well as a InRole method to check for permissions.
Being that the server(s) running the remoted components will be the only
items exposed and not the database the only way data can be accessed is
via
the remoted objects. My question is there a recommended way of using
remoting
with usernames and passwords stored in the SQL Database better than what I
am
doing or is my way pretty secure? I would love to hear any ideas that you
may have and am open to any suggestions that could make for a more secure
product.

Thanks in advance...


Jul 21 '05 #4
When you install the WSE 2.0
http://msdn.microsoft.com/webservices/building/wse/ they have many examples
in the docs and in the samples dir. *framework.webservices.enhancements ng
would be another place to go. If that does not help, I may have a simple
example somewhere I could post. Ask on the wse ng and I could post there,
but someone will probably post first. Cheers.

--
William Stacey, MVP
http://mvp.support.microsoft.com

"Nick" <nt********@online.nospam> wrote in message
news:5F**********************************@microsof t.com...
Do you know of any articles and / resources that talk about how to
implement
the CustomTokens as well as using custom principals to work with the
passwords stored in SQL.

"William Stacey [MVP]" wrote:
Your needs may dictate otherwise, but much of all this can be had today
with
WSE and using one of the security token types (UserName, SCT, Kerberos,
etc)
and the local SAM or AD. This is about the 4th post I have seen today
with
folks wanting to use SQL to store usernames/passwords. I am just curious
if
people don't know they can leverage the windows account DB or if they
think
that is an issue somehow? Anyway, if you go the WSE route, you can
secure
all method calls by requiring a UserName token or a SecurityContextToken.
A
SCT is more secure, but does require a server cert or you can use my
method
below using just an RSA key pair generated for your app (i.e. the one you
strong-name-sign your assem with will work great.) WSE will
automatically
validate the sent token against windows or you can override the
validation
yourself using Win32 LogonUser api or custom DB. You could also set the
Thread.CurrentPrincipal to an authenticated Principal object and use the
CLR's Rules-Based security on your methods (declarative) or in the code
(imperative) for user/role checking.

Myself, I would just use SAM/AD as you can leverage all the tools already
built that staff already knows. Now you have a loosely coupled web
service
that can be called locally or via the INET (if you so choose) that is
secured using the WS-* standards. And it is message based security, not
point-to-point security, so you can route messages with security intact
and
save them, etc. Indigo will make all this even easier, but for now, WSE
2.0
is pretty sweet IMHO. They also have examples of caching SCT tokens in a
DB
for web farm apps, so this sounds like a good fit for your needs.

Get SCT using RSA (no cert).
http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!303.entry

--
William Stacey, MVP
http://mvp.support.microsoft.com

"Nick" <nt********@online.nospam> wrote in message
news:80**********************************@microsof t.com...
>I am working on an application for a client that will involve using
>remoting.
> They do not want to use integrated security so I was going to store
> usernames and hashed passwords in a SQL Database. I have a table in
> the
> database that will also contain their session information which it will
> encrypt and store as a class on the client end. Each time they connect
> to
> the server I will pass the session class back and it will decrypt, then
> validate it...similar to FormsAuthenticaion in ASP.net. The reason for
> storing the session info in the DB is that the client may cluster the
> remoted
> component in the future and i would like to prepair for that. I will
> have a
> validation class that my remoted objects will tie into which will have
> a
> ValidateUser method as well as a InRole method to check for
> permissions.
> Being that the server(s) running the remoted components will be the
> only
> items exposed and not the database the only way data can be accessed is
> via
> the remoted objects. My question is there a recommended way of using
> remoting
> with usernames and passwords stored in the SQL Database better than
> what I
> am
> doing or is my way pretty secure? I would love to hear any ideas that
> you
> may have and am open to any suggestions that could make for a more
> secure
> product.
>
> Thanks in advance...



Jul 21 '05 #5
Hi Nick,

Have you got any further ideas on this or have you also had a chance to
have a look at my former reply. Anway, please feel free to post here if
there're anything else we can assist.

Thanks,

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Jul 21 '05 #6

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

4
by: oliver.wulff | last post by:
I'm wondering if it is possible in .NET to plug-in a custom authentication & authorization mechanism. So, that IIS applications and Webservice would be authenticated against this custom...
12
by: Angelos Karantzalis | last post by:
Is there a way to set Permissions based on user roles by using some configuration file for my application ? I'm coming from a Java background, where that could very easily be accomplished but...
116
by: Mike MacSween | last post by:
S**t for brains strikes again! Why did I do that? When I met the clients and at some point they vaguely asked whether eventually would it be possible to have some people who could read the data...
2
by: Robert A. van Ginkel | last post by:
I have a strange C# problem. Is the following a bug? Because it should be possible to run unsafe code. How can I accomplish this? And where can I read more about this, because documentation on this...
5
by: Ersin Gençtürk | last post by:
onk= -> why this string causes security errors ? it is'nt "<" neighter ">" ??
5
by: Nick | last post by:
I am working on an application for a client that will involve using remoting. They do not want to use integrated security so I was going to store usernames and hashed passwords in a SQL Database. ...
29
by: Martin | last post by:
Sorry, the prior message was multi-posted. Here's a cross-posted version. Please disregard the other one. Is there a way to create and encrypted database file? What do people do when data...
1
by: Jeremy S. | last post by:
..NET's code Access Security enables administrators to restrict the types of things that a .NET application can do on a local computer. For example, a ..NET Windows Forms application can be...
0
by: abbasky | last post by:
### Vandf component communication method one: data sharing ​ Vandf components can achieve data exchange through data sharing, state sharing, events, and other methods. Vandf's data exchange method...
0
by: stefan129 | last post by:
Hey forum members, I'm exploring options for SSL certificates for multiple domains. Has anyone had experience with multi-domain SSL certificates? Any recommendations on reliable providers or specific...
0
Git
by: egorbl4 | last post by:
Скачал я git, хотел начать настройку, а там вылезло вот это Что это? Что мне с этим делать? ...
1
by: davi5007 | last post by:
Hi, Basically, I am trying to automate a field named TraceabilityNo into a web page from an access form. I've got the serial held in the variable strSearchString. How can I get this into the...
0
by: DolphinDB | last post by:
The formulas of 101 quantitative trading alphas used by WorldQuant were presented in the paper 101 Formulaic Alphas. However, some formulas are complex, leading to challenges in calculation. Take...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
0
by: Aftab Ahmad | last post by:
So, I have written a code for a cmd called "Send WhatsApp Message" to open and send WhatsApp messaage. The code is given below. Dim IE As Object Set IE =...
0
by: marcoviolo | last post by:
Dear all, I would like to implement on my worksheet an vlookup dynamic , that consider a change of pivot excel via win32com, from an external excel (without open it) and save the new file into a...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.