By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
424,825 Members | 1,281 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 424,825 IT Pros & Developers. It's quick & easy.

Adding security to a web service without using WSE

P: n/a
I need advice about adding security to a web service without using WSE, as
the clients will run Win98.

Nov 23 '05 #1
Share this Question
Share on Google+
4 Replies


P: n/a
>I need advice about adding security to a web service without using WSE, as
the clients will run Win98.


What sort of security? You have three levels of web service security:
Platform / Transport-level
The transportation channel (usually HTTP) provides this level. It can be IIS
authentication such as basic, digest, integrated and certificate
authententication. SSL and IPSec can be used to encrypt SOAP messages on
this level.

Application-level
You can use custom SOAP headers to pass user credentials from authentication
purposes with each request. You can also encrypt parts of the message using
the crypto classes in .NET.

Message-level
This is where WSE helps out the most. You can pass WS-Security tokens, such
as Kerberos tickets and X509 certificates in SOAP headers to authenticate
uses. You can sign the message or use XML encryption to ensure the integrity
of the message.

If you just need authentication IIS authentication should all that you need.

Anders Norås
http://dotnetjunkies.com/weblog/anoras/
Nov 23 '05 #2

P: n/a
How to pass Soap headers for the application level security?
How to do this with a classic Asp page?
Thanks

"Anders Norås [MCAD]" <an**********@objectware.no> ha scritto nel messaggio
news:%2****************@TK2MSFTNGP14.phx.gbl...
I need advice about adding security to a web service without using WSE, as the clients will run Win98.
What sort of security? You have three levels of web service security:
Platform / Transport-level
The transportation channel (usually HTTP) provides this level. It can be

IIS authentication such as basic, digest, integrated and certificate
authententication. SSL and IPSec can be used to encrypt SOAP messages on
this level.

Application-level
You can use custom SOAP headers to pass user credentials from authentication purposes with each request. You can also encrypt parts of the message using the crypto classes in .NET.

Message-level
This is where WSE helps out the most. You can pass WS-Security tokens, such as Kerberos tickets and X509 certificates in SOAP headers to authenticate
uses. You can sign the message or use XML encryption to ensure the integrity of the message.

If you just need authentication IIS authentication should all that you need.
Anders Norås
http://dotnetjunkies.com/weblog/anoras/

Nov 23 '05 #3

P: n/a
Hi,

To do this, you've got a long road (well, not that long). You need to
implement the WS-Security specification yourself on the caller's side.
Once you've done this, and tested interoperability with your server side,
you should be OK. The specs are pretty clear, and an experienced
programmer should be able to do this in a day or so. (assuming experience
in XML, DOM, and cryptography - and have access to the right crypto library
implementations).

Win98 is problematic, since it is at end of life. Advise you to upgrade to
XP asap.

Regards

Dan Rogers
Microsoft Corporation
--------------------
From: "Filippo" <fi*********************************@powersoft.i t>
Newsgroups: microsoft.public.dotnet.framework.webservices
Subject: Re: Adding security to a web service without using WSE
Date: Mon, 13 Dec 2004 16:37:53 +0100
Lines: 42
Message-ID: <32*************@individual.net>
References: <19**********************************@microsoft.co m>
<#I**************@TK2MSFTNGP14.phx.gbl>
X-Trace: individual.net Y23zbn8fTCysa5q/y8tGBAlF9zlgbyrssexsxV8d7FCKeZ9FZo
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Path:
cpmsftngxa10.phx.gbl!TK2MSFTFEED02.phx.gbl!TK2MSFT NGP08.phx.gbl!newsfeed00.s
ul.t-online.de!t-online.de!newsfeed.freenet.de!fu-berlin.de!uni-berlin.de!in
dividual.net!not-for-mail
Xref: cpmsftngxa10.phx.gbl
microsoft.public.dotnet.framework.webservices:8041
X-Tomcat-NG: microsoft.public.dotnet.framework.webservices

How to pass Soap headers for the application level security?
How to do this with a classic Asp page?
Thanks

"Anders Norås [MCAD]" <an**********@objectware.no> ha scritto nel messaggio
news:%2****************@TK2MSFTNGP14.phx.gbl...
I need advice about adding security to a web service without using WSE, as the clients will run Win98.
What sort of security? You have three levels of web service security:
Platform / Transport-level
The transportation channel (usually HTTP) provides this level. It can be

IIS authentication such as basic, digest, integrated and certificate
authententication. SSL and IPSec can be used to encrypt SOAP messages on
this level.

Application-level
You can use custom SOAP headers to pass user credentials from authentication purposes with each request. You can also encrypt parts of the message using the crypto classes in .NET.

Message-level
This is where WSE helps out the most. You can pass WS-Security tokens, such as Kerberos tickets and X509 certificates in SOAP headers to authenticate
uses. You can sign the message or use XML encryption to ensure the integrity of the message.

If you just need authentication IIS authentication should all that you need.
Anders Norås
http://dotnetjunkies.com/weblog/anoras/


Nov 23 '05 #4

P: n/a
If you dont want to use WSE at the client when you want to make request to a
WSe enable Web service, you can build the security token on the client with
the appropriate name spaces using a Custom header class when passed the
request to the server.

[.......Your Envelop]
[Custorm header which generate the WSE security token]
[End of you envelop]

i.e at the end of day you need to create and send a request which WSE
enabled webservices would understand.

"razvan" wrote:
I need advice about adding security to a web service without using WSE, as
the clients will run Win98.

Nov 23 '05 #5

This discussion thread is closed

Replies have been disabled for this discussion.