473,287 Members | 1,834 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,287 software developers and data experts.

Adding security to a web service without using WSE

I need advice about adding security to a web service without using WSE, as
the clients will run Win98.

Nov 23 '05 #1
4 3444
>I need advice about adding security to a web service without using WSE, as
the clients will run Win98.


What sort of security? You have three levels of web service security:
Platform / Transport-level
The transportation channel (usually HTTP) provides this level. It can be IIS
authentication such as basic, digest, integrated and certificate
authententication. SSL and IPSec can be used to encrypt SOAP messages on
this level.

Application-level
You can use custom SOAP headers to pass user credentials from authentication
purposes with each request. You can also encrypt parts of the message using
the crypto classes in .NET.

Message-level
This is where WSE helps out the most. You can pass WS-Security tokens, such
as Kerberos tickets and X509 certificates in SOAP headers to authenticate
uses. You can sign the message or use XML encryption to ensure the integrity
of the message.

If you just need authentication IIS authentication should all that you need.

Anders Norås
http://dotnetjunkies.com/weblog/anoras/
Nov 23 '05 #2
How to pass Soap headers for the application level security?
How to do this with a classic Asp page?
Thanks

"Anders Norås [MCAD]" <an**********@objectware.no> ha scritto nel messaggio
news:%2****************@TK2MSFTNGP14.phx.gbl...
I need advice about adding security to a web service without using WSE, as the clients will run Win98.
What sort of security? You have three levels of web service security:
Platform / Transport-level
The transportation channel (usually HTTP) provides this level. It can be

IIS authentication such as basic, digest, integrated and certificate
authententication. SSL and IPSec can be used to encrypt SOAP messages on
this level.

Application-level
You can use custom SOAP headers to pass user credentials from authentication purposes with each request. You can also encrypt parts of the message using the crypto classes in .NET.

Message-level
This is where WSE helps out the most. You can pass WS-Security tokens, such as Kerberos tickets and X509 certificates in SOAP headers to authenticate
uses. You can sign the message or use XML encryption to ensure the integrity of the message.

If you just need authentication IIS authentication should all that you need.
Anders Norås
http://dotnetjunkies.com/weblog/anoras/

Nov 23 '05 #3
Hi,

To do this, you've got a long road (well, not that long). You need to
implement the WS-Security specification yourself on the caller's side.
Once you've done this, and tested interoperability with your server side,
you should be OK. The specs are pretty clear, and an experienced
programmer should be able to do this in a day or so. (assuming experience
in XML, DOM, and cryptography - and have access to the right crypto library
implementations).

Win98 is problematic, since it is at end of life. Advise you to upgrade to
XP asap.

Regards

Dan Rogers
Microsoft Corporation
--------------------
From: "Filippo" <fi*********************************@powersoft.i t>
Newsgroups: microsoft.public.dotnet.framework.webservices
Subject: Re: Adding security to a web service without using WSE
Date: Mon, 13 Dec 2004 16:37:53 +0100
Lines: 42
Message-ID: <32*************@individual.net>
References: <19**********************************@microsoft.co m>
<#I**************@TK2MSFTNGP14.phx.gbl>
X-Trace: individual.net Y23zbn8fTCysa5q/y8tGBAlF9zlgbyrssexsxV8d7FCKeZ9FZo
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Path:
cpmsftngxa10.phx.gbl!TK2MSFTFEED02.phx.gbl!TK2MSFT NGP08.phx.gbl!newsfeed00.s
ul.t-online.de!t-online.de!newsfeed.freenet.de!fu-berlin.de!uni-berlin.de!in
dividual.net!not-for-mail
Xref: cpmsftngxa10.phx.gbl
microsoft.public.dotnet.framework.webservices:8041
X-Tomcat-NG: microsoft.public.dotnet.framework.webservices

How to pass Soap headers for the application level security?
How to do this with a classic Asp page?
Thanks

"Anders Norås [MCAD]" <an**********@objectware.no> ha scritto nel messaggio
news:%2****************@TK2MSFTNGP14.phx.gbl...
I need advice about adding security to a web service without using WSE, as the clients will run Win98.
What sort of security? You have three levels of web service security:
Platform / Transport-level
The transportation channel (usually HTTP) provides this level. It can be

IIS authentication such as basic, digest, integrated and certificate
authententication. SSL and IPSec can be used to encrypt SOAP messages on
this level.

Application-level
You can use custom SOAP headers to pass user credentials from authentication purposes with each request. You can also encrypt parts of the message using the crypto classes in .NET.

Message-level
This is where WSE helps out the most. You can pass WS-Security tokens, such as Kerberos tickets and X509 certificates in SOAP headers to authenticate
uses. You can sign the message or use XML encryption to ensure the integrity of the message.

If you just need authentication IIS authentication should all that you need.
Anders Norås
http://dotnetjunkies.com/weblog/anoras/


Nov 23 '05 #4
If you dont want to use WSE at the client when you want to make request to a
WSe enable Web service, you can build the security token on the client with
the appropriate name spaces using a Custom header class when passed the
request to the server.

[.......Your Envelop]
[Custorm header which generate the WSE security token]
[End of you envelop]

i.e at the end of day you need to create and send a request which WSE
enabled webservices would understand.

"razvan" wrote:
I need advice about adding security to a web service without using WSE, as
the clients will run Win98.

Nov 23 '05 #5

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

0
by: Fabrice DG | last post by:
Hi all. I don't know if this post is really at the right place but I hope someone can help me.. I developed a NT service, in order to automate mail exchanges between different kind of users This...
3
by: MIGUEL | last post by:
Hi all, I'm quite lost with how adding web references to a project creates proxy classes. I've developed a web service with two classes inside and that contains three references to three...
5
by: Rakesh Rathod | last post by:
Hi, I need to invoke a web service dynamically at runtime without adding a web reference. I need to do this through a C# application (.NET 2.0). At runtime my application will get the url of the...
4
by: Dinsdale | last post by:
I'm looking at adding scheduling features to an application and I wanted to ask the community about any experience with scheduling components, either open source like from code project or from a...
0
by: jacorona | last post by:
Hello all, I have found a problem accesing a web service hosted in IIS 5.0 in a W2K box. The web service site is configured to accept both integrated windows authentication and client certificates....
2
by: ChrisCicc | last post by:
Hi All, I got a real doozy here. I have read hundreds upon hundreds of forum posts and found numerous others who have replicated this problem, but have yet to find a solution. Through testing I have...
0
by: AndyL69 | last post by:
Hello I've got a very strange Problem. When im adding a new ACE entry to a UNC Direcotry the inherented ACL's will be lost. When I'm adding a new ACE to a directory / file in this UNC path the...
8
by: =?Utf-8?B?TWFuanJlZSBHYXJn?= | last post by:
Hi, I created a web service and hosted it in Windows Services. It is working fine. Now I am trying to implement the X509 certificates for message layer security. But it is throwing the following...
2
by: Ken Fine | last post by:
I want to add the security question and answer security feature to the ChangePassword control. I am aware that this functionality is built into the PasswordRecovery tool. I have implemented the...
2
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 7 Feb 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:30 (7.30PM). In this month's session, the creator of the excellent VBE...
0
by: MeoLessi9 | last post by:
I have VirtualBox installed on Windows 11 and now I would like to install Kali on a virtual machine. However, on the official website, I see two options: "Installer images" and "Virtual machines"....
0
by: Aftab Ahmad | last post by:
So, I have written a code for a cmd called "Send WhatsApp Message" to open and send WhatsApp messaage. The code is given below. Dim IE As Object Set IE =...
0
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
0
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: marcoviolo | last post by:
Dear all, I would like to implement on my worksheet an vlookup dynamic , that consider a change of pivot excel via win32com, from an external excel (without open it) and save the new file into a...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.