Web service security - .NET 2.0

Hi,

I have a setup where a Windows client connects to a web service to retrieve
a license file. The client is a consumer product which is being distributed
to multiple locations.

1) I would like to restrict the web service so it can only be called from my
application
2) I guess that I have to encrypt and sign all data which is being sent over
the wire, or can I just use SSL? What is recommended?

Thanks

Henrik.
Nov 23 '05 #1
Hi Henrik,

Welcome to the Webservice newsgroup.
Regarding the authentication/security questions, here is some of my
understanding:

As for your scenario, I think the main requirement is to provide an
authentication/identification mechanism to check and identify the
client-side caller, e.g. using a custom database for storing client user
accounts.

Then, after we have such an authentication/identifying mechanism, what we
need to consider next is securing the web service SOAP message contents
transmitted over the internet. For this task, I think we have the
following options:

1. Transport layer security. A typical approach is using SSL/TLS; this
approach relies on the underlying transport layer (using HTTP) and the
client-side/server-side support for the security protocol (SSL/TLS...). Also,
one drawback of this is that such transport layer security works only in a
point-to-point scenario (no other intermediate proxy or agency between the
client side and server side...).

2. To address the problem in #1, we can instead use message layer security,
which means we secure the SOAP XML message. This will overcome problems
like platform dependence or multiple intermediate proxy hops... And
the WSE component addresses message layer security for .NET
web services, conforming to the WS-SecurityXXX specifications. Also, the
drawback is that doing message layer security requires more custom work and
will somewhat make the SOAP message much larger than the original.

Just some of my opinions.
Hope this helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Nov 23 '05 #2
Hi Henrik,

How are you doing on this? Did the information I provided in the former reply
help you a little? If there's anything else we can help with, please feel free
to post here.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Nov 24 '05 #3
Hi Steven,

Thank you very much for your reply. I have decided to use
UserNameOverTransportAssertion.

Thanks Henrik
Nov 24 '05 #4
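
Added example, not part of the thread and not Microsoft's sample code: one way to back the UserNameOverTransportAssertion chosen above with the custom account database suggested earlier in the thread, written against WSE 3.0 on .NET 2.0. `LicenseAccountStore` and `LicenseTokenManager` are hypothetical names, and the in-memory dictionary stands in for the database.

```csharp
// Added example. Assumes WSE 3.0 is enabled for the ASMX site, the service policy
// contains <usernameOverTransportSecurity />, and LicenseTokenManager is registered
// as the UsernameToken manager in the <securityTokenManager> section of web.config.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;
using Microsoft.Web.Services3.Security;
using Microsoft.Web.Services3.Security.Tokens;

// Stand-in for the custom account database: user name -> { salt, PBKDF2 hash }.
public static class LicenseAccountStore
{
    private const int Iterations = 10000;   // constructed value, tune for your hardware
    private static readonly Dictionary<string, byte[][]> accounts =
        new Dictionary<string, byte[][]>(StringComparer.Ordinal);

    // Call at application start-up only; Dictionary is not safe for concurrent writes.
    public static void Add(string user, string password)
    {
        byte[] salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);
        accounts[user] = new byte[][] { salt, Derive(password, salt) };
    }

    public static bool Verify(string user, string password)
    {
        byte[][] entry;
        if (user == null || password == null || !accounts.TryGetValue(user, out entry))
            return false;
        byte[] candidate = Derive(password, entry[0]);
        int diff = 0;                        // compare every byte, no early exit
        for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ entry[1][i];
        return diff == 0;
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        return new Rfc2898DeriveBytes(password, salt, Iterations).GetBytes(20);
    }
}

// WSE calls AuthenticateToken for every UsernameToken found in an incoming message.
public class LicenseTokenManager : UsernameTokenManager
{
    protected override string AuthenticateToken(UsernameToken token)
    {
        // The token carries the password as sent by the client, so reject any
        // request that did not arrive over SSL/TLS before looking at it.
        HttpContext ctx = HttpContext.Current;
        bool overTls = ctx != null && ctx.Request.IsSecureConnection;
        if (!overTls || !LicenseAccountStore.Verify(token.Username, token.Password))
            throw new SecurityFault(SecurityFault.FailedAuthenticationMessage,
                                    SecurityFault.FailedAuthenticationCode);
        return token.Password;   // the value WSE checks the token's password against
    }
}
```

With this assertion the password travels inside the SOAP header and only the SSL/TLS channel protects it, which is why the manager refuses non-HTTPS requests. The credentials identify an account, not the client executable.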
Thanks for your followup Henrik,

Good luck!

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Nov 25 '05 #5
