473,386 Members | 1,736 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > .net framework > questions > web service security - .net 2.0

Join Bytes to post your question to a community of 473,386 software developers and data experts.

Web service security - .NET 2.0

Hi,

I have a set up where a windows client connects to a web service to retrieve
a license file. The client is a consumer product which is beeing distributed
to multiple locations.

1) I would like to restrict the web service so it only can be called from my
application
2) I guess that I have to encrypt and sign all data which is being send over
the wire, or can I just use SSL. What is recommended?

Thanks

Henrik.
Nov 23 '05 #1
4 3806
Hi Henrik,

Welcome to Webservice newsgroup.
Regarding on the authentication/security questions, here are some of my
understanding:

As for your scenario, I think the main requirement is provide an
authentication/identification mechanism to check and identify the
clientside caller. e.g using a custom database for storing client user
accounts.

Then, after we have such an authentication/identifying mechanism, what we
need to consider later is secure the webservice SOAP message contents
transmit over the internet. As for this task, I think we have the
following options:

1. Transport Layer security. A typical approach is using SSL/TLS, this
approach rely on the underlying transport layer(using http) and the
clientside /serverside support for security protocol( SSL/TLS...) . Also,
one drawback of this is that such transport layer security works only in
point to point scenario(no other intermediate proxy or agency between the
clientside and serverside...)

2. To address the problem in #1, we can instead use Message Layer security
which means we secure the Soap Xml message. This will overcome those
problems like platform dependent or mutiple intermediate proxy hop... And
the WSE component is just addressing on Message layer Security for .NET
webservice which conforms to WS-SecurityXXX specifications. Also, the
drawback is that doing message layer security require more custom works and
will somewhat make the SOAP message much larger than original.

Just some of my opinion.
Hope helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

--------------------
From: "Henrik Skak Pedersen" <sk**@community.nospam>
Subject: Web service security - .NET 2.0
Date: Mon, 21 Nov 2005 16:57:56 +0100
Lines: 16
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-RFC2646: Format=Flowed; Original
Message-ID: <u#**************@TK2MSFTNGP11.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.webservices
NNTP-Posting-Host: 80.63.142.94
Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFT NGP11.phx.gbl
microsoft.public.dotnet.framework.webservices:1279 2
X-Tomcat-NG: microsoft.public.dotnet.framework.webservices

Hi,

I have a set up where a windows client connects to a web service to retrieve
a license file. The client is a consumer product which is beeing distributed
to multiple locations.

1) I would like to restrict the web service so it only can be called from my
application
2) I guess that I have to encrypt and sign all data which is being send over
the wire, or can I just use SSL. What is recommended?

Thanks

Henrik.

Nov 23 '05 #2
Hi Henrik,

How are doing on this? Does the information I provided in the former reply
helps you a little? If there're anything else we can help, please feel free
to post here.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

--------------------
X-Tomcat-ID: 126424748
References: <u#**************@TK2MSFTNGP11.phx.gbl>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_0001_0BC2D3D9"
Content-Transfer-Encoding: 7bit
From: st*****@online.microsoft.com (Steven Cheng[MSFT])
Organization: Microsoft
Date: Tue, 22 Nov 2005 06:58:33 GMT
Subject: RE: Web service security - .NET 2.0
X-Tomcat-NG: microsoft.public.dotnet.framework.webservices
Message-ID: <K#**************@TK2MSFTNGXA02.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.webservices
Lines: 162
Path: TK2MSFTNGXA02.phx.gbl
microsoft.public.dotnet.framework.webservices:1280 2
NNTP-Posting-Host: TOMCATIMPORT1 10.201.218.122

Hi Henrik,

Welcome to Webservice newsgroup.
Regarding on the authentication/security questions, here are some of my
understanding:

As for your scenario, I think the main requirement is provide an
authentication/identification mechanism to check and identify the
clientside caller. e.g using a custom database for storing client user
accounts.

Then, after we have such an authentication/identifying mechanism, what we
need to consider later is secure the webservice SOAP message contents
transmit over the internet. As for this task, I think we have the
following options:

1. Transport Layer security. A typical approach is using SSL/TLS, this
approach rely on the underlying transport layer(using http) and the
clientside /serverside support for security protocol( SSL/TLS...) . Also,
one drawback of this is that such transport layer security works only in
point to point scenario(no other intermediate proxy or agency between the
clientside and serverside...)

2. To address the problem in #1, we can instead use Message Layer security
which means we secure the Soap Xml message. This will overcome those
problems like platform dependent or mutiple intermediate proxy hop... And
the WSE component is just addressing on Message layer Security for .NET
webservice which conforms to WS-SecurityXXX specifications. Also, the
drawback is that doing message layer security require more custom works and
will somewhat make the SOAP message much larger than original.

Just some of my opinion.
Hope helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

--------------------
From: "Henrik Skak Pedersen" <sk**@community.nospam>
Subject: Web service security - .NET 2.0
Date: Mon, 21 Nov 2005 16:57:56 +0100
Lines: 16
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-RFC2646: Format=Flowed; Original
Message-ID: <u#**************@TK2MSFTNGP11.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.webservices
NNTP-Posting-Host: 80.63.142.94
Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFT NGP11.phx.gbl
microsoft.public.dotnet.framework.webservices:1279 2
X-Tomcat-NG: microsoft.public.dotnet.framework.webservices

Hi,

I have a set up where a windows client connects to a web service to retrieve
a license file. The client is a consumer product which is beeing distributed
to multiple locations.

1) I would like to restrict the web service so it only can be called from my
application
2) I guess that I have to encrypt and sign all data which is being send over
the wire, or can I just use SSL. What is recommended?

Thanks

Henrik.

Nov 24 '05 #3
Hi Steven,

Thank you very much for your reply. I have decided to use
UserNameOverTransportAssertion.

Thanks Henrik
"Steven Cheng[MSFT]" <st*****@online.microsoft.com> wrote in message
news:Hw*************@TK2MSFTNGXA02.phx.gbl...
Hi Henrik,

How are doing on this? Does the information I provided in the former reply
helps you a little? If there're anything else we can help, please feel
free
to post here.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

--------------------
X-Tomcat-ID: 126424748
References: <u#**************@TK2MSFTNGP11.phx.gbl>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_0001_0BC2D3D9"
Content-Transfer-Encoding: 7bit
From: st*****@online.microsoft.com (Steven Cheng[MSFT])
Organization: Microsoft
Date: Tue, 22 Nov 2005 06:58:33 GMT
Subject: RE: Web service security - .NET 2.0
X-Tomcat-NG: microsoft.public.dotnet.framework.webservices
Message-ID: <K#**************@TK2MSFTNGXA02.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.webservices
Lines: 162
Path: TK2MSFTNGXA02.phx.gbl
Xref: TK2MSFTNGXA02.phx.gbl
microsoft.public.dotnet.framework.webservices:1280 2
NNTP-Posting-Host: TOMCATIMPORT1 10.201.218.122

Hi Henrik,

Welcome to Webservice newsgroup.
Regarding on the authentication/security questions, here are some of my
understanding:

As for your scenario, I think the main requirement is provide an
authentication/identification mechanism to check and identify the
clientside caller. e.g using a custom database for storing client user
accounts.

Then, after we have such an authentication/identifying mechanism, what we
need to consider later is secure the webservice SOAP message contents
transmit over the internet. As for this task, I think we have the
following options:

1. Transport Layer security. A typical approach is using SSL/TLS, this
approach rely on the underlying transport layer(using http) and the
clientside /serverside support for security protocol( SSL/TLS...) . Also,
one drawback of this is that such transport layer security works only in
point to point scenario(no other intermediate proxy or agency between the
clientside and serverside...)

2. To address the problem in #1, we can instead use Message Layer security
which means we secure the Soap Xml message. This will overcome those
problems like platform dependent or mutiple intermediate proxy hop...
And
the WSE component is just addressing on Message layer Security for .NET
webservice which conforms to WS-SecurityXXX specifications. Also, the
drawback is that doing message layer security require more custom works
and
will somewhat make the SOAP message much larger than original.

Just some of my opinion.
Hope helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

--------------------
From: "Henrik Skak Pedersen" <sk**@community.nospam>
Subject: Web service security - .NET 2.0
Date: Mon, 21 Nov 2005 16:57:56 +0100
Lines: 16
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-RFC2646: Format=Flowed; Original
Message-ID: <u#**************@TK2MSFTNGP11.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.webservices
NNTP-Posting-Host: 80.63.142.94
Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFT NGP11.phx.gbl
Xref: TK2MSFTNGXA02.phx.gbl
microsoft.public.dotnet.framework.webservices:1279 2
X-Tomcat-NG: microsoft.public.dotnet.framework.webservices

Hi,

I have a set up where a windows client connects to a web service to
retrieve
a license file. The client is a consumer product which is beeing
distributed
to multiple locations.

1) I would like to restrict the web service so it only can be called from
my
application
2) I guess that I have to encrypt and sign all data which is being send
over
the wire, or can I just use SSL. What is recommended?

Thanks

Henrik.


Nov 24 '05 #4
Thanks for your followup Henrik,

Good luck!

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

--------------------
From: "Henrik Skak Pedersen" <sk**@community.nospam>
References: <u#**************@TK2MSFTNGP11.phx.gbl>
<K#**************@TK2MSFTNGXA02.phx.gbl>
<Hw*************@TK2MSFTNGXA02.phx.gbl>
Subject: Re: Web service security - .NET 2.0
Date: Thu, 24 Nov 2005 17:03:38 +0100
Lines: 134
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-RFC2646: Format=Flowed; Original
Message-ID: <eD**************@TK2MSFTNGP15.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.webservices
NNTP-Posting-Host: 80.63.142.94
Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFT NGP15.phx.gbl
microsoft.public.dotnet.framework.webservices:1283 2
X-Tomcat-NG: microsoft.public.dotnet.framework.webservices

Hi Steven,

Thank you very much for your reply. I have decided to use
UserNameOverTransportAssertion.

Thanks Henrik
"Steven Cheng[MSFT]" <st*****@online.microsoft.com> wrote in message
news:Hw*************@TK2MSFTNGXA02.phx.gbl...
Hi Henrik,

How are doing on this? Does the information I provided in the former reply
helps you a little? If there're anything else we can help, please feel
free
to post here.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

--------------------
X-Tomcat-ID: 126424748
References: <u#**************@TK2MSFTNGP11.phx.gbl>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_0001_0BC2D3D9"
Content-Transfer-Encoding: 7bit
From: st*****@online.microsoft.com (Steven Cheng[MSFT])
Organization: Microsoft
Date: Tue, 22 Nov 2005 06:58:33 GMT
Subject: RE: Web service security - .NET 2.0
X-Tomcat-NG: microsoft.public.dotnet.framework.webservices
Message-ID: <K#**************@TK2MSFTNGXA02.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.webservices
Lines: 162
Path: TK2MSFTNGXA02.phx.gbl
Xref: TK2MSFTNGXA02.phx.gbl
microsoft.public.dotnet.framework.webservices:1280 2
NNTP-Posting-Host: TOMCATIMPORT1 10.201.218.122

Hi Henrik,

Welcome to Webservice newsgroup.
Regarding on the authentication/security questions, here are some of my
understanding:

As for your scenario, I think the main requirement is provide an
authentication/identification mechanism to check and identify the
clientside caller. e.g using a custom database for storing client user
accounts.

Then, after we have such an authentication/identifying mechanism, what we
need to consider later is secure the webservice SOAP message contents
transmit over the internet. As for this task, I think we have the
following options:

1. Transport Layer security. A typical approach is using SSL/TLS, this
approach rely on the underlying transport layer(using http) and the
clientside /serverside support for security protocol( SSL/TLS...) . Also,
one drawback of this is that such transport layer security works only in
point to point scenario(no other intermediate proxy or agency between the
clientside and serverside...)

2. To address the problem in #1, we can instead use Message Layer security
which means we secure the Soap Xml message. This will overcome those
problems like platform dependent or mutiple intermediate proxy hop...
And
the WSE component is just addressing on Message layer Security for .NET
webservice which conforms to WS-SecurityXXX specifications. Also, the
drawback is that doing message layer security require more custom works
and
will somewhat make the SOAP message much larger than original.

Just some of my opinion.
Hope helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

--------------------
From: "Henrik Skak Pedersen" <sk**@community.nospam>
Subject: Web service security - .NET 2.0
Date: Mon, 21 Nov 2005 16:57:56 +0100
Lines: 16
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-RFC2646: Format=Flowed; Original
Message-ID: <u#**************@TK2MSFTNGP11.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.webservices
NNTP-Posting-Host: 80.63.142.94
Path: TK2MSFTNGXA02.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFT NGP11.phx.gbl
Xref: TK2MSFTNGXA02.phx.gbl
microsoft.public.dotnet.framework.webservices:1279 2
X-Tomcat-NG: microsoft.public.dotnet.framework.webservices

Hi,

I have a set up where a windows client connects to a web service to
retrieve
a license file. The client is a consumer product which is beeing
distributed
to multiple locations.

1) I would like to restrict the web service so it only can be called from
my
application
2) I guess that I have to encrypt and sign all data which is being send
over
the wire, or can I just use SSL. What is recommended?

Thanks

Henrik.



Nov 25 '05 #5
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

2
Windows 2003 Service
by: cd | last post by:
Is there a specific process or permissions that must be granted to get a .NET (framework 1.4) Window Service to run properly on a Windows 2003 Server? I built a Windows Service to start two local...
.NET Framework
2
not associated with trusted SQL Server problem - windows service
by: epaetz | last post by:
I'm getting Not associated with a trusted SQL Server connection errors on a .Net windows service I wrote, when it's running on my application server. It's not a problem with mixed mode...
Microsoft SQL Server
3
Windows Service cannot create text files?
by: Amjad | last post by:
Hi, I just wrote a test Windows Service that creates a text file on startup (please see my code below). The file is never created. Protected Overrides Sub OnStart(ByVal args() As String) Dim...
Visual Basic .NET
5
User authentication through web service (follow up)
by: Buddy Ackerman | last post by:
My app is a .NET forms app that runs in the taskbar and periodically polls a web service. I have a client that wants the app to integrate with their Active Directory. They do not want the user to...
.NET Framework
4
.NET XML Web Service interop
by: Kevin Burton | last post by:
I found an article on calling a .NET web service from Java but it seemed to rely on GLUE and I was unable to find out how to download that software. There seems to be alot written on the Sun site,...
.NET Framework
16
problems starting a Network service
by: sunil | last post by:
Hi, I have a service written in c# that I need to run as a "Network Service". I am using a setup project to install the service. If I install the service in User's Personal Folder, I get the...
C# / C Sharp
33
Getting logged in user from a service?
by: JamesB | last post by:
I am writing a service that monitors when a particular app is started. Works, but I need to get the user who is currently logged in, and of course Environment.UserName returns the service logon...
C# / C Sharp
0
C# - soap exception when one web service calls another
by: yoozioo | last post by:
hello, This year I'm learning C# at school and now we focus on web services. I created and published a web service which contains a method that calls another web service written by my class...
.NET Framework
3
C# SOAP Authentication to non C# web service
by: Enda Manni | last post by:
Hi, I have a gSoap Web Service written using C++, it uses SOAP username and password authentication. I also have a C# form client consuming the web service, all this was working fine until...
C# / C Sharp
0
Basic Javascript concepts
by: aa123db | last post by:
Variable and constants Use var or let for variables and const fror constants. Var foo ='bar'; Let foo ='bar';const baz ='bar'; Functions function $name$ ($parameters$) { } ...
Javascript
0
Batch import of multiple excel files into the database
by: ryjfgjl | last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
Data Management
0
Merging data from multiple Excel files
by: ryjfgjl | last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
Data Management
0
BarryA
Navigating the Data Structures and Algorithms (DSA)
by: BarryA | last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
Algorithms / Advanced Math
1
Looking to do Android software development, any suggestions? Is flutter better?
by: nemocccc | last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
General
1
Is that possible of reading the .csv file in column wise and the column have different lengths ?
by: Sonnysonu | last post by:
This is the data of csv file 1 2 3 1 2 3 1 2 3 1 2 3 2 3 2 3 3 the lengths should be different i have to store the data by column-wise with in the specific length. suppose the i have to...
C / C++
0
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
Windows Server
0
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers,...
C / C++
0
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
Online Marketing

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!