Web service security - .NET 2.0

Hi,

I have a setup where a Windows client connects to a web service to retrieve
a license file. The client is a consumer product which is being distributed
to multiple locations.

1) I would like to restrict the web service so it can only be called from my
application
2) I guess that I have to encrypt and sign all data which is being sent over
the wire, or can I just use SSL? What is recommended?

Thanks

Henrik.
Nov 23 '05 #1
Hi Henrik,

Welcome to the Webservice newsgroup.
Regarding the authentication/security questions, here is some of my
understanding:

As for your scenario, I think the main requirement is to provide an
authentication/identification mechanism to check and identify the
client-side caller, e.g. using a custom database for storing client user
accounts.

Then, after we have such an authentication/identifying mechanism, what we
need to consider later is securing the web service SOAP message contents
transmitted over the internet. As for this task, I think we have the
following options:

1. Transport Layer security. A typical approach is using SSL/TLS; this
approach relies on the underlying transport layer (using HTTP) and the
client-side/server-side support for the security protocol (SSL/TLS...). Also,
one drawback of this is that such transport layer security works only in a
point-to-point scenario (no other intermediate proxy or agency between the
client side and server side...).

2. To address the problem in #1, we can instead use Message Layer security,
which means we secure the SOAP XML message. This will overcome problems
like platform dependence or multiple intermediate proxy hops... And
the WSE component just addresses Message Layer security for .NET
web services, conforming to the WS-SecurityXXX specifications. Also, the
drawback is that doing message layer security requires more custom work and
will somewhat make the SOAP message much larger than the original.

Just some of my opinions.
Hope this helps. Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

--------------------
From: "Henrik Skak Pedersen" <sk**@community.nospam>
Subject: Web service security - .NET 2.0
Date: Mon, 21 Nov 2005 16:57:56 +0100
Newsgroups: microsoft.public.dotnet.framework.webservices
Nov 23 '05 #2
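
An added illustration of the transport-versus-message distinction in the reply above (not code from the thread, and not WSE or WS-Security itself): the server signs the license payload so the signature travels with the message, and the client verifies it no matter how many hops relayed it. It assumes a current .NET runtime rather than .NET 2.0; the `LicenseEnvelope` helper, the key pair and the license strings are constructed for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper: a detached RSA signature over the license bytes.
static class LicenseEnvelope
{
    // Server side: sign with the vendor's private key, which never leaves the server.
    public static byte[] Sign(RSA vendorPrivateKey, byte[] license) =>
        vendorPrivateKey.SignData(license, HashAlgorithmName.SHA256,
                                  RSASignaturePadding.Pkcs1);

    // Client side: verify with the vendor's public key shipped inside the application.
    public static bool Verify(RSA vendorPublicKey, byte[] license, byte[] signature) =>
        vendorPublicKey.VerifyData(license, signature, HashAlgorithmName.SHA256,
                                   RSASignaturePadding.Pkcs1);
}

static class Demo
{
    static void Main()
    {
        // Constructed key pair; a real deployment loads the private key from
        // protected storage on the server and embeds only the public half.
        using RSA serverKey = RSA.Create(2048);
        using RSA clientKey = RSA.Create();
        clientKey.ImportParameters(serverKey.ExportParameters(false));

        // Constructed license payload as the server would issue it.
        byte[] issued = Encoding.UTF8.GetBytes(
            "customer=EXAMPLE-0001;edition=pro;expires=2026-12-31");
        byte[] signature = LicenseEnvelope.Sign(serverKey, issued);

        // Case 1: the payload reaches the client byte-for-byte as issued.
        Console.WriteLine("as issued: " +
            LicenseEnvelope.Verify(clientKey, issued, signature));

        // Case 2: a hop between two TLS connections changed one field.
        // TLS on each hop cannot detect this; the end-to-end signature check can.
        byte[] received = Encoding.UTF8.GetBytes(
            "customer=EXAMPLE-0001;edition=pro;expires=2099-12-31");
        Console.WriteLine("modified in transit: " +
            LicenseEnvelope.Verify(clientKey, received, signature));
    }
}
```

The signature covers integrity and origin only; confidentiality of the payload on each hop still comes from SSL/TLS, and identifying the caller still needs the authentication mechanism the reply describes.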
Hi Henrik,

How are you doing on this? Did the information I provided in the former reply
help you a little? If there's anything else we can help with, please feel free
to post here.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

--------------------
From: st*****@online.microsoft.com (Steven Cheng[MSFT])
Organization: Microsoft
Date: Tue, 22 Nov 2005 06:58:33 GMT
Subject: RE: Web service security - .NET 2.0
Newsgroups: microsoft.public.dotnet.framework.webservices
Nov 24 '05 #3
Hi Steven,

Thank you very much for your reply. I have decided to use
UserNameOverTransportAssertion.

Thanks Henrik
Nov 24 '05 #4
Thanks for your followup Henrik,

Good luck!

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

--------------------
From: "Henrik Skak Pedersen" <sk**@community.nospam>
Subject: Re: Web service security - .NET 2.0
Date: Thu, 24 Nov 2005 17:03:38 +0100
Newsgroups: microsoft.public.dotnet.framework.webservices
Nov 25 '05 #5
