Hi Henrik,
How are you doing on this? Does the information I provided in the former reply
help you a little? If there's anything else we can help with, please feel free
to post here.
Thanks,
Steven Cheng
Microsoft Online Support
Get Secure!
www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
From: st*****@online.microsoft.com (Steven Cheng[MSFT])
Organization: Microsoft
Date: Tue, 22 Nov 2005 06:58:33 GMT
Subject: RE: Web service security - .NET 2.0
Newsgroups: microsoft.public.dotnet.framework.webservices
Hi Henrik,
Welcome to the Webservice newsgroup.
Regarding the authentication/security questions, here is some of my
understanding:
As for your scenario, I think the main requirement is to provide an
authentication/identification mechanism to check and identify the
client-side caller, e.g. using a custom database for storing client user
accounts.
Then, after we have such an authentication/identifying mechanism, what we
need to consider later is securing the webservice SOAP message contents
transmitted over the internet. As for this task, I think we have the
following options:
1. Transport layer security. A typical approach is using SSL/TLS; this
approach relies on the underlying transport layer (using HTTP) and the
client-side/server-side support for the security protocol (SSL/TLS...). Also,
one drawback of this is that such transport layer security works only in a
point-to-point scenario (no other intermediate proxy or agency between the
client side and server side...).
2. To address the problem in #1, we can instead use message layer security,
which means we secure the SOAP XML message. This will overcome those
problems like platform dependence or multiple intermediate proxy hops... And
the WSE component addresses just this message layer security for .NET
webservices, and conforms to the WS-SecurityXXX specifications. Also, the
drawback is that doing message layer security requires more custom work and
will somewhat make the SOAP message much larger than the original.
Just some of my opinion.
Hope this helps. Thanks,
Steven Cheng
--------------------
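As an added illustration of option 2 in the reply above (not code from the thread, and not WSE itself): this C# program uses the framework's `SignedXml` class to sign only the SOAP Body, so the signature survives an intermediary that adds a header but fails once the Body is changed, and it prints how much the message grows. It simplifies WS-Security (a plain `Id` attribute, the signature placed directly in the Header), assumes a current .NET with the System.Security.Cryptography.Xml package, and the message and element names are constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class BodySignatureDemo
{
    const string Soap = "http://schemas.xmlsoap.org/soap/envelope/";

    // Sender: sign only the Body (by Id) and carry the signature in the Header.
    static void SignBody(XmlDocument doc, RSA key)
    {
        var signed = new SignedXml(doc) { SigningKey = key };
        signed.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;
        var body = new Reference("#body") { DigestMethod = SignedXml.XmlDsigSHA256Url };
        body.AddTransform(new XmlDsigExcC14NTransform());
        signed.AddReference(body);
        signed.ComputeSignature();
        doc.DocumentElement["Header", Soap].AppendChild(doc.ImportNode(signed.GetXml(), true));
    }

    // Receiver: the single signature must cover the real soap:Body and verify under the sender's key.
    static bool VerifyBody(XmlDocument doc, RSA senderKey)
    {
        XmlNodeList sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1) return false;
        var signed = new SignedXml(doc);
        signed.LoadXml((XmlElement)sigs[0]);
        if (signed.SignedInfo.References.Count != 1) return false;
        string uri = ((Reference)signed.SignedInfo.References[0]).Uri ?? "";
        XmlElement covered = uri.StartsWith("#") ? signed.GetIdElement(doc, uri.Substring(1)) : null;
        return covered != null && ReferenceEquals(covered, doc.DocumentElement["Body", Soap])
            && signed.CheckSignature(senderKey);
    }

    static void Main()
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        // Constructed sample request; GetLicense, Customer and urn:example are hypothetical names.
        doc.LoadXml("<s:Envelope xmlns:s='" + Soap + "'><s:Header/><s:Body Id='body'>" +
            "<GetLicense xmlns='urn:example'><Customer>42</Customer></GetLicense></s:Body></s:Envelope>");
        RSA key = RSA.Create();
        int before = doc.OuterXml.Length;
        SignBody(doc, key);
        Console.WriteLine("size: {0} -> {1} chars", before, doc.OuterXml.Length);
        // A relay adds its own header: the Body signature is unaffected.
        doc.DocumentElement["Header", Soap].AppendChild(doc.CreateElement("Via", "urn:example:proxy"));
        Console.WriteLine("after relay:  " + VerifyBody(doc, key));
        // The Body is altered in transit: verification fails.
        doc.GetElementsByTagName("Customer", "urn:example")[0].InnerText = "43";
        Console.WriteLine("after tamper: " + VerifyBody(doc, key));
    }
}
```

The receiver checks which element the signature covers before trusting it, because a valid signature over some other element says nothing about the Body that will actually be processed.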
From: "Henrik Skak Pedersen" <sk**@community.nospam>
Subject: Web service security - .NET 2.0
Date: Mon, 21 Nov 2005 16:57:56 +0100
Hi,
I have a setup where a Windows client connects to a web service to retrieve
a license file. The client is a consumer product which is being distributed
to multiple locations.
1) I would like to restrict the web service so it can only be called from my
application.
2) I guess that I have to encrypt and sign all data which is being sent over
the wire, or can I just use SSL? What is recommended?
Thanks
Henrik.