WSE 2.0: Get Your .NET Web Services Security Up to Spec : Page 3

Microsoft's Web Services Enhancements for .NET (WSE) 2.0 toolkit improves existing specifications such as WS-Security. This article examines its WS-Security improvements and shows how you can upgrade your Web services to WSE 2.0.


User Authorization
The current WSE implementation provides the functionality to authorize a Web service call with the enclosed UsernameToken. To accomplish this, the SOAP message must be signed with the UsernameToken. When the WSE receives such a Web service call, it calls the Win32 API function LogonUser with the username and the password from the UsernameToken as parameters. If the call to this function is successful, the property Principal of the UsernameToken is initialized with the authorized user.

This property implements the interface System.Security.Principal.IPrincipal, which enables you to use the function IPrincipal.IsInRole to determine whether the user of the current request is in a specified role. To use this feature, you must send the password of the UsernameToken in plain text, because LogonUser needs the actual password. You can, however, sign or encrypt the plain-text password with a SecurityToken. If you want to use this built-in WSE feature, you don't have to implement your own UsernameTokenManager because the WSE authenticates the request internally.

The following listing shows how you can authorize a Web service call against a Windows group (the Web service call is processed only if the user of the current request is a member of the built-in Windows group Administrators):



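    using System;
    using System.Web.Services;
    using Microsoft.Web.Services2;
    using Microsoft.Web.Services2.Security;
    using Microsoft.Web.Services2.Security.Tokens;

    [WebMethod]
    public SignupResponse SignupForPDC(SignupRequest request)
    {
        // Process the call only for members of the built-in Administrators group.
        if (IsInRole(@"BUILTIN\Administrators"))
        {
            return request.ProcessMessage();
        }
        else
        {
            throw new UnauthorizedAccessException(
                "Your request was not authorized!");
        }
    }

    private bool IsInRole(string role)
    {
        SecurityElementCollection elements =
            RequestSoapContext.Current.Security.Elements;

        foreach (ISecurityElement secElement in elements)
        {
            if (secElement is Signature)
            {
                Signature sig = (Signature)secElement;

                // Only a signature that covers the SOAP body counts.
                if ((sig.SignatureOptions &
                    SignatureOptions.IncludeSoapBody) != 0)
                {
                    SecurityToken sigToken = sig.SecurityToken;

                    // The signing token must be the UsernameToken that the WSE authenticated.
                    if (sigToken is UsernameToken)
                    {
                        UsernameToken token = (UsernameToken)sigToken;
                        return token.Principal.IsInRole(role);
                    }
                }
            }
        }

        // No body signature made with a UsernameToken: deny.
        return false;
    }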
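The decision the listing makes can be exercised without a WSE installation. The following is an added example, not code from the original article or from the WSE: the types Covered, Token, UserToken, Sig and RoleGate are hypothetical stand-ins for the WSE classes, the principals are constructed with GenericPrincipal instead of coming from LogonUser, and the null check on Principal is an extra guard that the listing does not have.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical stand-ins (NOT the WSE classes): just enough to model the check.
[Flags] enum Covered { None = 0, Headers = 1, SoapBody = 2 }
class Token { public IPrincipal Principal; }               // any security token
class UserToken : Token { }                                 // models a UsernameToken
class Sig { public Covered Parts; public Token Signer; }    // models a signature element

static class RoleGate
{
    // Allow only if a username token signed the SOAP body AND its principal
    // is in the role. Every other combination fails closed.
    public static bool IsAuthorized(IEnumerable<Sig> signatures, string role)
    {
        foreach (Sig sig in signatures)
        {
            if ((sig.Parts & Covered.SoapBody) == 0) continue;    // body not covered
            UserToken user = sig.Signer as UserToken;
            if (user == null || user.Principal == null) continue; // wrong token type or no logon
            return user.Principal.IsInRole(role);
        }
        return false;                                             // no qualifying signature
    }
}

static class Demo
{
    static void Main()
    {
        const string Admins = @"BUILTIN\Administrators";
        // Constructed principals standing in for the result of a successful logon.
        IPrincipal admin = new GenericPrincipal(new GenericIdentity("alice"), new[] { Admins });
        IPrincipal plain = new GenericPrincipal(new GenericIdentity("bob"), new[] { @"BUILTIN\Users" });
        var adminToken = new UserToken { Principal = admin };

        var cases = new Dictionary<string, Sig[]>
        {
            { "no signature at all", new Sig[0] },
            { "admin token signs headers only", new[] { new Sig { Parts = Covered.Headers, Signer = adminToken } } },
            { "body signed by non-username token", new[] { new Sig { Parts = Covered.SoapBody, Signer = new Token { Principal = admin } } } },
            { "body signed by non-admin user", new[] { new Sig { Parts = Covered.SoapBody, Signer = new UserToken { Principal = plain } } } },
            { "body signed by admin user", new[] { new Sig { Parts = Covered.SoapBody | Covered.Headers, Signer = adminToken } } },
        };
        foreach (var c in cases)
            Console.WriteLine("{0,-36} -> {1}", c.Key, RoleGate.IsAuthorized(c.Value, Admins) ? "allow" : "deny");
    }
}
```

Only the last case is allowed: a valid administrator token that is attached to the message but did not sign the body does not authorize the call.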

The previous listings showed some possibilities for using authentication and authorization within Web services. The WSE provides some of these features automatically. The following section shows how you can make your SOAP messages more confidential by using a digital signature.


