User Authorization
The current WSE implementation provides the functionality to authorize a Web service call with the enclosed UsernameToken. To accomplish this, the SOAP message must be signed with the UsernameToken. When the WSE receives such a Web service call, it calls the Win32 API function LogonUser with the username and the password from the UsernameToken as parameters. If the call to this function is successful, the property Principal of the UsernameToken is initialized with the authorized user.
This property implements the interface System.Security.Principal.IPrincipal, which enables you to use the function IPrincipal.IsInRole to determine whether the user of the current request is in a specified role. To use this feature, you must send the password of the UsernameToken in plain text. But you can sign or encrypt the plain password with a SecurityToken. If you want to use this built-in WSE feature, you don't have to implement your own UsernameTokenManager because the WSE authenticates the request internally.
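The following client snippet is an added example that is not part of the original text; it shows the sending side of the exchange just described for a WSE 2.0 client: the UsernameToken carries the password as plain text (so the service can hand it to LogonUser), the message is signed with that token, and the token itself is encrypted with the service's X.509 certificate so the password is not readable on the wire. The proxy class SignupProxy, the request type and the way the certificate is obtained are assumptions for illustration; the constructor overloads and the order in which the security elements are added follow the WSE 2.0 API as I remember it and should be checked against the documentation of the WSE version in use.

```csharp
// Added example, not code from the original text. Assumes a WSE 2.0 proxy
// class named SignupProxy generated for the SignupForPDC service.
using System;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Security;
using Microsoft.Web.Services2.Security.Tokens;
using Microsoft.Web.Services2.Security.X509;

public class SignupClient
{
    // serverCertificate is the service's public certificate (how it is
    // loaded, e.g. from a certificate store, is left to the caller).
    public static SignupResponse CallSignup(string username, string password,
                                            X509Certificate serverCertificate)
    {
        SignupProxy proxy = new SignupProxy();   // assumed generated proxy name

        // The password must be sent as plain text for the service-side WSE to
        // validate it with LogonUser; a digest password cannot be checked
        // against Windows.
        UsernameToken userToken =
            new UsernameToken(username, password, PasswordOption.SendPlainText);

        // Only the public key is needed here; the service holds the private
        // key that decrypts the token.
        X509SecurityToken serviceToken = new X509SecurityToken(serverCertificate);

        SoapContext ctx = proxy.RequestSoapContext;
        ctx.Security.Tokens.Add(userToken);

        // Sign the message with the UsernameToken. MessageSignature includes
        // the SOAP body by default, which is what the service-side IsInRole
        // helper looks for (SignatureOptions.IncludeSoapBody).
        ctx.Security.Elements.Add(new MessageSignature(userToken));

        // Encrypt the UsernameToken element itself, referenced by its wsu:Id,
        // so the plain-text password travels encrypted rather than the body.
        ctx.Security.Elements.Add(new EncryptedData(serviceToken, "#" + userToken.Id));

        SignupRequest request = new SignupRequest();
        return proxy.SignupForPDC(request);
    }
}
```

If the token is sent without the EncryptedData element, the plain-text password is only protected by whatever transport security (for example SSL) is in place; the UsernameToken encryption is what makes the message itself safe to carry over an unprotected channel.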
The following listing shows how you can authorize a Web service call against a Windows group (the Web service call is processed only if the user of the current request is a member of the built-in Windows group Administrators):
[WebMethod]
public SignupResponse SignupForPDC(SignupRequest request)
{
    // Process the request only if the signer of the SOAP body is a member
    // of the built-in local Administrators group.
    if (IsInRole(@"BUILTIN\Administrators"))
    {
        return request.ProcessMessage();
    }
    else
    {
        throw new UnauthorizedAccessException(
            "Your request was not authorized!");
    }
}

private bool IsInRole(string role)
{
    SecurityElementCollection elements =
        RequestSoapContext.Current.Security.Elements;
    foreach (ISecurityElement secElement in elements)
    {
        if (secElement is Signature)
        {
            Signature sig = (Signature)secElement;
            // Only accept a signature that actually covers the SOAP body;
            // a signature over headers alone says nothing about the request.
            if ((sig.SignatureOptions &
                 SignatureOptions.IncludeSoapBody) != 0)
            {
                SecurityToken sigToken = sig.SecurityToken;
                if (sigToken is UsernameToken)
                {
                    UsernameToken token =
                        (UsernameToken)sigToken;
                    // Principal was set by the WSE after a successful
                    // LogonUser call with the token's credentials.
                    return token.Principal.IsInRole(role);
                }
            }
        }
    }
    // No body signature made with a UsernameToken: deny by default.
    return false;
}
The previous listings showed some possibilities for using authentication and authorization within Web services. The WSE provides some of these features automatically. The following section shows how you can make your SOAP messages more confidential by using a digital signature.