
6/26/12 Web Services Security | Greg Reinacker's Weblog

3/4 www.rassoc.com/gregr/weblog/2002/06/09/web-services-security-2/
Authentication and .NET Remoting - Greg Reinacker's Weblog - Musings on just about everything.
March 4, 2008 at 7:59 am
ways to deal with SOAP headers.
Agreed, I guess my point (not very carefully stated) was that the headers would all have to look
different (see example above), and I must understand your service to craft the header.
The more complicated part is going to be what algorithm you chose. For example, RSA signatures are very common right now so they have a lot of support in Java, .NET, etc. But if I were to choose PGP signatures, that would cause more problems than crufting up some SOAP headers.
Login: I agree that it isn't the best thing in the world, but you are describing how WS-Security and WS-License will work with Kerberos. You'll logon somehow (MS Passport or Project Liberty), and then take that binary ticket and transport it with each request. Maybe you don't like this aspect of WS-Security :-)
Interesting point, I hadn't thought about that when I wrote this section. In this case, though, you can log in with some other external mechanism (Passport/Liberty), then pass along the ticket with your calls. I think this is subtly different than the web service itself exposing a login method, in that the login cost can be amortized across all of the web services you intend to communicate with.
I must confess I haven't done a lot of research into looking at how we will authenticate web service calls with Passport/Liberty, so I might have more/different comments once I see that in more detail. ;-)
I still don't agree with your self-documenting comment. But I described my reasons for that above. Your 2 round trips argument sounds to me like you logon and get a token before EVERY web service call. If that is the case, then yes this will be very, very wasteful.
Well, I was assuming there would be 1 login call, and multiple service calls using that one token. But here's the thing: I think something like this makes much more complex on the client side. A typical client will login, save the session (so he can save the potential round-trips later), and call the service he wants to use. Sometime in the future, he's going to make another service call, so he's going to pass the token along again. The problem is, the token (by its nature, in a secure system) is going to time out eventually. So now the client must have logic to catch this case, call login again, and start working. It sounds trivial, but it's a pretty big hassle.
Compare this with the case where credentials are sent on every call. The client must still catch the access denied case, but at least he doesn't have to retry; at this point he knows it's just not going to work.
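The client-side logic Greg describes above, as an added example that is not code from the original thread or from either commenter. Everything here is simulated in-process with constructed data: a hypothetical SessionService that issues short-lived opaque tokens (and, for comparison, also accepts credentials on every call), a TokenClient that logs in once and re-logins exactly once when a call fails with an expired token, and a PerCallClient that has no token state and therefore nothing to retry. The counters on the service make the two cost profiles from the discussion visible: credential checks versus total requests.

```python
import hmac
import secrets
import time


class Expired(Exception):
    """The token timed out; logging in again and retrying may succeed."""


class Denied(Exception):
    """Bad credentials or no permission; retrying will not help."""


class SessionService:
    """Hypothetical service: login() issues a short-lived token, call() needs a
    live one, call_with_credentials() verifies credentials on every request."""

    def __init__(self, users, ttl_seconds, clock=time.monotonic):
        self._users = users          # {username: password}, constructed test data
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be simulated
        self._sessions = {}          # token -> (username, expiry time)
        self.login_count = 0         # how often credentials were verified
        self.call_count = 0          # how many requests reached the service

    def _check_credentials(self, username, password):
        self.login_count += 1
        expected = self._users.get(username)
        # constant-time compare; a real service would verify a password hash
        if expected is None or not hmac.compare_digest(expected, password):
            raise Denied("bad credentials")

    def login(self, username, password):
        self._check_credentials(username, password)
        token = secrets.token_hex(16)  # opaque, unguessable session token
        self._sessions[token] = (username, self._clock() + self._ttl)
        return token

    def call(self, token, method):
        self.call_count += 1
        entry = self._sessions.get(token)
        if entry is None:
            raise Denied("unknown token")
        username, expiry = entry
        if self._clock() >= expiry:
            del self._sessions[token]  # expired tokens are dropped server-side
            raise Expired("token expired")
        return f"{method} ok for {username}"

    def call_with_credentials(self, username, password, method):
        self.call_count += 1
        self._check_credentials(username, password)
        return f"{method} ok for {username}"


class TokenClient:
    """Logs in once, reuses the token, and on Expired re-logins and retries
    at most once per call. Denied is never retried."""

    def __init__(self, service, username, password):
        self._svc = service
        self._creds = (username, password)
        self._token = None

    def call(self, method):
        if self._token is None:
            self._token = self._svc.login(*self._creds)
        try:
            return self._svc.call(self._token, method)
        except Expired:
            # one re-login and one retry; a second Expired propagates, no loop
            self._token = self._svc.login(*self._creds)
            return self._svc.call(self._token, method)


class PerCallClient:
    """Sends credentials on every call: no token state, nothing to retry."""

    def __init__(self, service, username, password):
        self._svc = service
        self._creds = (username, password)

    def call(self, method):
        return self._svc.call_with_credentials(*self._creds, method)


class FakeClock:
    """Manually advanced clock so token expiry is deterministic."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def run_token_client():
    """Three calls with a 60 s token; the third finds it expired and re-logins."""
    clock = FakeClock()
    svc = SessionService({"alice": "correct horse"}, ttl_seconds=60, clock=clock)
    client = TokenClient(svc, "alice", "correct horse")
    results = [client.call("GetQuote")]      # login + call
    clock.now += 30
    results.append(client.call("GetQuote"))  # token reused, no login
    clock.now += 45                          # 75 s elapsed: token expired
    results.append(client.call("GetQuote"))  # Expired -> re-login -> retry
    return {"logins": svc.login_count, "requests": svc.call_count, "results": results}


def run_per_call_client():
    """The same three calls with credentials each time: three credential checks."""
    svc = SessionService({"alice": "correct horse"}, ttl_seconds=60)
    client = PerCallClient(svc, "alice", "correct horse")
    results = [client.call("GetQuote") for _ in range(3)]
    return {"logins": svc.login_count, "requests": svc.call_count, "results": results}
```

With these numbers the token client performs 2 credential checks and 4 requests (the expired attempt plus its retry), while the per-call client performs 3 checks and 3 requests; which is cheaper depends entirely on the relative cost of verifying credentials versus validating a token, which is exactly the point made later in the thread. The bounded retry is the detail worth copying: retrying only on an expiry signal, never on a plain denial, and never more than once, so a misconfigured client cannot hammer the login endpoint.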
I also agree with your sessioned model on the services argument. I've actually seen security systems where it was MORE expensive to validate the token than just to reauthenticate :-)
All in all I would love to see WS-Security being implemented in more of the major toolkits. But I also fear the day that this happens because people will start black boxing it. And I believe we'll be back to the days of DCOM where when everything works, it works great. But when something breaks, boy does it break :-)
I totally agree. And you couldn't be more right about DCOM!
One response so far
[...] by a few questions, I thought I'd post about using my Basic and Digest authentication modules with .NET remoting. As you're probably aware, .NET remoting does not include (out of the box) [...]