Alek Davis
Sorry for cross-posting, but I am not quite sure where this question belongs
(maybe it should be addressed to some other group).
I have a Web service (IIS/ASP.NET) configured to run under Basic
authentication (anonymous access is disabled along with integrated Windows
and digest authentication). I have another server application (RPC server/NT
service) running on a different machine, which calls this Web service. The
client applications, which call the RPC server, must provide user's
credentials, which the RPC server will use for Basic authentication when
calling the Web service.
What I noticed is that after the first client provides valid credentials and
the RPC server successfully calls the Web service, any other client making
calls after that can provide invalid credentials (or no credentials at all),
but the RPC server can still call the Web service. It looks like the first
valid credentials are cached somewhere for a certain period of time, because
after inactivity (not sure how long, but it looks like half an hour or so),
the RPC server must reauthenticate (I also need to reauthenticate after
restarting the RPC server or starting another instance). This is a potential
security problem, so I would like to force reauthentication on every call to
prevent different clients from "piggybacking" on the credentials of the
first successful client, but I cannot figure out what I need to do. All of
the RPC calls are stateless, which means that any Web service proxy objects
go out of scope after the calls are complete. Even though my original
application involves a mix of C/C# code (using COM Interop), I can duplicate
the same behavior from a simple Windows Forms (C#) application calling a Web
service. Could someone explain why the consecutive calls use the cached
(whatever this means) Basic credentials? Is there a way to disable caching
of credentials between the Web service method calls? The closest more-or-less
relevant information I was able to find addresses a similar problem with the
Web Browser control (http://support.microsoft.com/?id=195192), but it
does not seem to help me solve the problem. Any hints? Is it possible to
clear "cached" credentials when making SOAP calls from a
SoapHttpClientProtocol-derived class?
Thanks,
Alek
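One defensive measure for the situation described in the post, as an added example (it is not code from the original post, and it is not a confirmed root-cause fix): a SoapHttpClientProtocol subclass that refuses to call without the caller's own credentials, offers them for the Basic scheme only, and isolates each call in its own connection group with keep-alive off, so nothing negotiated on a connection for one caller can be reused by the next. The class name and the service URL are hypothetical.

```csharp
using System;
using System.Net;
using System.Web.Services.Protocols;

// Hypothetical proxy. In a real project the class body is generated by wsdl.exe
// from the service's WSDL; only the constructor checks and GetWebRequest are added.
public class PerCallerServiceProxy : SoapHttpClientProtocol
{
    private readonly string _connectionGroup;

    public PerCallerServiceProxy(string serviceUrl, string user, string password)
    {
        // Fail closed: a call without the caller's own credentials is refused rather
        // than sent in the hope that IIS will accept it.
        if (string.IsNullOrEmpty(user) || password == null)
            throw new ArgumentException("Caller credentials are required for every call.");

        // Basic sends the password base64-encoded, not encrypted: insist on TLS.
        if (!serviceUrl.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Basic credentials may only be sent over HTTPS.");

        Url = serviceUrl;

        // Offer the credentials for the Basic scheme only, so the proxy cannot fall
        // back to a connection-scoped scheme such as NTLM if the server offers one.
        var cache = new CredentialCache();
        cache.Add(new Uri(serviceUrl), "Basic", new NetworkCredential(user, password));
        Credentials = cache;
        PreAuthenticate = true;   // put the Authorization header on every request

        // One connection group per proxy instance, i.e. per caller's call.
        _connectionGroup = "caller-" + Guid.NewGuid().ToString("N");
    }

    protected override WebRequest GetWebRequest(Uri uri)
    {
        var request = (HttpWebRequest)base.GetWebRequest(uri);

        // Connections are pooled per group, so this request can never be sent over
        // a TCP connection that was opened and authenticated for another caller.
        request.ConnectionGroupName = _connectionGroup;

        // Close the connection when the call completes so nothing authenticated at
        // connection level survives into the next call.
        request.KeepAlive = false;
        return request;
    }
}
```

If the symptom persists with this proxy, the reuse is happening somewhere other than the client's HTTP connection, and the server side (IIS authentication settings and the RPC server's own handling of credentials) is the next place to look.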