thomas
Hi everybody,
Here is the scenario: webservice running on IIS with .Net Framework 2.0 and
a Windows client application.
Requirements:
1. Only authenticated and authorized users shall be able to call web
methods.
2. User names or passwords shall never be sent over http.
Constraints:
3. Webservice cannot use Windows or LDAP authentication - users and their
passwords are stored in a SQL database.
4. The use of x.509 certificates is not an option - too expensive,
distribution impractical. Does this eliminate WSE? Perhaps, but this level
of security is NOT necessary.
Note: although that would be nice, communication does NOT have to be
encrypted. When really needed, meaning when I have to start transmitting
credit card numbers etc., this perhaps could be accomplished using https.
Again, the solution does NOT have to be absolutely secure.
I, of course, have some solutions in mind, but I would appreciate it if someone
who has REAL experience in implementing similar solutions could provide some
advice or share some thoughts.
Thank you,
Tomasz
P.S. I apologize for the crossposting, but I realized that this might be a
better place to post this question.