Web service security

docs

Hello

I am new to web services and I have a number of questions. I have read the WSE documentation and various other articles, but I am not sure that everything I need to do is covered. I have described the scenario below; I hope somebody can help. Thank you in advance, docs

I have to create a B2B web service that returns a different recordset depending on the authorization level of the same user. The request has to be authenticated and authorized, as well as be secure.

To implement the authentication portion, I was thinking about using WSE, creating a user name and password header, and then using the user name/password to authenticate the request.

Authentication is also necessary, because the same user name/password combination may act on behalf of different users that have different authorization levels. So, the requestor should also send some kind of authorization ID. Depending on the authorization ID, a different set of values (recordset) is returned by the web service. How do I implement this? Is there some built-in function in WSE? Do I have to create another header with the authorization info? Can I pass an IPrincipal ticket?

As far as security, how do I ensure that the password and user ID are secured? Can I only encrypt the header with the uid/pwd? Should I use SSL?

Again, thank you for helping
 
Sami Vaaraniemi

Comments inline.

docs said:
Hello,

I am new to web services and I have a number of questions. I have read
the WSE documentation and various other articles, but I am not sure that
everything I need to do is covered. I have described the scenario below, I
hope somebody can help. Thank you in advance, docs.
I have to create a B2B web service, that returns a different recordset
depending on the authorization level of the same user. The request has to
be authenticated and authorized, as well as be secure.
To implement the authentication portion, I was thinking about using WSE,
creating a user name and password header, and then use the user
name/password to authenticate the request.

WSE covers your requirements so far.
http://www.devx.com/security/Article/18207/0/page/1 and
http://msdn.microsoft.com/webservic...l=/library/en-us/dnwebsrv/html/wssecdrill.asp
are both worth reading.
docs said:
Authentication is also necessary, because the same user Name/Password
combination may act on behalf of different users that have different
authorization levels. So, the requestor, should send also some kind of
authorization ID. Depending on the authorization id, a different set of
values (recordset) is returned by the web service. How do I implement this?
Is there some built in function in WSE? Do I have to create another header
with the authorization info? Can I pass an IPrincipal ticket?

The way (role based) authorization usually works is that once the server has
validated the caller's credentials (= authentication), it figures out the
roles associated with this caller and attaches them to the authenticated
principal. The code that implements the request can then verify that the
principal has the role(s) required to make the call. In your case this means
the server would return a different recordset based on the role(s)
associated with the authenticated principal.

It seems to me that you are suggesting that the requestor would send an
authorization ID in the request. This would pose a security problem. How
would you prevent a malicious caller from sending an ID that he is not
supposed to use?

docs said:
As far as security, how do I ensure that the password and user id are
secured? Can I only encrypt the header with the uid/pwd? Should I use SSL?

With WSE, you can send the password hashed, in which case it'll be secure.
WSE 2.0 also supports encrypting the UsernameToken in which case both the
username and password will be encrypted. The MSDN article above shows how to
do this.

Using SSL would probably work too although I haven't tried it with WSE 2.0.
The main advantage of WSE security is that it is message-oriented while SSL
is transport based. This means that you can use WSE security e.g., if you
want to forward the message to another web service. SSL secures the message
only between the communication endpoints.

Sami
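
The flow Sami describes (validate the caller's credentials, attach server-side roles to the principal, let the operation choose the recordset by role) together with the hashed-password option, as an added example written for this thread. It is plain Python modelling what the WSE pipeline does, not WSE code and not from either poster; the user names, passwords, role mappings, catalog rows and the fixed clock value are constructed. The digest is computed as in the WS-Security UsernameToken Profile, Base64(SHA-1(nonce + created + password)), which is the scheme behind sending the password hashed; the Principal class is a stand-in for IPrincipal.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# ---- constructed server-side stores (stand-ins for a real user/role database) ----
# The PasswordDigest scheme needs the clear password on the server, which is
# why a WSE UsernameTokenManager hands back the stored password for the user
# named in the token so the framework can recompute the digest.
USERS = {
    "acme-gateway": "correct horse battery staple",
    "globex-gateway": "globex shared secret",
}
# Roles are looked up here after authentication succeeds; nothing in the
# request (no client-supplied "authorization ID") can influence them.
ROLES = {
    "acme-gateway": {"partner-basic", "partner-pricing"},
    "globex-gateway": {"partner-basic"},
}
CATALOG = [  # constructed recordset
    {"sku": "A100", "desc": "Widget", "price": 9.99},
    {"sku": "A200", "desc": "Gadget", "price": 19.99},
]
MAX_SKEW = timedelta(minutes=5)   # accepted gap between Created and server time
_seen_nonces = set()              # replay cache; a real service would expire old entries
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def make_username_token(username, password, now=None):
    """Client side: a UsernameToken carrying PasswordDigest instead of the
    clear password: Base64(SHA-1(nonce + created + password))."""
    now = now or datetime.now(timezone.utc)
    nonce = os.urandom(16)
    created = now.strftime(TIME_FMT)
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode(),
        "Created": created,
        "PasswordDigest": base64.b64encode(digest).decode(),
    }


class Principal:
    """Minimal stand-in for an IPrincipal: a name plus server-assigned roles."""

    def __init__(self, name, roles):
        self.name = name
        self.roles = frozenset(roles)

    def is_in_role(self, role):
        return role in self.roles


def authenticate(token, now=None):
    """Server side: verify the digest, reject stale or replayed tokens, then
    attach the roles found in the server-side store. Raises PermissionError."""
    now = now or datetime.now(timezone.utc)
    password = USERS.get(token["Username"])
    if password is None:
        raise PermissionError("unknown user")
    created = datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
    if abs(now - created) > MAX_SKEW:
        raise PermissionError("Created timestamp outside the accepted window")
    nonce = base64.b64decode(token["Nonce"])
    if nonce in _seen_nonces:
        raise PermissionError("replayed nonce")
    expected = hashlib.sha1(nonce + token["Created"].encode() + password.encode()).digest()
    if not hmac.compare_digest(expected, base64.b64decode(token["PasswordDigest"])):
        raise PermissionError("password digest does not match")
    _seen_nonces.add(nonce)
    # Roles come from the server-side mapping, never from the message.
    return Principal(token["Username"], ROLES.get(token["Username"], ()))


def get_catalog(principal):
    """The operation itself: which recordset comes back depends only on the
    roles attached to the authenticated principal."""
    if not principal.is_in_role("partner-basic"):
        raise PermissionError("role partner-basic required")
    show_price = principal.is_in_role("partner-pricing")
    return [{k: v for k, v in row.items() if show_price or k != "price"}
            for row in CATALOG]


def handle_request(token, now=None):
    """Authenticate, then dispatch: the equivalent of WSE validating the
    UsernameToken before the web method body runs."""
    return get_catalog(authenticate(token, now))
```

A partner with only partner-basic gets the rows without the price column, a partner that also holds partner-pricing gets the full rows, and the same token presented twice, a token with a Created value outside the window, or a digest built from the wrong password is refused before any web method code runs. Note that the digest only protects the password in transit; the Username, Nonce and Created values still travel in clear, which is where the encrypted UsernameToken or transport security mentioned above comes in.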
 
