WS-Security vs. IIS authentication and trust boundaries

  • Thread starter Morten Overgaard

Morten Overgaard

Hi Sirs.

When using WS-Security instead of IIS authentication I see a potential
problem letting ALL people access my webService, i.e. if I have a little bug
in the code that checks for validity of the user I'm really exposing
myself.

If using IIS authentication I'm sure that only IIS authenticated users are
allowed access to my webService. So don't WS-Security and IIS security
come hand in hand, or am I missing something here?


Regards Morten
 

WJ

Morten Overgaard said:
If using IIS authentication I'm sure that only IIS authenticated users are
allowed access to my webService. So don't WS-Security and IIS security
come hand in hand, or am I missing something here?

Assuming that you are using Microsoft technology, then yes. A web service is
controlled by the MS/UDDI server, which is IIS-6. You can then treat or
configure your web service security requirements just like an ordinary web
application under an IIS-6 server.

John
 

Paul Glavich [MVP ASP.NET]

WS-Security (and all the WS-* standards) are bigger than just Microsoft.
Integrated security is fine when talking Windows to Windows in your
intranet. Making a standard security mechanism for your web service on the
wider internet is another kettle of fish. WS-Security also has a lot more
flexibility in terms of customisation than IIS does.
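
On the concern raised in the first post, that a bug in the user-validation code leaves the service open to everyone: the sketch below is an added example, not code from anyone in this thread, showing a message-level check for a WS-Security UsernameToken (PasswordDigest form) written so that every error path denies access. It uses Python instead of ASP.NET so that it runs stand-alone; `USERS`, `MAX_AGE`, `sample_envelope` and `authenticate` are hypothetical names, and the credential and envelope are constructed sample data.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = NS + "wssecurity-secext-1.0.xsd"
WSU = NS + "wssecurity-utility-1.0.xsd"
DIGEST = NS + "username-token-profile-1.0#PasswordDigest"
USERS = {"morten": "constructed-secret"}  # constructed sample credential store
MAX_AGE = timedelta(minutes=5)            # assumed freshness window

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken profile: Base64(SHA-1(nonce + created + password))
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def sample_envelope(user: str, password: str, nonce: bytes, created: str) -> str:
    # Constructed request, reduced to the security header only.
    return (f'<Envelope><Header><Security xmlns="{WSSE}"><UsernameToken>'
            f'<Username>{user}</Username>'
            f'<Password Type="{DIGEST}">{password_digest(nonce, created, password)}</Password>'
            f'<Nonce>{base64.b64encode(nonce).decode()}</Nonce>'
            f'<Created xmlns="{WSU}">{created}</Created>'
            '</UsernameToken></Security></Header><Body/></Envelope>')

def authenticate(envelope: str, now: datetime, seen_nonces: set) -> Optional[str]:
    """Return the authenticated user name, or None. Every failure path denies."""
    try:
        # Stdlib parser keeps the example self-contained; harden XML parsing in production.
        token = ET.fromstring(envelope).find(f".//{{{WSSE}}}UsernameToken")
        user = token.findtext(f"{{{WSSE}}}Username")
        pw = token.find(f"{{{WSSE}}}Password")
        nonce = base64.b64decode(token.findtext(f"{{{WSSE}}}Nonce"), validate=True)
        created = token.findtext(f"{{{WSU}}}Created")
        made = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fresh = timedelta(0) <= now - made <= MAX_AGE
        if pw.get("Type") != DIGEST or not fresh or not nonce or nonce in seen_nonces:
            return None
        if not hmac.compare_digest(password_digest(nonce, created, USERS[user]), pw.text or ""):
            return None
        seen_nonces.add(nonce)  # reject replays of this token from now on
        return user
    except Exception:
        # Missing element, bad Base64, unknown user, bad timestamp: deny, never fall through.
        return None
```

Requiring IIS authentication in front of a check like this means a mistake in the message-level code is not the only barrier between an anonymous caller and the service.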
 
