IIS Web-service: where to set identity?

Marc Gravell

The problem:

I want to have a (.NET 2.0) smart-client talking to an (IIS, ASP.NET 2.0)
web-server to consume web-services. The authentication on the web-service is
bespoke (I mention this just for completeness; essentially, the web-service
is running (in configuration terms, at least) as anonymous - which is *not*
to say that the methods can be called arbitrarily!).

Anyway... (back to the point): the web-service needs to call down to the
database, and I would like to do this using NT security to avoid having to
store SQL (etc) credentials somewhere like (gasp) web.config. I would also
like to be able to run multiple isolated versions of the site on the same
server (differentiating by IP, port or host-header; it makes no real
difference), so I don't really want to GAC it, as this may(?) make it harder
to separate the different sites for upgrade etc (in reality, I would quite
like to run isolated "dev" and "test" environments on the same box in
different sand-boxes, and perhaps run my live "intranet" and "extranet"
environments (which have similar sites but different configurations) on the
same hardware to help spread the (uneven) load).

So: where to set security? If I use SQL security, I need to store the SQL
password somewhere. I could use the IIS identity against the application,
but this then means that if the site was compromised, malicious code could
connect to the db directly (am I being overly paranoid?). I could use
programmatic NT impersonation, but this a: might be slower, and b: means I
need to have access to a password within the application, and c: if my app
can get the credentials, then so presumably can the malicious code... so I'm
no better than just using IIS identity, but I've made life hard for myself
in the process...

So: where would *you* set the identity?

(Historically, I have used COM+ components written in VB (running in an
application with configured identity) to achieve the same, but this limits
me to one site = one machine; I'd quite like to break away from this
limitation with .NET web-services).

Thanks in advance,

Marc
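
An added example, not part of the original post: a small Python check over a constructed web.config that reports, for each option weighed above, whether it leaves a password in configuration or relies on the Windows identity the site runs as. The server name, account names and finding labels are made up for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config showing the options weighed in the post
# (db01, appuser and svc_app are illustrative names, not real systems).
SAMPLE = """<configuration>
  <connectionStrings>
    <add name="SqlLogin" connectionString="Server=db01;Database=App;User ID=appuser;Password=example-only" />
    <add name="NtSecurity" connectionString="Server=db01;Database=App;Integrated Security=SSPI" />
  </connectionStrings>
  <system.web>
    <identity impersonate="true" userName="DOMAIN\\svc_app" password="example-only" />
  </system.web>
</configuration>"""

SECRET_KEYS = {"password", "pwd"}
TRUSTED_KEYS = ("integrated security", "trusted_connection")


def parse_connection_string(value):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def audit_web_config(xml_text):
    """Return (name, finding) tuples for each place an identity is set."""
    root = ET.fromstring(xml_text)
    findings = []
    for add in root.findall("connectionStrings/add"):
        fields = parse_connection_string(add.get("connectionString", ""))
        if fields.keys() & SECRET_KEYS:
            # SQL login: the password is readable by anything that can read the file.
            findings.append((add.get("name"), "sql-password-in-config"))
        elif any(fields.get(k, "").lower() in ("sspi", "true", "yes") for k in TRUSTED_KEYS):
            # NT security: the database sees whatever Windows identity the site runs as.
            findings.append((add.get("name"), "uses-process-identity"))
    for ident in root.findall("system.web/identity"):
        if ident.get("impersonate", "").lower() == "true" and ident.get("password"):
            # Fixed impersonation account: again a password stored with the application.
            findings.append((ident.get("userName"), "impersonation-password-in-config"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_web_config(SAMPLE):
        print(f"{name}: {finding}")
```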
 
