Webservices and "pass through" security

T

Tom

Hi,

I am currently on a project where one site needs to send the user
credentials to another site, through web services.

Scenario:

* "User 1" will authenticate to "Site A" using NTLM ("Site A" provides
front-end presentation of data)
* "Site A" will request confidential information about "User 1" to "Site B"
("Site B" has a database of confidential data for each user), via web
service call

The developers of "Site B" are worried about "Site A" sending the wrong
credentials (i.e. wrong NT login ID), meaning that the visitor of "Site A"
could see someone else data...

How could we resolve this using standard .NET webservices?

How can we garantee to "Site B" that the visitor on "Site A" is really "User
1"?

Also, how can we ensure that only the webservice client from "Site A" can
access the webservice from B? We suggested IP address registration of Site A
servers with "Site B", but the developers think this is not enough.

Many thanks!!
Tom
 
G

Guest

yes there is a way of doing it....

i quote this from the WSE2.0(web serivce enhancement) document

Web services can be secured today, but limitations exist when it comes to
building scalable distributed applications based on Web services.
Specifically, it is difficult to build scalable applications that cross
security domains. Today, you can secure Web services by having the message
sent over a secure transport, such as Secure Sockets Layer (SSL), but that
only works when the communication is point-to-point. That is, if the SOAP
message must be routed to one or more intermediaries before reaching the
ultimate receiver and the entire route uses SSL, then the ultimate receiver
still has to communicate with the sender to authenticate the sender of the
SOAP message. That scenario is difficult to scale.

One of the ways WSE helps to build scalable distributed applications is by
providing an efficient and scalable mechanism to secure Web services. It uses
the mechanisms defined in the WS-Security specification to place security
credentials in the SOAP message itself. This is done by having a client
obtain security credentials from a source that is trusted by both the sender
and receiver. When a SOAP message sender sends a SOAP request, those security
credentials, which are generically known as security tokens, are then placed
in the SOAP message.
...............

for full article, please refer here:

http://msdn.microsoft.com/library/d...html/3c55ed70-6b66-4620-bba7-59c5b2f2191d.asp
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Site and WebService access 1
Single login/logout for two different websites: How? 1
WebServices not working 3
Share AppSettings configuration between a service Web and an asp.net web application 3
some stuff private 1
Anonymous User 3
Special Deployment required 3
asp.net 2.0 webservices deployment problem 1

Top