WCF / ASMX :: Web Services: To Authenticate Sign Client Assembly?
Jul 21, 2010
I have an application that exposes a number of ASP.NET web services at an internet location. For security reasons, I want to be able to authenticate clients, and reject any that are not authorised. The authorised clients in question will be ASP.NET web applications, but I do not have guaranteed access to their IIS configuration, nor to their local certificate stores, therefore the solution must not involve any of these items.
However, authorised clients will always make calls to the web services using wrapper methods provided by an assembly that I do have control over. My idea is to digitally sign that assembly, and use that signature as the basis for authenticating the client. For that to work, the assembly will need to be able to construct an X509Certificate object from itself, and to attach it to the call to the web service:
Then the web service must be able to compare the incoming request certificate to its own signing certificate to authenticate the client:
X509Certificate requestCert = new X509Certificate(Context.Request.ClientCertificate.Certificate);
X509Certificate signingCert = X509Certificate.CreateFromSignedFile(Assembly.GetExecutingAssembly().Location);[code]...
The documentation for the method doesn't help much, other than remarking that ASN.1 DER is the only certificate format supported by the method. if I am signing the assembly incorrectly, misunderstanding the method itself etc.? Or more generally if the approach I am taking will work or is flawed?
I have a fairly complex business application written in ASP.NET that is deployed on a hosted server. The site uses Forms Authentication, and there are about a dozen different roles defined. Employees and customers are both users of the application.
Now I have the requirement to develop a Windows Mobile client for the application that allows a very specialized set of tasks to be performed from a device, as opposed to a browser on a laptop. The client wants to increase productivity with this measure. Only employees will use this application.
I feel that it would make sense to re-use the security infrastructure that is already in place. The client does not need offline capability.
My thought is to deploy a set of web services to a folder of the existing site that only the new role "web service" has access to, and to use Forms Authentication (from a Windows Mobile 5/.Net 3.5 client).
I did see this question and I am aware of the limitations that Forms Authentication poses. Since security is not my primary motivator (I use SSL and can restrict access by IP address), but rather using existing user accounts and roles, my decision tree is somewhat different as well.
We currently have the code in WCF to sign the outgoing client requests' SOAP Body, however we need the same code for use with WSE 3.0. I can't find any examples of this.
I have an ASP.NET application that is using Single Sign On using Active Directory Federation Services.
When the user first logs into the application, Once they are "authenticated", their credentials remain active while their web browser is open.
Now, I want the "authentication" to "timeout" in 60 minutes. This way if they browse to another page after 60 minutes, they are prompted to "re-enter" their credentials again.
I know that in FormsAuthentication, you can "de-authenticate" someone by calling "FormsAuthentication.SignOut();" in the Session_End Event in Global.asax.
What is the best way for authenticating web methods in a web service? Is it right having authentication for every web method and verify user name and password for each web method? Is there a way to authenticate just once, not for every web method? Something like using sessions, etc.?
I have a webservice that returns: <Index>test</Index> When it gets returned to a page & I view the source, it displays it as: <Index>test</Index> Is there a way I can send the element in its original form? I want to process the xml once it hits the page (actually flash will be interpreting the xml).
I need to send an X.509 client certificate to a web service in a byte array (not attached to the request). Besides the certificate, the caller will also send data and signed data. From the web service I can verify if the signature is ok but I don't know what is required to verify that the certificate is ok. I have the client certificate issuer CA trusted on the server (where the web service runs).
More specifically, how can I verify if an X.509 certificate itself is valid? I need to do it in the web service, not from IIS.
In my application, the client must sign (using a certificate) and send data to the server. My doubt is how should I do it?
To sign on the client side, I should use ActiveX, right? My problem is that Firefox doesn't support it.
Signing on the server side I have two options:
Save the private key on the server and use it when necessary (if the data is modified during the transaction it will sign false data)
Send the private key when necessary (may compromise the key)
Despite using SSL, I'm not very comfortable with either of the two options for signing on the server side...
I generated a private key like- keytool -genkey -alias mview -keypass mviewpass -keystore /keystore then exported it in the form of a certificate file as- -export -alias mview -keystore /home/d261733/keytool_keys/keystore -rfc -file testcert.cer this gives me two files sitting in c:
1) testcert.cer (which is the certificate)
2) keystore (which is private key)
Now I want to sign an XML SOAP request like below in C# in .NET
A customer reported that our asmx web service is continually increasing in memory (mem usage as well as private bytes). We are able to reproduce the problem in our lab with Windows 2003 Server SP2 (fully patched) on some of the machines. The customer is using Windows 2008.
We created a Hello World web service targeting the 2.0 framework built under VS2005 SP1 and a test client that continues to call it. The memory increases steadily - approximately 40K per client request. If the test app is paused, the memory remains the same. When it is closed, the memory drops. Explicit calling of GC.Collect does not drop the memory.
We have run the memory profiler on the service and the leak is all native memory. We have uninstalled/re-installed the Framework on one of the machines but no difference. To our knowledge all of the security and IIS settings are not modified. We have compared app pool, default web site and virtual directory properties to machines that have no problem and they are identical.
What are web services? How can I transfer the data from server to client and client to server using XML? Need one simple example program (C# web application) ...
I need a book or two to get a good understanding of web services, starting from the very basics, and going up to WCF. I've been using C# for 2 years and have an intermediate level of experience with the language.
I have written some web services that I want to make available to others by subscription. The subscribers need to use the service from a specific domain / IP address and also authenticate with a user Id and password.
What exactly should I distribute to the subscriber so they can use the services, while exposing the least about my code? How can I authenticate a consumer of services without always passing an Id / password for each service?
I learned from the internet that web services can be invoked only by HTTP whereas WCF can be invoked by HTTP, TCP, etc. Can I know the difference between them?
I've created Web Services in .Net 3.5 & consumed those Web Services in a Client Web Application. Now I want to host the WebService in IIS 5.1. I'm very new to .NET; I'm using VS 2010, Windows XP Service Pack 3, IIS 5.1.
I have a WCF data service that talks to a Silverlight client and a WCF service library that talks to a chat client. How can I get the two services to talk to each other?
ExchangeServiceBinding binding = new ExchangeServiceBinding(); binding.Credentials = new NetworkCredential(username, password); binding.Url = "http://servername/ews/exchange.asmx";
The above web service throws an Unauthorized Access Error (Error: 401) for newly created users. I would like to know how to impersonate this user for accessing this Exchange web service.