WSE 2.0 UsernameToken Authentication Tidbits

Service Station, by Aaron Skonnard


WSE 2.0 provides two main authentication models: 

  • Windows authentication. WSE 2.0 automatically authenticates incoming UsernameTokens (via LogonUser) when the password is supplied in plain text (PasswordOptions.SendPlainText). You should only use this option if:
    • You encrypt the UsernameToken element
    • You're using a secure channel (e.g. SSL)
  • Custom authentication. WSE 2.0 makes it possible to implement a custom authentication scheme through a UsernameTokenManager-derived class (UTM). This allows you to store credentials in SQL Server, for example. It also has the following benefits:
    • You can send a hashed password (PasswordOptions.SendHashed). WSE will regenerate the hash from the password it gets from your UTM as proof-of-possession.
    • You can sign the message with a UsernameToken and avoid sending the password altogether (PasswordOptions.SendNone). WSE will verify the signature using the password it gets from your UTM as proof-of-possession.

You should always sign your SOAP messages when security is an issue. Hence, the last option (UTM + signature + SendNone) is probably the best fit. If you need to use Windows authentication for some reason, use the first option instead (SendPlainText + encryption of the UsernameToken, or a secure channel).
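The UTM + signature + SendNone arrangement, as an added C# sketch that is not code from the original post: a UsernameTokenManager-derived class returns the shared secret WSE uses as proof-of-possession, and the web method checks that the body was actually signed by the UsernameToken before trusting it. Names such as DemoUsernameTokenManager, OrderService and the OrderServiceWse proxy are assumptions, the credential store is a constructed in-memory table standing in for a SQL Server lookup, and the class still has to be registered as the wsse:UsernameToken securityTokenManager in web.config.

```csharp
using System;
using System.Collections;
using System.Web.Services;
using System.Web.Services.Protocols;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Security;
using Microsoft.Web.Services2.Security.Tokens;

// WSE calls AuthenticateToken and uses the returned string as the secret for
// recomputing a SendHashed digest or verifying a SendNone signature. The store
// therefore has to yield the same secret the client signs with, which is the
// concern raised in the comments: a one-way salted hash kept only on the
// server cannot serve this purpose.
public class DemoUsernameTokenManager : UsernameTokenManager
{
    // Constructed sample store (assumption), in place of a SQL Server query.
    private static readonly Hashtable Secrets = new Hashtable();
    static DemoUsernameTokenManager() { Secrets["alice"] = "correct-horse"; }

    protected override string AuthenticateToken(UsernameToken token)
    {
        // A null return leaves the token unauthenticated and the call rejected.
        return Secrets[token.Username] as string;
    }
}

public class OrderService : WebService
{
    [WebMethod]
    public string PlaceOrder(string item)
    {
        SoapContext ctx = RequestSoapContext.Current;
        // UTM authentication alone is not enough: with SendNone the proof of
        // possession is the signature, so require a body signature whose
        // signing token is the UsernameToken, not a token merely carried along.
        bool signedByUser = false;
        foreach (ISecurityElement el in ctx.Security.Elements)
        {
            MessageSignature sig = el as MessageSignature;
            if (sig != null && sig.SigningToken is UsernameToken
                && (sig.SignatureOptions & SignatureOptions.IncludeSoapBody) != 0)
                signedByUser = true;
        }
        if (!signedByUser)
            throw new SoapException("Body must be signed with a UsernameToken",
                                    SoapException.ClientFaultCode);
        return "accepted " + item;
    }
}

// Client side (OrderServiceWse is the assumed WSE-generated proxy): the
// password never leaves the client; it only keys the message signature.
public static class Client
{
    public static string Send(OrderServiceWse proxy)
    {
        UsernameToken tok = new UsernameToken("alice", "correct-horse", PasswordOption.SendNone);
        proxy.RequestSoapContext.Security.Tokens.Add(tok);
        proxy.RequestSoapContext.Security.Elements.Add(new MessageSignature(tok));
        return proxy.PlaceOrder("widget");
    }
}
```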


Posted Jul 02 2004, 02:29 PM by Aaron Skonnard

Comments

John wrote re: WSE 2.0 UsernameToken Authentication Tidbits
on 07-03-2004 1:42 AM
What are the options when you don't store users' passwords in clear text on the server side?

I cannot see how I should implement custom authentication in that scenario by extending the UsernameTokenManager class. Unless I force my clients to hash/encrypt the password the same way as I do on the server side.
JosephCooney wrote Interesting WSE2 UsernameToken Authentication Discussion
on 07-13-2004 8:23 AM
Softwaremaker wrote re: WSE 2.0 UsernameToken Authentication Tidbits
on 09-29-2004 2:21 PM
John,

Check out the bits I blogged before on the option you have *IF* you want to send passwords in clear text so you *can* check against hashed digest values of the equivalent that is stored in your UserDB. It shows how to encrypt the entire usernametoken.
http://dotnetjunkies.com/WebLog/softwaremaker/archive/2004/06/10/16012.aspx

You may want to check out Hervey's take on the usernametoken as well here
http://www.dynamic-cast.com/mt-archives/000065.html
JCooney.NET wrote Interesting WSE2 UsernameToken Authentication Discussion
on 01-31-2005 5:38 AM
Sunk wrote re: WSE 2.0 UsernameToken Authentication Tidbits
on 06-07-2005 7:38 AM
When I use SendPlainText, the default setting is Windows authorizing.
For IIS, I unchecked the anonymous box and checked to use Windows authorizing. But when I run the program, an error occurs: access denied.
Could you tell me what's the problem?
Bradk wrote re: WSE 2.0 UsernameToken Authentication Tidbits
on 08-23-2005 6:44 AM
Is there a way to extend the UsernameToken to add additional elements? For example, I would like to add a developerKey for our API, like Google has done here:

https://adwords.google.com/api/adwords/v2/CampaignService?wsdl
