Avoiding Cleartext Passwords

Service Station, by Aaron Skonnard


Keith's suggestion for avoiding cleartext passwords seems totally feasible to me. The question is what to use for scopeURI. One approach is to use the endpoint address, scoping the validator to all operations available at the endpoint. Another approach is to use the action, scoping the validator to the specific operation. Either seems reasonable but using action seems more appropriate to me for some reason.

When Keith says that WSE2 literally uses cleartext passwords, I think he means that the automated support for hashing/signatures relies on the cleartext password provided when instantiating a UsernameToken. However, it seems possible to implement Keith's technique using WSE2 today by supplying his notion of a validator (derived from the password) when instantiating the UsernameToken on the client, and generating and returning the same validator from your UsernameTokenManager on the server. Then WSE2 will use the validator for hashing/signing instead of the cleartext password. I'm itching to try this now.
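To make the scheme concrete, here is an added example (written for this page, not Keith's code and not WSE2's API) in Python rather than C#. It assumes a specific validator derivation (PBKDF2-HMAC-SHA256 of the password, salted with the scope URI), which the post does not specify, and it uses the WS-Security UsernameToken digest, Base64(SHA1(nonce + created + secret)), with the scoped validator standing in for the password. The scope URIs and the dict-shaped token are constructed for the example; the server-side `ValidatorStore.authenticate_token` plays the role of the UsernameTokenManager returning the secret to hash with.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Hypothetical scope URIs (constructed for this example); the post leaves
# open whether the scope is the endpoint address or the operation's Action.
SUBMIT_ACTION = "urn:example:orders:Submit"
CANCEL_ACTION = "urn:example:orders:Cancel"


def derive_validator(password: str, scope_uri: str) -> bytes:
    """Derive a per-scope validator from the cleartext password.

    Assumed derivation (not specified on the page): PBKDF2-HMAC-SHA256 with
    the scope URI as salt, so one password yields a different validator for
    every action. Only the caller ever sees the cleartext.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               scope_uri.encode("utf-8"), 100_000)


def password_digest(nonce: bytes, created: str, secret: bytes) -> str:
    """WS-Security UsernameToken digest: Base64(SHA1(nonce + created + secret)).

    The secret is normally the password; here it is the scoped validator.
    """
    h = hashlib.sha1(nonce + created.encode("utf-8") + secret).digest()
    return base64.b64encode(h).decode("ascii")


def build_username_token(username: str, password: str, scope_uri: str,
                         nonce: Optional[bytes] = None,
                         created: Optional[str] = None) -> dict:
    """Client side: build the UsernameToken fields for one action.

    The validator, not the password, is fed into the digest.
    """
    validator = derive_validator(password, scope_uri)
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, validator),
        "Action": scope_uri,  # the scope this token is presented for
    }


class ValidatorStore:
    """Server side: holds only (username, scope) -> validator, never passwords."""

    def __init__(self) -> None:
        self._validators: Dict[Tuple[str, str], bytes] = {}

    def enroll(self, username: str, password: str, scope_uris: List[str]) -> None:
        # The password is used once at enrollment and then discarded.
        for scope in scope_uris:
            self._validators[(username, scope)] = derive_validator(password, scope)

    def authenticate_token(self, username: str, scope_uri: str) -> Optional[bytes]:
        # Stands in for a UsernameTokenManager returning the secret to hash
        # with; here that secret is the validator for this exact scope.
        return self._validators.get((username, scope_uri))


def verify_token(store: ValidatorStore, token: dict) -> bool:
    """Server side: recompute the digest from the stored validator and compare."""
    validator = store.authenticate_token(token["Username"], token["Action"])
    if validator is None:
        return False
    nonce = base64.b64decode(token["Nonce"])
    expected = password_digest(nonce, token["Created"], validator)
    # Replay protection (a nonce cache plus a Created freshness window) is
    # still required in practice and is omitted here.
    return hmac.compare_digest(expected, token["PasswordDigest"])


if __name__ == "__main__":
    store = ValidatorStore()
    store.enroll("alice", "correct horse battery", [SUBMIT_ACTION, CANCEL_ACTION])
    token = build_username_token("alice", "correct horse battery", SUBMIT_ACTION)
    print("valid for Submit:", verify_token(store, token))
    token["Action"] = CANCEL_ACTION  # same digest presented against another scope
    print("reused for Cancel:", verify_token(store, token))
```

The last two lines of the usage show why scoping to the action matters: a token (or a stolen validator) for Submit does not verify against Cancel, because the server only ever holds and recomputes the validator bound to the scope the token claims.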


Posted Jul 05 2004, 08:41 AM by Aaron Skonnard

Comments

Keith Brown wrote re: Avoiding Cleartext Passwords
on 07-05-2004 9:14 AM
That's what I meant, yes. You can absolutely implement my scheme on top of WSE. I just wish that the original spec had considered this so that the WSE guys would have felt comfortable building in support for something like this from the get go.
Marvin Smit wrote re: Avoiding Cleartext Passwords
on 07-05-2004 9:17 AM
[quote]
Either seems reasonable but using action seems more appropriate to me for some reason.
[/quote]

I would take the 'action' option since it would more explicitly scope it to the action being performed. (one endpoint, many services, different security schemes possible?)

Looking at current implementations, the 'action' level security granularity is preferred by most.

My 2 cents' worth.
JosephCooney wrote Interesting WSE2 UsernameToken Authentication Discussion
on 07-13-2004 8:23 AM
JCooney.NET wrote Interesting WSE2 UsernameToken Authentication Discussion
on 01-31-2005 5:38 AM
