none
WSE 3.0 Security RRS feed

  • Question

  • Hi All,

     

    I am developing a prototype which requires usernametoken to be stored once the client is authenticated.

    The client will call webservice after a secure authentication using WSE 3.0, from then onwards I want this token to be used to call other webservices also.

    The scenario is something like this, -

    Client calls WS-A. WS-A authenticates using usernametoken. Client gets confirmation and subsequent calls to WS-B, WS-C shouldn't be asked for authentication. Meaning after WS-A's form based authentication, the subsequent calls to WS-B, WS-C should be also automatically secured and webmethods should be allowed to be executed.

    Can we share a UsernameToken after authentication. Can someone shed some light in this scenario. ?

    One way I think is if we serialize the usernametoken in someway on server/database then the other WS-B / WS-C can understand the same client call by acknowleging the usernametoken which was serialized in database/filesystem.

    Could you share your experiences here.

    thanks.

    Paresh.

    Tuesday, October 3, 2006 2:18 PM

Answers

  • It sounds like what you want is to implement a Security Token Service (STS) in WSE that your clients and webservices share for authentication so that they can share security tokens.

    Here you'll find detailed information on using the STS functionality in WSE:
    http://msdn.microsoft.com/webservices/webservices/building/wse/default.aspx?pull=/library/en-us/dnpag2/html/wss_ch1_brokauthsts.asp

    There's also an STS implementation based on SAML tokens for WSE 3.0 on gotdotnet:
    http://www.gotdotnet.com/codegallery/codegallery.aspx?id=8da852b9-2c0d-4eb7-a2de-77222a4075f6

    Tuesday, October 3, 2006 3:49 PM

All replies

  • It sounds like what you want is to implement a Security Token Service (STS) in WSE that your clients and webservices share for authentication so that they can share security tokens.

    Here you'll find detailed information on using the STS functionality in WSE:
    http://msdn.microsoft.com/webservices/webservices/building/wse/default.aspx?pull=/library/en-us/dnpag2/html/wss_ch1_brokauthsts.asp

    There's also an STS implementation based on SAML tokens for WSE 3.0 on gotdotnet:
    http://www.gotdotnet.com/codegallery/codegallery.aspx?id=8da852b9-2c0d-4eb7-a2de-77222a4075f6

    Tuesday, October 3, 2006 3:49 PM
  •  

     

    You can also pass the credentials to the other webservices. The webservice has an standard attribute credentials

    Tuesday, October 3, 2006 8:08 PM
  • thanks Thomas,

     

    I was looking in the same direction. I will get back to you after looking at this mentioned url and application.

     

    thanks very much for the prompt and very good answer.

    -Paresh

    Thursday, October 5, 2006 2:37 AM