code access security across the network

Hi,

I have a client/server application where the server uses asp.net web services.

Is there any way I can use code signing, strong names or whatever to verify the identity of the client code across the web service call?

TIA

Andy

There is no reliable way to identify calling code over a network. The only interaction with the calling code is data sent over the wire, and any data used to identify the caller can be spoofed by a malicious caller. Since attempting to verify calling code identity is essentially a waste of time, your efforts would be better placed on ensuring that your web service functions correctly even when invoked by an "unexpected" caller. For most applications, this would involve not trusting self-declared client user identity and re-validating all data on the server side.

<ajf***@blueyonder.co.uk> wrote in message news:1152632395.879802.205480@s13g2000cwa.googlegroups.com...
> Hi,
>
> I have a client/server application where the server uses asp.net web
> services.
>
> Is there any way I can use code signing, strong names or whatever to
> verify the identity of the client code across the web service call?
>
> TIA
>
> Andy
>

There are also plenty of reliable authentication mechanisms that do work with web services, such as all of the various HTTP auth protocols (basic, digest, integrated, client certificates, etc.) and message level protocols like WS-Security as implemented in WSE and WCF. You can certainly provide a reliable authorization framework using one of these to authorize your callers.

You certainly want to validate all inputs carefully, as you should do with any public API.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

"Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message news:ea4ewIQpGHA.756@TK2MSFTNGP05.phx.gbl...
> There is no reliable way to identify calling code over a network. The
> only interaction with the calling code is data sent over the wire, and any
> data used to identify the caller can be spoofed by a malicious caller.
> Since attempting to verify calling code identity is essentially a waste of
> time, your efforts would be better placed on ensuring that your web
> service functions correctly even when invoked by an "unexpected" caller.
> For most applications, this would involve not trusting self-declared
> client user identity and re-validating all data on the server side.
>
> <ajf***@blueyonder.co.uk> wrote in message
> news:1152632395.879802.205480@s13g2000cwa.googlegroups.com...
>> Hi,
>>
>> I have a client/server application where the server uses asp.net web
>> services.
>>
>> Is there any way I can use code signing, strong names or whatever to
>> verify the identity of the client code across the web service call?
>>
>> TIA
>>
>> Andy
>>
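
An added example, not part of the thread or any poster's code: a hypothetical ASMX service that contrasts a method trusting caller-declared identity with one that takes identity from the host's authentication and re-validates input on the server, as the replies above recommend. `OrderService`, its method names, the order-id format and the sample data are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Principal;
using System.Text.RegularExpressions;
using System.Web.Services;

// Hypothetical service: class, method names, id format and data are assumptions.
[WebService(Namespace = "http://example.invalid/orders")]
public class OrderService : WebService
{
    // Constructed sample data: order id -> { owning account, status }.
    private static readonly Dictionary<string, string[]> Orders =
        new Dictionary<string, string[]>
        {
            { "1001", new[] { @"CORP\andy", "shipped" } },
            { "1002", new[] { @"CORP\nicole", "pending" } }
        };

    private static readonly Regex OrderIdFormat = new Regex(@"\A[0-9]{1,10}\z");

    // Weak: userName and clientAssemblyToken are request data like any other
    // parameter, so the server learns nothing about who or what sent them.
    [WebMethod]
    public string GetStatusTrusting(string userName, string clientAssemblyToken, string orderId)
    {
        return Lookup(orderId, userName);
    }

    // Corrected: identity comes from the authentication the host performed
    // (HTTP Basic/Digest/Integrated or a client certificate), never from the message.
    [WebMethod]
    public string GetStatus(string orderId)
    {
        IPrincipal caller = User;
        if (caller == null || caller.Identity == null || !caller.Identity.IsAuthenticated)
            throw new SecurityException("Authentication required.");
        return Lookup(orderId, caller.Identity.Name);
    }

    // Server-side re-validation and authorization, shared by both methods.
    private static string Lookup(string orderId, string account)
    {
        if (orderId == null || !OrderIdFormat.IsMatch(orderId))
            throw new ArgumentException("Malformed order id.", "orderId");
        string[] order;
        if (!Orders.TryGetValue(orderId, out order) ||
            !string.Equals(order[0], account, StringComparison.OrdinalIgnoreCase))
            throw new SecurityException("Unknown order or not authorized.");
        return order[1];
    }
}
```

`User` is only populated when anonymous access is disabled for the service, in IIS or with `<deny users="?"/>` under `<authorization>` in web.config.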