|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
Securing Web ServicesqI want to secure a web service so only authorized client apps can use it.
Will using SSL with an encrypted username and password in the soap header do the job? I know you could potentially capture a post to a web service (or anything sent over the web). Will SSL mean you can't capture the stream to the web service and resend it? I am thinking if the post to the web service contains the username and password then it is useless unless SSL means it can't be captured and reused? Regards. The stream can not be replayed. Each SSL connection has a unique session key
so just replaying an old stream on a new connection will not work Remember to only send a hash of the password and not the full password. This means that you don't have to store actual passwords on the server. Regards, Andy Kendall Show quoteHide quote "Chris" <nospam@nospam.com> wrote in message news:ucJtBbHJHHA.1044@TK2MSFTNGP02.phx.gbl... >I want to secure a web service so only authorized client apps can use it. >Will using SSL with an encrypted username and password in the soap header >do the job? I know you could potentially capture a post to a web service >(or anything sent over the web). Will SSL mean you can't capture the stream >to the web service and resend it? I am thinking if the post to the web >service contains the username and password then it is useless unless SSL >means it can't be captured and reused? Regards. > I forgot to say, a replay attack on the same session is also avoided because
each packet has an incremental sequence number which is remembered by the SSL session. Show quoteHide quote <Andy> wrote in message news:uZrppoOJHHA.3916@TK2MSFTNGP02.phx.gbl... > The stream can not be replayed. Each SSL connection has a unique session > key so just replaying an old stream on a new connection will not work > > Remember to only send a hash of the password and not the full password. > This means that you don't have to store actual passwords on the server. > > > Regards, > > Andy Kendall > > > "Chris" <nospam@nospam.com> wrote in message > news:ucJtBbHJHHA.1044@TK2MSFTNGP02.phx.gbl... >>I want to secure a web service so only authorized client apps can use it. >>Will using SSL with an encrypted username and password in the soap header >>do the job? I know you could potentially capture a post to a web service >>(or anything sent over the web). Will SSL mean you can't capture the >>stream to the web service and resend it? I am thinking if the post to the >>web service contains the username and password then it is useless unless >>SSL means it can't be captured and reused? Regards. >> > > 
Other interesting topics
Impersonating when creating a process from inside a SQL Server Assembly
GetOwner and IdentityNotMappedException AES with SslStream SslStream and Certificates - Not Supported Exception. token elevation Recognising user by their Network login Role-based-Security... just switch it off Validate Signed XML against X.509 Certificate in .NET Validate Signed XML against X.509 Certificate in .NET How to retrieve the domain name for an AD user object? |
|||||||||||||||||||||||
