> We are developing a distributed application, made up of several
> components installed on several machines talking to one another (via
> SOAP for example, ora via .NET remoting).
>
> Suppose those components expose some methods to the outside world:
> this rises two problems.
>
> 1) A malicious user could create its own client component and call a
> public method which, for example, adds 1000$ to a bank account.
> Authorized components legally use tha same method, but how do we
> distinguish between authorized and not-authorized callers? First idea
> coming on my mind: each method receives a parameter identifying the
> caller (an MD5 hash of username and password, for example). What do
> you think about it? I don't like this solution very much as it seems
> redundant to me, but I just can't come up with anything better.
>
> 2) Packet sniffers. Is an encrypted network layer the only solution?
>
> I know that assemblies can be signed: could this be helpful? How does
> the signing work?
>
> I know there's a lot of documentation on the net, I'km asking here
> because I got lost among documents...
>
> Thank you for any help.
>
> Best regards,
> Francesco.

> Yes, I was thinking about insiders too, however the concept is the
> same.
>
> We still haven't deployed anything, but I think we can safely suppose
> that our web services are hosted in IIS and that we have a component
> which manages authentication (I wouldn't use Windows accounts). Once a
> user is authenticated, I guess the problem is passing the info to the
> other components, which takes us back to passing a "security token"
> parameter to all methods. Or maybe a cookie. Am I missing something
> here?
>
> Thank you.
>