WebService Windows Authentication ASP.NET 2.0

Hi,

I have created a web service which I am calling from InfoPath, a WinForms application and an ASP.NET Web Application.

I would now like to implement some security. The web service is only being used inside a corporate network, so I can use Windows-based security.

How secure is it if I use:

<authentication mode="Windows" />

in my web.config, and then put a PrincipalPermission on each method?

Is this the right way of doing it?

Thanks

Henrik.


"Henrik Skak Pedersen" <skak@community.nospam> wrote in message news:egeJ75gSGHA.1728@TK2MSFTNGP11.phx.gbl...

It will be secure as long as you configure IIS to only allow authenticated users (via Basic, Digest and/or IWA).

I'm not a big fan of using the PrincipalPermission as it generally requires you to hard code stuff you should be putting in configuration (user and group names). I like calling IsInRole directly so that you can supply the values at runtime. PrincipalPermission just calls IsInRole under the hood anyway. But, you can use it if you want.

Joe K.


Why not simply use an <authorization> element -

at least with
<deny users="?" />

and if it is granular enough to set the authorization on a file basis - use a location element for individual AuthZ settings for the .asmx files.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com


"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com> wrote in message news:4580be631985cf8c8182f2260ea50@news.microsoft.com...

Thank you both for your replies. If I have to use Dominick's solution I have to refactor my web service, but that is of course an option.

Are there any good examples available when web services are using method based Windows authentication?

Thanks

Henrik

I guess that I could refactor my web service


"Henrik Skak Pedersen" <skak@community.nospam> wrote in message news:eQTTenhSGHA.4608@tk2msftngp13.phx.gbl...

If you have multiple methods in the same asmx file, you can't really use the location and authorization tags. That is unfortunate as they are really clean, but so it goes.

My suggestion is that instead of using the PrincipalPermissionAttribute, you can either create a PrincipalPermission and call its Demand method OR you can do HttpContext.Current.User.IsInRole and use that in an if statement with your error condition of choice. Both do about the same thing.

My original comment about hard coding was directed towards the attribute, not the PrincipalPermission itself. The problem with the attribute is that you have to supply the role or user name at compile time, and that sucks if your principal names are not abstract to your app but are actual Windows principal names. It makes it nearly impossible to move your code between environments in that case.

Anyway, I hope this gives you a good idea.

Joe K.


Hi,

yeah - as I said - if that's granular enough -
I would prefer IsInRole over PrincipalPermission - this is much more flexible and allows you to also work with SIDs if this is necessary (maybe not now - but at some point in the future - e.g. to be independent of locale specific Windows groups)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com


"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com> wrote in message news:4580be631985f68c8186ec4935f20@news.microsoft.com...

Thank you both for your replies.

Henrik.
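The three method-level options Joe K. and Dominick describe (a PrincipalPermission demanded at runtime, a plain IsInRole check, and a SID-based check that survives renamed or localized group names), worked into one ASP.NET 2.0 .asmx service. This is an added example, not code posted by anyone in the thread. It assumes the web.config shown in the leading comment (authentication mode="Windows", deny users="?", and a location element for per-file AuthZ as Dominick suggests), IIS set to Integrated Windows authentication only, and two appSettings keys named OrdersReaderRole and OrdersAdminSid; the group names and the SID are constructed sample values, and the service and method names are hypothetical.

```csharp
// Added example, not from the thread. Assumed web.config (group names and SID constructed):
//
//   <system.web>
//     <authentication mode="Windows" />
//     <!-- "?" is the anonymous user: nothing in the app is reachable unauthenticated -->
//     <authorization><deny users="?" /></authorization>
//   </system.web>
//   <!-- per-file AuthZ: only one group ever reaches Admin.asmx -->
//   <location path="Admin.asmx">
//     <system.web>
//       <authorization>
//         <allow roles="CORP\OrdersAdmins" />
//         <deny users="*" />
//       </authorization>
//     </system.web>
//   </location>
//   <appSettings>
//     <add key="OrdersReaderRole" value="CORP\OrdersReaders" />
//     <add key="OrdersAdminSid"   value="S-1-5-21-1111111111-2222222222-3333333333-1105" />
//   </appSettings>
//
// IIS itself allows Integrated Windows authentication only (anonymous access off).
using System.Configuration;
using System.Security.Permissions;
using System.Security.Principal;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;

[WebService(Namespace = "http://example.invalid/orders/")]
public class OrdersService : WebService
{
    // Principal names come from configuration rather than from attribute
    // arguments baked into the assembly, so one build moves between domains.
    private static readonly string ReaderRole =
        ConfigurationManager.AppSettings["OrdersReaderRole"];
    private static readonly string AdminSid =
        ConfigurationManager.AppSettings["OrdersAdminSid"];

    // Option 1: PrincipalPermission constructed at runtime and demanded
    // imperatively. A null name means "any user in this role"; Demand() throws
    // SecurityException when the caller is not a member.
    [WebMethod]
    public string GetOrder(int id)
    {
        new PrincipalPermission(null, ReaderRole).Demand();
        return "order " + id;
    }

    // Option 2: explicit IsInRole check with an error of our choosing
    // (a SOAP client fault) instead of an unhandled SecurityException.
    [WebMethod]
    public void CancelOrder(int id)
    {
        RequireRole(ReaderRole);
        // ... cancel the order ...
    }

    // Option 3: membership by SID, so a renamed or localized group
    // ("Administrators" vs "Administratoren") does not break the check.
    [WebMethod]
    public void DeleteOrder(int id)
    {
        WindowsPrincipal wp = HttpContext.Current.User as WindowsPrincipal;
        if (wp == null || !wp.IsInRole(new SecurityIdentifier(AdminSid)))
            throw Denied();
        // ... delete the order ...
    }

    private static void RequireRole(string role)
    {
        IPrincipal caller = HttpContext.Current.User;
        // With <deny users="?" /> an anonymous caller never reaches a method,
        // but the check is cheap and keeps each method safe on its own.
        if (caller == null || !caller.Identity.IsAuthenticated || !caller.IsInRole(role))
            throw Denied();
    }

    // ClientFaultCode marks the fault as the caller's problem (authorization)
    // without telling the caller which role would have been required.
    private static SoapException Denied()
    {
        return new SoapException("Access denied.", SoapException.ClientFaultCode);
    }
}
```

Options 1 and 2 are the two forms Joe K. contrasts and behave the same apart from the exception type; option 3 is Dominick's SID variant and needs the user to be a WindowsPrincipal, which is what Windows authentication in ASP.NET produces. The location element in the comment covers the whole-file case; once several methods with different requirements share one .asmx, the per-method checks in the class are what enforce the difference.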