Storing Credentials for Web Service Authentication

Topics: CAB & Smart Client Software Factory
Jan 9, 2006 at 11:33 AM
originally posted by: ProactiveLogic

Hi,

I would like to have a single login form launch when my CAB application launches, and then use the user name and password input there to use to authenticate against WSE 3.0 web services that are protected via username/password. Each of my loaded modules would need to access web services protected with these credentials.

Does anyone have any good ideas for loaded modules to gain access to these values? I know I can store them in a shared state in the rootWorkItem, but is there any better way? I have not come up with a better way than this, and this lets the username and password values be seen by all loaded modules.

The web services need to be secured, but the username password values should ideally be secured as well.

Any ideas?

Thanks,
Jon

Jan 10, 2006 at 3:42 AM
originally posted by: ProactiveLogic

I ended up making a custom authentication module, that derives from WorkItem. It does a custom prompt for credentials, which was discussed in other threads here (thanks for sharing!). I then created another service UserNameTokenBuilderService, that I instantiate from the custom authentication service and then manually create and register the UserNameTokenBuilderService with the RootWorkItem. The UserNameTokenBuilderService stores the credentials in memory. Other Modules use this service by calling UserNameTokenBuilderService.SetSecurity(webservice), which sets up the UserName token and the WSE 3.0 policy.

This still leaves the credentials open to module developers at run-time, but it was the best I could think of for now.

Any thoughts?

Jan 11, 2006 at 7:55 AM
originally posted by: Robl

Could you guys point me to a good source for information about implementing username/password security for web services with WSE 3.0.

My basic questions are:

1. Do I pass the username/password only when getting a reference to the service or for each WebMethod call?

2. Are you using SSL tunnel to web service in order to protect username/password? If not, what method?

I've read articles and documentation for WSE but they usually go into complex "Kerbado, et. el." scenarios and I simply need help to implement a "relatively" secure user/pass so the public cannot freely access my services.

TIA,
Rob

Jan 11, 2006 at 8:35 AM
originally posted by: ProactiveLogic

I'll be writing an article on this over the next few days. I'll post a link.

But to answer your immediate questions...

1. Do I pass the username/password only when getting a reference to the service or for each WebMethod call?

- The soap message will have it for each call. You will need to set it up for each web service instance you create.

2. Are you using SSL tunnel to web service in order to protect username/password? If not, what method?

- SSL, because I don't need to pass the message through intermediaries.
Also, I don't like password digest because it means you have to be able to retrieve the shared secret (password) in plain text to pass it to WSE so that it can hash it and compare the hash values. I like to store hashes in the database.

If I needed to route messages I would consider X.509 certificates, and some of the more complex scenarios the WSE group has put together.

Let me know if you have any further questions.
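An added sketch (not code from this thread) of the UserNameTokenBuilderService design Jon describes in his second post, combined with the plain-text-over-SSL choice from this reply: one service holds the login-form credentials, and modules hand it a proxy instead of reading the password. It assumes the WSE 3.0 UsernameToken / WebServicesClientProtocol API, a named policy entry in wse3policyCache.config, and that the password is kept as a SecureString rather than exposed as a string property; the CAB registration call in the comment is an assumption about the SCSF service collection.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using Microsoft.Web.Services3;                 // WebServicesClientProtocol
using Microsoft.Web.Services3.Security.Tokens; // UsernameToken, PasswordOption

// Hypothetical counterpart of the UserNameTokenBuilderService from the thread.
// Register once from the authentication WorkItem (assumed CAB call):
//   RootWorkItem.Services.Add<UserNameTokenBuilderService>(service);
public sealed class UserNameTokenBuilderService
{
    private readonly string _userName;
    private readonly SecureString _password;   // no plain-string password property
    private readonly string _policyName;       // name of a policy in wse3policyCache.config

    public UserNameTokenBuilderService(string userName, SecureString password, string policyName)
    {
        if (string.IsNullOrEmpty(userName)) throw new ArgumentNullException("userName");
        if (password == null) throw new ArgumentNullException("password");
        _userName = userName;
        _password = password.Copy();
        _password.MakeReadOnly();
        _policyName = policyName;
    }

    // Modules call this with their WSE proxy; the token and policy are attached per instance,
    // which matches "set it up for each web service instance you create".
    public void SetSecurity(WebServicesClientProtocol proxy)
    {
        if (proxy == null) throw new ArgumentNullException("proxy");
        // SendPlainText only makes sense inside the SSL tunnel; refuse plain http endpoints.
        if (!proxy.Url.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Plain-text UsernameToken requires an https endpoint: " + proxy.Url);

        // SendPlainText (not SendHashed) so the service can verify against a stored password hash
        // instead of having to retrieve the clear-text shared secret.
        UsernameToken token = new UsernameToken(_userName, ToClearText(_password), PasswordOption.SendPlainText);
        proxy.SetClientCredential(token);
        proxy.SetPolicy(_policyName);
    }

    // Decrypts the SecureString only for the moment the token is built.
    private static string ToClearText(SecureString secret)
    {
        IntPtr bstr = Marshal.SecureStringToBSTR(secret);
        try { return Marshal.PtrToStringBSTR(bstr); }
        finally { Marshal.ZeroFreeBSTR(bstr); }
    }
}
```

The token object itself still carries the clear-text password, so this narrows what other modules can reach through the service rather than removing the in-memory exposure Jon notes.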

Jan 11, 2006 at 10:51 AM
originally posted by: Robl

Thanks, looking forward to your article