D'Arcy from Winnipeg
Solution Architecture, Business & Entrepreneurship, Microsoft, and Adoption

WSE, SSL, or Both?

Monday, August 18, 2008 11:41 PM


Ok, so here’s the situation:

Application calls a web service over SSL.

Here’s the question:

Do you use WSE to perform authorization, or do you roll your own auth mechanism (i.e. send a GUID down and pass it back and forth, with the server managing the GUID list)?

I looked at the WSE samples from MSDN, and it just looked like way too much overhead for a message that is going to travel point to point and compared to how simple it would be to create, send, and manage a GUID list on the server for authentication…all while this gets sent over SSL.

But am I missing something here? Looking for thoughts, security gurus!

D




Feedback

# re: WSE, SSL, or Both?

Hi,

We use UserTokenOverTransportSecurity (if I remember correctly).

SSL encrypts the comms; we also use client certificates to give some assurance that the comms line is authentic (i.e., we know everyone who has a valid cert). We then use a custom authentication provider (all in WSE) that validates the user token against our DB.

The GUID doesn't sound like it will solve anything. The thing is, how do you assess that the GUID is valid on the initial request?

Paul. 8/19/2008 5:53 AM | Paul Kinlan

# re: WSE, SSL, or Both?

Thanks for the comment Paul.

So if I understand you correctly though, all the apps that use your service have a client cert that they use to validate that they indeed have access to the service?

The GUID won't exist on the initial request: username/password. But I get what you're saying: using WSE will ensure that *only* those that should have access to the service have access to it, as opposed to letting anyone in and then checking their validation at the door.

That makes sense... it's not about securing the data, it's about securing the access.

Thanks again.

D 8/19/2008 8:55 AM | D'Arcy from Winnipeg

# re: WSE, SSL, or Both?

As others have said, SSL only tries to prevent others from seeing people's data and is not an authentication method. This would prevent people from seeing someone's username/password pass over the wire.

As Paul said, you can use client certificates, but they are harder to revoke than simply removing the user from whatever system you are using to manage users.

I am not sure what you are trying to achieve with the GUID idea myself, so I might need a bit more on that. I have seen web services have a login method, and once the user has authenticated that is stored in session state. Every other method exposed on the service has a check to make sure the user is authenticated. I personally don't like that method, as it is easy to forget an auth check in a method, and security is more of an AOP implementation. 8/19/2008 9:49 AM | Dave Woods

# re: WSE, SSL, or Both?

@Dave: The GUID idea is the mechanism for what you described in your last paragraph:

- User logs in to web service. Web service authenticates user and returns a GUID value to the client.

- User executes a web service method, passing the GUID value as a parameter

- Web Service validates the GUID against an internal list/table of active GUID values to allow/deny executing the method.

I see what you're saying about the requirement for every web method to need to do the check. In this scenario, we're talking about only a few web services though.

Thanks Dave!

D 8/19/2008 10:17 AM | D'Arcy from Winnipeg

# re: WSE, SSL, or Both?

The GUID idea can lead to issues.

If I can steal the GUID from another user then I can impersonate that user by calling any method with that GUID. Just because it is hard to steal the GUID does not mean it is not possible.

I would try to steer away from writing your own authentication method, as the people who have written the other protocols have already taken a lot of these things into consideration and have a system that mitigates these kinds of attacks.

I have not implemented any secure WS services, so I cannot share my knowledge on how to do it, unfortunately. I looked at the token stuff that Paul mentioned and it looks fairly promising. I found a good article on it here: http://msdn.microsoft.com/en-us/library/aa480575.aspx 8/19/2008 11:14 AM | Dave Woods
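To make the thread's two points concrete (D'Arcy's login-returns-a-GUID scheme, and Dave's objections that a stolen token impersonates the user and that a per-method check is easy to forget), here is an added example, not code from the original post or from WSE: the server-side token registry with a random token, an idle expiry, immediate revocation, and a decorator that applies the check to every service method. The user store, TTL and service class are constructed for illustration.

```python
import hmac
import secrets
import time
from functools import wraps
# Constructed user store standing in for the service's own DB (example only).
_USERS = {"alice": "correct horse battery staple"}
TOKEN_TTL_SECONDS = 900  # a stolen token stops working after 15 minutes idle
class SessionRegistry:
    """The thread's 'internal list/table of active GUID values', plus expiry and revocation."""
    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._active = {}    # token -> (username, expiry timestamp)
        self._ttl = ttl
        self._clock = clock  # injectable so tests can move time forward
    def login(self, username, password):
        stored = _USERS.get(username)
        # compare_digest keeps timing independent of where the strings first differ
        if stored is None or not hmac.compare_digest(stored, password):
            return None
        token = secrets.token_hex(16)  # 128 random bits: GUID-sized, but unpredictable
        self._active[token] = (username, self._clock() + self._ttl)
        return token

    def user_for(self, token):
        entry = self._active.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if self._clock() > expiry:
            del self._active[token]  # expired: the client must log in again
            return None
        return user

    def revoke(self, token):
        self._active.pop(token, None)  # logout or incident response: dead immediately
def requires_session(method):
    """Wraps every service method so the token check cannot be forgotten."""
    @wraps(method)
    def wrapper(self, token, *args, **kwargs):
        user = self.registry.user_for(token)
        if user is None:
            raise PermissionError("invalid or expired session token")
        return method(self, user, *args, **kwargs)
    return wrapper
class OrderService:
    def __init__(self, registry):
        self.registry = registry
    @requires_session
    def list_orders(self, user):
        return [f"order-1 for {user}"]  # constructed payload
```

The token is only as safe as the SSL channel that carries it, which is why the expiry and revocation paths matter as much as the lookup itself.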

# re: WSE, SSL, or Both?

Javascript! :D 8/19/2008 9:00 PM | Robz

# re: WSE, SSL, or Both?

JavaScript!! :D 8/19/2008 9:01 PM | Robz
