Blog Home  Sign In RSS 2.0 Atom 1.0 CDF  

  def Softwaremaker() :
         return "William Tay", "<Challenging Conventions />"

  knownType_Serialize, about = Softwaremaker()
 

Archive
<June 2013>
SunMonTueWedThuFriSat
2627282930311
2345678
9101112131415
16171819202122
23242526272829
30123456

Previous Blog | Current Blog
July, 2012 (1)
March, 2012 (1)
November, 2011 (1)
September, 2011 (1)
August, 2011 (1)
June, 2011 (1)
April, 2011 (2)
March, 2011 (2)
December, 2010 (3)
May, 2010 (3)
January, 2010 (1)
December, 2009 (1)
November, 2009 (2)
October, 2009 (1)
September, 2009 (1)
August, 2009 (1)
May, 2009 (2)
April, 2009 (2)
January, 2009 (2)
October, 2008 (1)
June, 2008 (1)
May, 2008 (1)
April, 2008 (3)
February, 2008 (6)
January, 2008 (2)
December, 2007 (1)
November, 2007 (2)
October, 2007 (3)
September, 2007 (3)
August, 2007 (6)
July, 2007 (1)
June, 2007 (2)
May, 2007 (6)
April, 2007 (2)
March, 2007 (3)
February, 2007 (5)
January, 2007 (4)
December, 2006 (2)
November, 2006 (2)
October, 2006 (5)
September, 2006 (15)
August, 2006 (6)
July, 2006 (3)
June, 2006 (5)
May, 2006 (7)
April, 2006 (2)
March, 2006 (9)
February, 2006 (6)
January, 2006 (13)
December, 2005 (4)
November, 2005 (10)
October, 2005 (12)
September, 2005 (15)
August, 2005 (8)
July, 2005 (13)
June, 2005 (13)
May, 2005 (7)
April, 2005 (12)
March, 2005 (17)
February, 2005 (20)
January, 2005 (19)
December, 2004 (19)
November, 2004 (27)
October, 2004 (15)
On this page
Real World UsernameToken Authentication Scenarios with WSE2.0
Categories
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Navigation Links
Home
Site Home
Site Geographical Location
.NET Architecture Center - MSDN
IBM Redbooks
MSDN Web Services Center
Web Services Enchancements - MSDN
Web Services Interoperability - MSDN
Advanced Web Services - MSDN
DemoServers - MSDN Virtual Labs
WCF - Microsoft Technical Forums
WCF - Documentation
Plumbwork Orange
Pattern Share
GDN Workspaces
GDN CodeGallery Projects
WebServices.xml.com
MVP.XML Project
International Association of Software Architects
WSE FAQs
SSDL
MSDN Magazine
Web Services Journal (.NET J2EE XML)
www.choreology.com
Domain Specific Language Tools (VSTS 2005)
BabelFish at AltaVista
Mandarin Tools
My Aggregated RSS News Feeds
Berkeley Tech-Style Puzzles
Aggregated View of my articles
Softwaremaker Radio Blog
Affiliations
Contact
Email
Short Message Service (SMS)
Skype
Translations

Powered by: newtelligence dasBlog 1.9.6264.0

DasBlog 'Portal' theme

Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.

© Copyright 2013, William T 
 Thursday, November 04, 2004
« Service Orientation == Empowerment of th... | Main | Continuing: Real World UsernameToken Authentication Scenarios with WSE2.0 »
Real World UsernameToken Authentication Scenarios with WSE2.0

It sure is great to see many people beginning to experiment and use Web Services Enhancements (WSE) 2.0. Many people I speak to and come across today are still trying to grasp the security features of WSE.

I had blogged about this earlier in my old weblog host here. However, I will just summed it up for interested parties in this post.

...While the Documentation of WSE 2.0 teaches on how to authenticate a usernameToken from a client request against a database query [I print it here for your benefit]:

Protected Overrides Function AuthenticateToken(userName As UsernameToken) As String

'BLAH BLAH BLAH
'You are supposed to be reading from a returned Database query based on the UsernameToken.userName property.
'Then you are supposed to return the Password that is returned from the DB Query here

End Function

However, it doesnt touch on one of the best practices of Security of storing passwords into a database which is to hash userpasswords and then store it in the DB. So the question is how do we compare then ?

Bearing in mind the constraints of

  1. Passwords must be sent from the client in PlainText Form so the service can hash it and compare against the database
  2. Passwords cannot be sent in Hash Digest form as the service would have NO idea on how to re-engineer the actual password from the Hash Digest

I suggest a couple of alternatives to solve this problem....Most of what you choose will depend on very much how much control you have over the client

  1. SSL it [The ugliest, expensive and least scalable way...but requires the least coding work]
  2. Send the username, password in ClearText Via the usernameToken. However, encrypt this entire usernameToken before sending it over. The pipelines of WSE will handle the decryption for you. Once it reaches your service application, you will know what the ClearText password is. Hash it and then do a straight comparison of the Hash Digest against the one returned from the Database. This method assumes that the server has the Private Key portion of an asymmetric token such as a X509 Digital Certificate or even the service has a X509 Digital Certificate to begin with and it also assumes the knowledge of the Hash Algorithm method employed by the user DB.

While the documentation may be poor, the extensibility of the UsernameTokenManager is great ! I will reproduce snippets of option [2] for your benefit

[Calling Client]

Dim a As localhost.IndexWse = New localhost.IndexWse

'Send PlainText Password across so that the Service can hash Digest
'this value for comparison later
Dim ut As UsernameToken = New UsernameToken _
("TestAccount", "TestPassword", PasswordOption.SendPlainText)

'Include the usernameToken in the message so the Server can verify that
'this usernameToken actually came from you
a.RequestSoapContext.Security.Tokens.Add(ut)

'Blah - Find the Service Public Key of its X509 Cert so only the Service
'can decrypt and read this Token
Dim store As X509CertificateStore = _
X509CertificateStore.CurrentUserStore(X509CertificateStore.OtherPeople)
store.OpenRead()

Dim cert As X509Certificate = store.FindCertificateByKeyIdentifier _
(Convert.FromBase64String("bBwPfItvKp3b6TNDq+14qs58VJQ="))(0)

Dim tok As X509SecurityToken = New X509SecurityToken(cert)

'Sign and Encrypt everything in the message. Beware of the Payload !
a.RequestSoapContext.Security.Elements.Add(New MessageSignature(ut))
a.RequestSoapContext.Security.Elements.Add(New EncryptedData(tok, "#" & ut.Id))
a.RequestSoapContext.Security.Elements.Add(New EncryptedData(tok))

'VOILA
MessageBox.Show(a.HelloWorld)

[Service Side]

Public Class CustomUsernameTokenManager
Inherits UsernameTokenManager

Protected Overrides Function AuthenticateToken(ByVal token As UsernameToken) As String

Dim pw As String = token.Password

'Employ the same Hash function on the password that you deployed saving the passwords
'into the User DB
Dim hpw as string = userDBHash(pw)

'Compare the hpw result with the one returned from the oledbReader from the Database
'with the username as the Reference
'If it matches, return the same password from the Token
Return token.Password
'Else
Return "A Password that is impossible to GUESS"

End Function 'AuthenticateToken
End Class 'CustomUsernameTokenManager

If you check your diagnostics and the SOAP Message Tracing Files, you will notice that the entire usernameToken is encrypted and nothing is sent over in ClearText even tho the passwordOption is set to SendPlainText.

 |  | 
Thursday, November 04, 2004 5:46:54 AM (Malay Peninsula Standard Time, UTC+08:00)  #    Disclaimer 
  • Blog reactions

    		•