Ankit57
Member
2 Points
3 Posts
RESTFul WCF Service Authentication
Apr 30, 2012 05:52 PM
I have an application which exposes a service that is consumed by the web application via jQuery POST and by other applications (iPad, Android, etc.). I have to create an authentication system which is highly safe but still fast enough.
I thought of making a token which will be passed to the application on login and which will be used for a specific amount of time (say 30 mins), after which it should refresh itself and not expire the session. So I thought of sending a request to a service which will generate the token. It will accept
1. UserId
2. Password (both encrypted with public key)
3. AppId
The server will decrypt the request with the private key and generate a token which will be valid for a specific time. Now since this would highly depend on the private key (which will be the same and thus someone from within the system can leak it and misuse it), I want the private key to be refreshed after a specific time (say 2 hrs).
Question -
1. How do I refresh the private key and ensure that the currently issued tokens will not be rejected?
2. Is there a better way of doing it?
UstesG
Contributor
2128 Points
459 Posts
Re: RESTFul WCF Service Authentication
Apr 30, 2012 06:41 PM
I use a custom soapheader like such:
I use a custom SoapHeader like such:

    Imports System.Web.Services.Protocols
    Imports Microsoft.VisualBasic

    Public Class AuthenticationHeader
        Inherits SoapHeader
    #Region "Fields"
        Public Password As String
        Public Username As String
    #End Region 'Fields
    End Class

Then all my web service calls are as such:

    ' The SoapHeader attribute below names a public field on the service class
    ' that receives the header; IsAuthenticated() is my own check against it.
    Public AuthHeader As AuthenticationHeader

    <System.Web.Services.WebMethod(), _
     SoapHeader("AuthHeader")> _
    Public Function SomeWebSvcCall(id As String) As String
        Dim result As String = "Default Message"
        If IsAuthenticated() Then
            Try
                'main code here
            Catch ex As Exception
                result = ex.Message.ToString
            End Try
        Else
            result = "NOT AUTHORIZED!"
        End If
        Return result
    End Function

Please Mark as Answer if You Find Useful!
But don't expect me to do your job!
BrockAllen
All-Star
27574 Points
4912 Posts
MVP
Re: RESTFul WCF Service Authentication
Apr 30, 2012 07:12 PM
Why not use basic authentication over SSL?
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
Steven Cheng...
Contributor
4199 Points
548 Posts
Microsoft
Moderator
Re: RESTFul WCF Service Authentication
May 02, 2012 11:03 AM
For a WCF REST service, since it is based on plain HTTP, we can either use the built-in authentication methods provided by IIS such as Windows or basic authentication, or use Federation/WIF to implement OAuth-like authentication:
#WCF (REST) Service With Federated Authentication
http://social.technet.microsoft.com/wiki/contents/articles/4067.wcf-rest-service-with-federated-authentication.aspx
#Using WIF for securing REST Service
http://zamd.net/2010/07/31/using-wif-for-securing-rest-service/
For your case, you want to refresh the decryption private key at the server side. I think this will surely cause the existing issued public key to become invalid. You need to define a certain negotiation method for the client and server to exchange and synchronize public keys.
Feedback to us
Microsoft One Code Framework
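One way to get the key refresh the original question asks for (and to avoid the client/server key synchronisation problem Steven Cheng raises) is to version the server keys: each token carries the id of the key that signed it, a new key takes over signing on schedule, and a replaced key is kept for verification only until every token it could have signed has expired. The code below is an added example, not code from any poster in this thread; it uses HMAC signing keys held only on the server instead of the RSA pair described in the question, and `TokenService`, `issue` and `verify` are hypothetical names.

```python
import base64, hashlib, hmac, json, secrets, time

TOKEN_TTL = 30 * 60       # token lifetime: 30 minutes (from the post)
KEY_ROTATION = 2 * 3600   # key refresh interval: 2 hours (from the post)

class TokenService:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable clock so rotation can be exercised offline
        self.keys = {}          # kid -> {"secret", "created_at", "retired_at"}
        self.current_kid = None
        self.rotate()

    def rotate(self):
        """Sign with a fresh key from now on; older keys remain for verification only."""
        now = self.clock()
        if self.current_kid is not None:
            self.keys[self.current_kid]["retired_at"] = now
        # A retired key is dropped only after every token it could have signed has
        # expired, so a rotation never rejects a token still inside its 30-minute window.
        for kid in [k for k, v in self.keys.items()
                    if v["retired_at"] is not None and v["retired_at"] + TOKEN_TTL < now]:
            del self.keys[kid]
        self.current_kid = f"k{int(now)}-{secrets.token_hex(4)}"
        self.keys[self.current_kid] = {"secret": secrets.token_bytes(32),
                                       "created_at": now, "retired_at": None}

    def _sign(self, kid, body):
        return hmac.new(self.keys[kid]["secret"], body, hashlib.sha256).hexdigest()

    def issue(self, user_id, app_id):
        """Called once the credentials have been checked; returns 'payload.signature'."""
        now = self.clock()
        if now - self.keys[self.current_kid]["created_at"] >= KEY_ROTATION:
            self.rotate()       # refresh is due; clients never notice the change
        payload = {"kid": self.current_kid, "uid": user_id, "app": app_id,
                   "exp": now + TOKEN_TTL}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode())
        return body.decode() + "." + self._sign(self.current_kid, body)

    def verify(self, token):
        """Return the payload if the key is known, the MAC matches and it is unexpired."""
        try:
            body, sig = token.split(".", 1)
            payload = json.loads(base64.urlsafe_b64decode(body))
            kid = payload["kid"]
        except (ValueError, KeyError, TypeError):   # malformed token or payload
            return None
        if kid not in self.keys or not hmac.compare_digest(self._sign(kid, body.encode()), sig):
            return None         # unknown/long-retired key, or forged signature
        return payload if payload.get("exp", 0) > self.clock() else None
```

The retention rule means a leaked key stays usable by an attacker for at most its signing period plus one token lifetime, so the interval chosen for `KEY_ROTATION` bounds that exposure directly.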