Chapter 15: Managing Identity with Windows CardSpace



Overview

After completing this chapter, you will be able to:

  • Describe the purpose of Windows CardSpace.

  • Use Windows CardSpace with a WCF service to provide claims-based security.

  • Summarize how you can employ claims-based security to implement a federated security scheme.

Security is an important, if not vital, feature of most commercial Web services and applications. Throughout this book you have seen some of the mechanisms that WCF provides to help you protect Web services and client applications. At the heart of these mechanisms is a scheme enabling a Web service to identify the user running the client application calling into the Web service. The means of identification is frequently a username and password, a certificate, or possibly a Kerberos token. After a Web service has established the identity of the user running the client application, it can then authorize or deny access to the operation requested by the user based on this identity. This use of identity to determine authorization has some interesting privacy implications. For example, if all a Web service needs to know is your age, do you really want to divulge your full identity? Consider the following real-world situations:

  • Being a football fan, I used to regularly visit the supporters club of my local football team. On match days, you had to be a member of the club to be allowed in (at other times, anyone could enter). All members were issued with membership cards, and on entering the club, I was obliged to show my card to the person on the door. As long as I had this card and could show it, I could get in. The door attendant was never actually interested in the details on the card (my name and membership number), just the fact that I actually had one.

  • If I pay for goods in a shop by using a credit card, the vendor does not need to know my full name, address, age, or even my inside leg measurement. She just needs to be confident that the credit card I am using is valid and that I have the necessary rights to use it (she will probably also do an initial visual check, just to make sure I am not using a credit card belonging to “Miss Jones” if I have a beard and a moustache, but on the Internet it is not yet possible to perform this type of validation). This scenario is actually a little more complicated than the previous one, as the vendor does not have access to the information needed to prove the validity of the card (strictly speaking, the door attendant at the football club cannot be totally sure that my membership card is not a forgery, but the quick examination performed by the door attendant usually provides an adequate level of security given the circumstances). Instead, the vendor asks the credit card company to verify my claim that this is my credit card, usually by asking me to type my PIN on a terminal connected to the credit card company’s computers. The vendor then waits for the credit card company to respond that (1) the card is genuine and valid, and (2) I know the PIN for the credit card and therefore I am probably the real card holder rather than some impostor who found it lying in the street (we all know this is not foolproof, but it is the best mechanism that the credit card companies have at this point).

These are two examples of claims-based security. A claim is simply a facet of my identity that is relevant to the operation being performed. In the first case, the door attendant was able to verify my claim that I was a member of the club by seeing that I had a membership card; possession of the card was taken as sufficient proof of my identity. In the second case, the vendor required that my claim to be the valid holder of the credit card be verified by a trusted third party.

You can apply claims-based security to Web services as well as real-world situations. In contrast to a traditional identity-based system, in a claims-based system, the Web service does not necessarily need to know who I am, just that I should be allowed to use it. WCF enables you to integrate claims-based security into your services and client applications by using Windows CardSpace. This is the subject of this chapter.
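One way a WCF service might act on a single claim in the way this chapter describes, granting access on a date-of-birth claim alone and never looking at name or address claims, as an added illustration that is not code from the book (the class name, the 18-year threshold and the way the claim value is parsed are assumptions):

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IdentityModel.Claims;
using System.ServiceModel;

// Hypothetical authorization manager: the service only needs to know the caller is
// old enough, so this is the only claim it inspects (it ignores name, address, etc.).
public class MinimumAgeAuthorizationManager : ServiceAuthorizationManager
{
    public const int MinimumAge = 18;   // assumed threshold for this example

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        // Keep the base check; it enforces any other policy configured on the service.
        if (!base.CheckAccessCore(operationContext))
            return false;

        IList<ClaimSet> claimSets =
            operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets;
        return IsOldEnough(claimSets, MinimumAge, DateTime.UtcNow);
    }

    // Pure decision logic, separated from the host so it can be exercised on its own.
    public static bool IsOldEnough(IEnumerable<ClaimSet> claimSets, int minimumAge, DateTime today)
    {
        foreach (ClaimSet claimSet in claimSets)
        {
            // Like the vendor trusting the card company, a real service would also check
            // claimSet.Issuer against the identity provider it trusts before using a claim.
            foreach (Claim claim in claimSet.FindClaims(ClaimTypes.DateOfBirth, Rights.PossessProperty))
            {
                DateTime dob;
                if (!TryGetDate(claim.Resource, out dob))
                    continue;   // malformed claim value: ignore it rather than fail open
                int age = today.Year - dob.Year;
                if (dob > today.AddYears(-age)) age--;   // birthday not yet reached this year
                if (age >= minimumAge)
                    return true;
            }
        }
        return false;   // no acceptable claim presented: deny by default
    }

    private static bool TryGetDate(object resource, out DateTime value)
    {
        if (resource is DateTime) { value = (DateTime)resource; return true; }
        return DateTime.TryParse(resource as string, CultureInfo.InvariantCulture,
            DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out value);
    }
}
```

The manager is attached to a service through the serviceAuthorization behavior's serviceAuthorizationManagerType attribute in the service configuration.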




Microsoft Windows Communication Foundation Step by Step (Step By Step Developer Series)
ISBN: 0735623368
Year: 2007
Authors: John Sharp
