Monthly Archives: October 2004

Installed Blink on a non-tablet

I really like posting from my little off-line blogging application so I have installed it on my desktop. Even without using the ink features, it is way better than posting online.

That is a big win for me, since I kept working on the program until there was nothing in it that bugged me anymore and now I really like it! Now if only I could draw a little smiley face right here. 🙂

Posted from BLInk!

WSE – never say die

(re my I give up on wse2 without x509 post) I followed another thought this morning and was able to get one form of encryption working although it’s not totally satisfactory.

By signing my requests with a username token (and policy automatically uses a derived key token of that) I can just use that token to encrypt the response. I was having a problem with this because my policy was missing one little piece of info – I hadn’t told the policy that the token used for signing was also supposed to be an identity token. So it just was failing and failing and I had decided that I was trying to do something that you weren’t supposed to do. And because I’m coding against a remote server, I had to create the policy manually (with the help of some copy and paste, though). Check this post for the reason why, and a follow-up in the WSE newsgroup for the thread I started titled “config tool and policy for remote server”, where Hervey Wilson explains that this is by design and is being reconsidered for WSE3.

It’s a bad solution, but better than nothing. And it’s not great because the real roadblock is that implementing secureconversation is the thing that is truly difficult without the x509 web server certificate (or kerberos).

So I am replacing a non-WSE solution that did create an authorization ticket which I could use for a number of transactions, with a solution that will require the usernametoken to be authorized on every single request at the server. In the case of my client, this is an app that I own both ends of and the webserver and sqlserver are on the same box, so I am not going to make myself any more nuts over this – since the processing time is nominal and this is not like some banking application with millions of users.

But – let’s be clear here – this is a “better than nothing” solution; however, it is NOT a highly recommended one if you have any care about the quality of the security you are providing.

WSE2 without X509 (ahh, that again)

Since I have no idea when the admins responsible for my client’s servers will put an x509 cert on the webserver, I have decided to set aside all of the work I have been doing to apply WSE2 to one of their existing applications and get on with my life. I have learned a lot. I will continue to dig into WSE2 because it fascinates me and has opened up a huge door for me. But I don’t foresee any real-life implementations any time soon. Which I hate. This application demands that I be able to encrypt my responses. With WSE1, I could create my own “shared secret” key in the client app and the same one in the web services and then on the client end insert <decryptionkeyprovider> into the app.config to point to my decryption key. That was the recommended way but now it’s been deemed “too insecure” and taken away. Although with WSE2 we have WS-Trust and the ability to create and issue custom security context tokens from the web server, this method still requires a server certificate to make it possible for humans to implement it. I need to get on to other projects for this client as well as the myriad other commitments I am worried about falling behind on. In fantasyland I would love to just keep playing and playing with this. Oh well.

Oh – I should mention the Kerberos token option. It’s not an option, since I can’t count on all of the clients being on Windows XP.

Vermont Software Developers Alliance Meeting 10/26

The next meeting (our first speaker event!) of VTSDA is Tuesday 10/26. We have as our speaker Stan Eames, President and CEO of Synergy Software. See details about the speaker and presentation on the VTSDA website. The meeting is from 11:45 – 2:00. Lunch will be catered and is looking very yummy. The meeting fee is $8 for members and $15 for non-members. We will be raffling off the book Professional Software Development by Steve McConnell (author of Code Complete), which was donated by the publisher, Addison-Wesley, as well as a Symbol barcode reader for Compaq iPAQ Pocket PCs donated by EQ2.

This meeting is sponsored by ProClarity.

Rory’s second year at XML DevCon

Last year Rory was just another [weird] guy at the XML DevCon. Then he wrote about seeing Chris Sells and Don Box in the men’s room. And he wrote and he wrote and he wrote. Now Rory is a Microsoft employee (in a dream job for him) and is back at XML DevCon only 1 year later (well, not really one year, since last year’s was in July) and whadya know, in case you haven’t heard yet, he’s writing hilarious stuff about the conference.

It’s interesting reading Rebecca Dias’ analysis of Tim Bray’s talk and then reading Rory’s. And so far Becky’s got the best shoes.

Fun with XML DevCon from 3,000 miles away

There are so many great postings from each session. Becky Dias, Shawn Morrissey, Chris Pels, Robert Hurlbut and John Gossman (oh, and Scott Hanselman, too!) have been keeping us well informed, and probably others too that I haven’t read. So I am definitely feeling in the spirit, sitting here with some Chili Lime Tortilla chips, tomatillo salsa and a Corona, reading about Tim Bray’s, Chris Anderson’s, Don Box’s and even a talk that thrilled all of the gamers from the Dept of Defense.

Of course I wish I was there. Well, no I wish the whole conference was here! 🙂

Posted from BLInk!