
Remoting Security (Web Services)

A client that I am currently helping out was concerned that the web service a previous developer had written for him used hard-coded credentials for consumption, which is obviously poor practice: it is better to retrieve credentials from the requesting user or to read them from a secure source. He was wondering whether this was indeed the case and, if so, what could be done to change the authentication scheme to something like NTLM authentication.

After examining the application source, I saw that there were indeed hard-coded credentials in the channel sink properties.

C#:
  // The username, password and domain are string literals compiled into the client.
  IJobServer obj = (IJobServer)Activator.GetObject(
      typeof(IJobServer),
      "http://sharepoint/WebService/webpart.soap");
  ChannelServices.GetChannelSinkProperties(obj)["username"] = "username";
  ChannelServices.GetChannelSinkProperties(obj)["password"] = "password";
  ChannelServices.GetChannelSinkProperties(obj)["domain"] = "domain";

The ChannelServices class is an important remoting class because it facilitates actions such as registering listening channels. For example:

C#:
  // Register an HTTP channel listening on port 5000.
  HttpChannel myJobChannel = new HttpChannel(5000);
  ChannelServices.RegisterChannel(myJobChannel);

The GetChannelSinkProperties method is useful when you have a transparent proxy reference and want to get back an IDictionary of the relevant properties. In this case the properties being set are the credential properties, but they could really be anything:

C#:
  // ProxyRef is the transparent proxy; the dictionary is keyed by property name.
  IDictionary channelProperties =
      ChannelServices.GetChannelSinkProperties(ProxyRef);
  channelProperties["propname"] = propertyValue;

Hard-coding the values is typically an acceptable practice if the credentials you pass explicitly in clear text are secured by an SSL pipe. However, this was not currently the case for my client.

In order to fix this so that the hard-coded authentication wasn't being used, a few adjustments had to be implemented. The first is to change the web.config file.

XML:
  <system.web>
    <authentication mode="Windows"/>
    <identity impersonate="true"/>
  </system.web>

Then, in the code, adjust the properties consumed by the channel sink.

C#:
  // Use the caller's default credentials rather than values stored in code.
  IDictionary props = new Hashtable();
  props["useDefaultCredentials"] = true;
  HttpChannel channel = new HttpChannel(
      props,
      null,
      new SoapServerFormatterSinkProvider()
  );

Using the above code in the channel constructor sets the useDefaultCredentials property, which supplies the default credentials at run time. Although I chose to configure this property in code, it can optionally be set through a configuration file, as demonstrated below.

XML:
  <channels>
    <channel ref="http" useDefaultCredentials="true"/>
  </channels>

The result of both implementations is identical, so it is the developer's choice which method is most appropriate for their purpose.
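To answer the client's original question across a whole code base, the check below scans C# source for string literals assigned to the username, password or domain channel sink properties, as in the first listing. It is an added example, not code from the original post; the sample source, the alias variable p and prompt.ReadSecret() are constructed for illustration, and the literal matching is a simplified regex rather than a C# parser.

```python
import re

CRED_KEYS = {"username", "password", "domain"}   # keys set in the post's listing
STRING_LIT = r'@?"(?:[^"\\]|\\.)*"'               # C# string literal (simplified)
# ["key"] = <rhs>;  where rhs is a string literal or any other expression
ASSIGN = (r'\s*\[\s*"(?P<key>\w+)"\s*\]\s*=\s*(?P<rhs>'
          + STRING_LIT + r'|[^;]+?)\s*;')

# Direct form: GetChannelSinkProperties(proxy)["key"] = ...; (may span lines)
DIRECT = re.compile(r'GetChannelSinkProperties\s*\([^()]*\)' + ASSIGN)
# Aliased form: IDictionary p = ChannelServices.GetChannelSinkProperties(proxy);
ALIAS = re.compile(r'(?P<var>\w+)\s*=\s*(?:\w+\.)*GetChannelSinkProperties\s*\(')


def find_hardcoded_sink_credentials(source):
    """Return sorted (line, key) pairs where a credential key gets a literal."""
    patterns = [DIRECT]
    for alias in ALIAS.finditer(source):
        patterns.append(re.compile(r'\b' + re.escape(alias.group("var")) + ASSIGN))
    findings = set()
    for pattern in patterns:
        for m in pattern.finditer(source):
            key = m.group("key").lower()
            is_literal = re.fullmatch(STRING_LIT, m.group("rhs").strip()) is not None
            if key in CRED_KEYS and is_literal:
                line = source.count("\n", 0, m.start()) + 1
                findings.add((line, key))
    return sorted(findings)


# Constructed sample input: not the client's code, values are placeholders.
SAMPLE = '''\
IJobServer obj = (IJobServer)Activator.GetObject(
    typeof(IJobServer), "http://sharepoint/WebService/webpart.soap");
ChannelServices.GetChannelSinkProperties(obj)
    ["username"] = "svc_jobs";
ChannelServices.GetChannelSinkProperties(obj)["password"] = "not-a-real-secret";
IDictionary p = ChannelServices.GetChannelSinkProperties(obj);
p["domain"] = "CORP";
p["password"] = prompt.ReadSecret();
p["timeout"] = "30";
'''

if __name__ == "__main__":
    for line, key in find_hardcoded_sink_credentials(SAMPLE):
        print(f"line {line}: hard-coded channel sink '{key}'")
```

Assignments whose right-hand side is not a string literal, and keys other than the three credential properties, are deliberately not reported.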
