Clemens Vasters: Enterprise Development & Alien Abductions
Thoughts about Microsoft .NET, Enterprise Services, XML and other dull and boring things.
Updated: 7/30/2002; 8:47:45 AM.

 














Thursday, July 11, 2002

Not that there wouldn't be a story run about this somewhere every other day, but the toddlers just don't stop crying to get their way. How silly.

RTFM snippet of the day: Programmatically configuring the .NET Framework; noteworthy details: Creating configuration objects, WQL syntax and XML to WMI mapping. Lesson learned: Never do any direct writes (System.IO, System.Xml) to machine.config!


10:22:55 PM

Free, free, set them free. It may not be perfect, it may not be compliant with the specs, it may not even work for you, may not be what you've all expected and it involves setting up Active Directory and all this, but....

Here is (in the download section) my WS-Security authentication implementation with Kerberos and Username (cleartext) support - with full source code, licensed under a - slightly modified - BSD-style license (see below). Take it, play around with it, have fun and let me know what you think. I have done most of this work myself and if one thing is clear it's that I am not perfect. I built what I could understand from the specs (and I still can't make much sense out of much of the XML Encryption stuff), so there are bugs and maybe even some really embarrassing errors.

In addition to the WS-Security stuff, there are a few other fun extensions to play with.

Right in the security module are a whole bunch of attributes that will allow you to use Eiffel-style constraints on Web service arguments, and the transaction piece demonstrates what this new Enterprise Services feature "Services Without Components" is good for (thanks to my friend Steve Swartz from the XML Enterprise Services team at Microsoft for helping me understand what this is all about). The code contains a wrapper that you can rip out and use elsewhere.

The same is true for my SSPI wrappers; the C++ portion of the security code has two managed/unmanaged pairs of classes (server and client) that you can use for making Kerberos work anywhere. I am sure that folks like Ingo Rammer (with whom I have a deep, but friendly and agreed-upon disagreement about the value of .NET Remoting) can grab this to do funky things with .NET Remoting channel sinks. For the Username authentication, there is an SSPI replacement for the LogonUser API (not requiring SE_TCB_NAME privileges), just because it was easy to do. Both are callable from managed code.

Everyone in the Web Services camp should especially look at the KerberosWSDL.cs and UsernameWSDL.cs files of the security archive. If you haven't yet used ASP.NET's ServiceDescriptionFormatExtension and their surrounding infrastructure, you have barely scratched the surface of what ASP.NET can really do for you. Once you get into that stuff, you can unlock the true power of the ASP.NET Web Services design. The extensibility mechanisms that the folks put into ASP.NET are amazing to boot and even more amazing in terms of how easy it is to use them. It's a pity that this stuff is really underdocumented (to say the least).

I think that I may be getting some flak for not releasing the source code for the whole shebang, including the session extensions and management extensions. The story is simple: There are very good reasons to release the source for the security and transaction things for free (one is first kid on the block for an unfinished spec and the second is only useful under very limited circumstances) and I just don't see the same good reasons for the other two extensions, yet.

So, my "call to action" is: Look at the code, tell me what I can improve, rewrite, extend.... give changes back to me, if you don't mind.

There's lots of room for improvement. First, there are a few bugs that I know of. Then there is no good tool (I have one, but it really only works under debugger supervision) to quickly create service principal names etc.; I am very lazy and use the XML DOM for everything (which is probably a terrible sin), and so on....

Ah, if our site doesn't work for you (I don't know how many people want this and our Internet feed bandwidth is nothing to be proud of), try our MSN Community. The downloadable bits are located in this folder.

Finally, some (a whole bunch of) folks may hate the addition (4) that we made to the BSD-style license. We rule out having our code incorporated into GPL'ed code (we explicitly allow our code to interact with GPL'ed code via XML/SOAP). That's not because we follow some Redmonish agenda, but because we are explicitly not following Stallman's agenda. We are giving the code out for free and don't want to enable anybody to force (directly or indirectly) an agenda down somebody else's throat that forces them to open up their intellectual property for stealing. I may not understand the GPL well enough to see that there is no risk for this (as some may say), but I also don't want to shell out the money for a lawyer to confirm this. We do what we do because we think it makes sense in this instance...


3:50:01 PM

It's great to see that Sun is willing to admit that they are very, very slow in understanding the whole idea. Now they just happened to understand Smart Tags and the Office XP Web Services Toolkit (not even speculating about the next version of Office); even sadder is that InfoWorld understands that as noteworthy news and not as majorly embarrassing: Web services could scale down to the desktop.
8:14:43 AM


© Copyright 2002 Clemens Vasters.



newtelligence
MSDN Regional Director