StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
692508
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
2
CommunityOwnedDate
CreationDate
2009-03-28T09:34:13.323
FavoriteCount
0
LastActivityDate
2011-03-22T20:50:13.350
LastEditDate
2011-03-22T20:50:13.350
LastEditorUserId
3827
OwnerUserId
3827
ParentId
683865
PostTypeId
2
Score
8
ViewCount
0
LastEditorDisplayName
eed3si9n
text
Body
Edit: It's been several years since I first wrote the answer and the list is getting old. There have been some wide adoption of web-enabled APIs and token-based trust relaying. I haven't read it, but <a href="http://msdn.microsoft.com/en-us/library/ms732362.aspx" rel="nofollow noreferrer">Windows Communication Foundation Security</a> would be a good place to start, if you're looking for something specific to WCF. Also keep your eyes open for what major players like <a href="http://developers.facebook.com/docs/authentication/" rel="nofollow noreferrer">Facebook</a>, <a href="http://code.google.com/apis/accounts/docs/GettingStarted.html" rel="nofollow noreferrer">Google</a>, and <a href="http://dev.twitter.com/pages/auth" rel="nofollow noreferrer">Twitter</a> are doing. They are using open protocols like <a href="http://openid.net/" rel="nofollow noreferrer">OpenID</a> and <a href="http://oauth.net/" rel="nofollow noreferrer">OAuth</a>. At first, OAuth looks complicated, but you should understand the mechanism. In my opinion earlier OAuth reinvents a lot of wheels that SSL has already solved, and leaves some security holes open. An interesting read is <a href="http://arstechnica.com/security/guides/2010/09/twitter-a-case-study-on-how-to-do-oauth-wrong.ars/" rel="nofollow noreferrer">Compromising Twitter's OAuth security system</a>. <a href="http://developers.facebook.com/docs/authentication/" rel="nofollow noreferrer">Facebook's OAuth 2.0 implementation</a> and <a href="http://code.google.com/apis/accounts/docs/OAuth2.html" rel="nofollow noreferrer">Google's OAuth 2.0 implementation</a> simplify many of these issues by using https where it makes sense. These are must reads. <img src="https://i.stack.imgur.com/HKq4Y.png" alt="enter image description here"> The basic concept around OAuth is trust relaying. You would want third-party developers to make apps against your API, but the end users cannot always trust these apps. Giving password to them, is like giving the keys to the kingdom. So the user types in the password into your UI, and your UI redirects to the third party with an access token. <hr> <a href="http://msdn.microsoft.com/en-us/library/aa302415.aspx" rel="nofollow noreferrer">Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication</a> is a good introduction to ASP.NET's security models. You can skip over the details because much of the technology is now obsolete. A good overview specific to Web Services is <a href="http://msdn.microsoft.com/en-us/library/aa480545.aspx" rel="nofollow noreferrer">Web Service Security: Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0</a>. It says WSE, but basic concepts still remain the same. To get more details on WS-Security, read <a href="http://rads.stackoverflow.com/amzn/click/0672326515" rel="nofollow noreferrer">Securing Web Services with WS-Security: Demystifying WS-Security, WS-Policy, SAML, XML Signature, and XML Encryption</a>. <a href="http://ecx.images-amazon.com/images/I/51QPQ9QRZQL._SL500_AA240_.jpg" rel="nofollow noreferrer">Securing Web Services with WS-Security http://ecx.images-amazon.com/images/I/51QPQ9QRZQL._SL500_AA240_.jpg</a> After reading above, what really helped me was looking at existing implementations like <a href="http://docs.amazonwebservices.com/AmazonS3/2006-03-01/index.html?S3_Authentication.html" rel="nofollow noreferrer">Amazon S3's authentication</a>: <a href="http://docs.amazonwebservices.com/AmazonS3/2006-03-01/images/HMACAuthProcess_You.gif" rel="nofollow noreferrer">Amazon S3's authentication http://docs.amazonwebservices.com/AmazonS3/2006-03-01/images/HMACAuthProcess_You.gif</a> <a href="http://www.flickr.com/services/api/auth.spec.html" rel="nofollow noreferrer">Flickr Authentication API</a>: <blockquote> Each authentication frob is specific to a user and an application's api key, and can only be used with that key. Authentication frobs are valid for 60 minutes from the time it is created, or until the application calls flickr.auth.getToken, whichever is sooner. Only one authentication frob per application per user will be valid at any one time. Applications must deal with expired and invalid authentication frobs and know how to renew them. </blockquote> <a href="http://apiwiki.twitter.com/REST+API+Documentation" rel="nofollow noreferrer">Twitter REST API</a> <blockquote> Many Twitter API methods require authentication. All responses are relative to the context of the authenticating user. For example, an attempt to retrieve information on a protected user who is not friends with the requesting user will fail. For the time being, HTTP Basic Authentication is the only supported authentication scheme. When authenticating via Basic Auth, use your registered username or email address as the username component. Session cookies and parameter-based login are known to work but are not officially supported. The OAuth token-based authentication scheme will shortly be offered as an experimental beta release. </blockquote> So it's nice to know the complicated certs and PKI stuff, but the world seems to operate without it just fine.
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POWhat is some good WCF/web services security reading?
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. USEugene Yokota
UserOwnerUserId
1. USEugene Yokota
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. POWhat is some good WCF/web services security reading?
 singulars
 PostTypePostTypeId
 PTQuestion
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. CO+1 for a going the extra mile on this answer!
 singulars
 PostPostId
 PO
 UserUserId
 USmhenrixon
2. CO+1 just what I needed!
 singulars
 PostPostId
 PO
 UserUserId
 USTim

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.