rss
 
comment(s)

archives
J|F|M|A|M|J|J|A|S|O|N|D
(20##) 10 9 8 7 6 5 4 3 2 1 0 <
 
DesktopWeb FormText   WSE policy file securityWed, 16 Jun 2004 18:43:05 GMT # 

WSE policy files will let you specify how to secure your web services without mucking with the code. concentrate on the business logic ... blah blah. but suppose i am hosting my web service at a 3rd party site. seems like somebody could just replace the policy file with a new one that is less secure. while if i put the security code mixed in with the business code, then it gets the additional security protection provided to .NET assemblies. am i wrong about that being a trade-off? what about signing policy files themselves? maybe i sign the assembly with my private key and i also sign policy file modifications with the same private key. then the assembly can use the public key to verify the policy file. if somebody replaces it with their own file, then WSE will see that it is not properly signed and fail. if i need to modify it myself, then i just sign the new policy file and the running assembly will be able to pick it up. i really have no knowledge of WS-Policy ... basically just making this up ... somebody tell me i'm wrong