Fog Creek Software
Discussion Board

Welcome! and rules

Joel on Software

Storing username/password for delegation?

Let's say I have a web service which delegates to another.

Webservice A requires (Windows) authentication, and thus knows who is calling it and can detemine if the calling user is authorized.

Webservice B only works with a specific username/password, known only to web service A.

What is the reccomended mechanism for handling this?

The best I've found so far is for webservice A to impersonate (with web.config settings) the user required for B, and saving the username/password in the registry with aspnet_setreg. But that doesn't allow for more sophisticated setups, say where webservice C requires a different password from B, or doesn't use integrated Windows authentication. It also requires a bit of machine setup (granting write permission to the ASP.NET temp directories).

Has anyone figured out how to use the .NET framework to handle this? I'd rather not implement a password manager.

Tuesday, November 11, 2003

*  Recent Topics

*  Fog Creek Home