1 / 26

Securing Web Services Using Microsoft Web Services Enhancements 1.0

Securing Web Services Using Microsoft Web Services Enhancements 1.0. Petr PALAS PortSight Software Architect petrp@portsight.com. Agenda. What is WSE and its Relationship to GXA Standards Currently Supported in WSE WSE Architecture Implementation of WS-Security in WSE Demo of Using WSE

kitra
Download Presentation

Securing Web Services Using Microsoft Web Services Enhancements 1.0

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securing Web Services Using Microsoft Web Services Enhancements 1.0 Petr PALAS PortSight Software Architect petrp@portsight.com

  2. Agenda • What is WSE and its Relationship to GXA • Standards Currently Supported in WSE • WSE Architecture • Implementation of WS-Security in WSE • Demo of Using WSE • Future Standards

  3. Quick Survey Do you use Microsoft.NET platform?

  4. What is WSE and Its Relationship to GXA • Microsoft Web Services Enhancements (1.0) • Replaces Microsoft WSDK • Free to download and supported by Microsoft • It includes samples, documentation and tools • .NET library for easy use of higher-level WS standards from GXA • It will be updated according to GXA standards

  5. Standards currently supported • Emerging standards in WSE: • WS-Security(Security Credentials, Digital Signing, Encryption) • WS-Routing • WS-Attachments and DIME • Other functionality: • Writing your own filters • Diagnostic features

  6. Security Features in WSE • Digital signature of a SOAP message • X.509 certificates / username+password / custom binary token • Encryption of a SOAP message • X.509 / shared secret / custom binary token • Authentication using security credentials • X.509 / username+password / custom binary token

  7. Quick Survey Have you already tried to secure your Web Service in any way?

  8. WSE Architecture • Additional information is added to the SOAP headers using filters • Built-in filters: • Trace Filter (diagnostics) • Security Filter (WS-Security) • Timestamp Filter (WS-Security) • Referral Filter (used for WS-Routing) • Routing Filter (WS-Routing) • You can write your own filters

  9. WSE Filters Source: http://msdn.microsoft.com

  10. WSE Filter Pipeline Source: http://msdn.microsoft.com

  11. How To Use WSE (1) • Create client and server projects in VS.NET • Add reference to Microsoft.Web.Services.dll library to both server and client • Add following lines to both server and client code (VB.NET): Imports Microsoft.Web.Services Imports Microsoft.Web.Services.Security

  12. How To Use WSE (2) • Edit web.config (see documentation) on server • Write and compile server code • Add Web Reference to the client program • Edit generated proxy class – it must inherit from Microsoft.Web.Services.WebServicesClientProtocol • Write and run client code • You can use WSE 1.0 Settings (tool integrated into VS.NET) to edit the configuration files

  13. Adding Security Credentials • Without WSE: Use Credentials property of the proxy class (transferred on the transport layer) • may be lost at intermediaries  • With WSE (WS-Security): Add credentials to the SOAP message header • Supported types of security credentials: • X.509 Certificate • User name and password (none/plain-text/hashed) • Custom-built binary token

  14. DEMO – Authentication and Signing a Message user name, password (user token) signature (using user name and password) timestamp check signature check timestamp get user token return valid password using custom PasswordProvider class if provided password is the same as the one from the PasswordProvider, then execute the method

  15. DEMO Code - Overview CLIENT UserToken RequestContext TimeStamp Signature SERVER PasswordProvider RequestContext

  16. DEMO – Client Code (1) Dim userToken As UsernameToken = New UsernameToken(TxtUserName.Text, TxtPassword.Text, PasswordOption.SendPlainText) Dim serviceProxy As localhost.Service1 = New localhost.Service1() Dim requestContext As SoapContext = serviceProxy.RequestSoapContext

  17. DEMO – Client Code (2) ‘add credentials requestContext.Security.Tokens.Add(userToken) ‘create signature and add it to the message – it’s not secure when sending also password (!) – this is only an example Dim sig As Signature = New Signature(userToken) requestContext.Security.Elements.Add(sig) requestContext.Timestamp.Ttl = 10000 ‘show result MsgBox(serviceProxy.sayHello())

  18. DEMO – Server Code (1) <WebMethod()> Public Function sayHello() As String Dim retval As String Dim requestContext As SoapContext = HttpSoapContext.RequestContext ' Verify that a SOAP request was received If IsNothing(requestContext) Then Throw (New ApplicationException(“Message is not acceptable")) End If

  19. DEMO – Server Code (2) Dim userToken As UsernameToken = GetFirstUsernameToken( requestContext.Security) If Not IsNothing(userToken) Then retval = “Hello” End If Return retval

  20. Advantages & Limitations (1) • Advantages: • WSE provides easy to use libraries • Microsoft commitment to support and update WSE • Support for debugging

  21. Advantages & Limitations (2) • Limitations: • Since the standards are still under development, various implementations may not be compatible. • Recommended only for specific solutions. • You have to understand the security protocols. • You have to implement security for each Web Service separately.

  22. Future Standards In Next Versions Source: http://msdn.microsoft.com

  23. Summary

  24. Used and Recommended Sources • Demo Source Code: • http://www.portsight.com/technology • Microsoft Developer Network (WSE download): • http://msdn.microsoft.com/webservices • news://news.microsoft.com • OASIS: • http://www.oasis-open.org/

  25. Questions & Answers

  26. Thank You for Your Time!

More Related