
Web Services Security

Shailendra Batham - 16 Nov 2004 21:24 GMT
Hi there Gurus,
I have a web service which works fine and it exchanges data in XML format.....

Now I want to know what is the best method to secure this web service. Does anyone have a list of different options to secure web services? Maybe provide links to the right documents.

Thanks,
Shailendra Batham
Dan Rogers - 16 Nov 2004 22:08 GMT
Hi Shailendra,

You may want to start looking at the options such as WS-Security.  Off
hand, the phrase "securing a web service" is a pretty broad topic, starting
with securing privacy between two points on a wire, to signing and
encrypting the XML using XML Dsig, to managing the certificate exchange
between two parties participating in a public/private key security
approach.  How few or how many steps you decide to undertake depends on
your goals.

An easy way to get started prototyping different aspects of security is to
download the WSE 2.0 toolkit from MSDN.

http://msdn.microsoft.com/webservices/building/wse/default.aspx

There are many documents and articles online explaining what aspects of
security the WSE 2.0 implementation of WS-Security can do for you.

Hope this helps,

Dan Rogers
Microsoft Corporation
Shailendra Batham - 17 Nov 2004 00:46 GMT
Thanks Dan for the reply.

I read about WSE 2.0, but I am still confused as to what method I should be
using to implement security for the web service.

For example,
I have a web service in production which is used by "n" number of clients,
so my question is what is the best method to authenticate the clients/users
and to kick off all those who are not authorized to get information from the
web service.

Next thing is, does the client have to make some changes in the way they call
the web service?

Dan Rogers - 17 Nov 2004 01:36 GMT
Hi Shailendra,

Ahhh.  I see.  Your choices for not breaking any existing clients are
indeed limited, if, that is, there have previously been no attempts to
ascertain the identity of the callers.  The simplest option is to use
Windows domain security (e.g. turn off basic authentication).  But this
requires a line of code be added to the calling client applications so that
the current user credentials are set in the client proxy.

In your case, you will I think have to decide how big a break you want to
introduce.  One approach is to keep the current interface while preparing a
new one, and then telling people that the time window for the unsecured
access is limited and that to have uninterrupted use of the application,
they will have to upgrade.  Then in the upgraded client, simply add in
Windows security and make it point to a copy of the service on a different
VROOT that has basic auth turned off.  This will let you gracefully start
kicking people off.

Another option you might want to consider is port filtering.  If you can be
assured of the TCP/IP ranges or address of authorized callers, you can add
these to the IIS port filtering list in the existing web service.  This can
be somewhat disruptive as it takes some time to fill the list, and as soon
as you enable port filtering, only those ranges or addresses in the list
will be allowed to place a call to the endpoint.

Adding in WSE or WS-Security is something to still consider - but it is a
pretty heavy hammer if you are in a position to use domain credentials.

Hope this helps,

Dan Rogers
Microsoft Corporation
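
An added illustration of the Windows domain security option described in the reply above (not code from the thread or from Microsoft): an ASMX method that fails closed for unauthenticated or unauthorized callers, and an upgraded client that sets the current user's credentials on its proxy. The service name, method, domain group, URLs and the web.config settings in the comments are assumptions.

```csharp
// Added example, not code from the thread. OrderService, GetOrderStatus,
// CONTOSO\OrderClients and the example.invalid URLs are hypothetical.
using System;
using System.Net;
using System.Web.Services;
using System.Web.Services.Protocols;

// SERVER: deployed to the new virtual directory. Assumed web.config there:
//   <authentication mode="Windows" />
//   <authorization><deny users="?" /></authorization>
[WebService(Namespace = "http://example.invalid/orders")]
public class OrderService : WebService
{
    [WebMethod]
    public string GetOrderStatus(int orderId)
    {
        // User is set by ASP.NET from the caller's Windows token.
        // Fail closed even if the directory is later misconfigured.
        if (User == null || !User.Identity.IsAuthenticated)
            throw new SoapException("Authentication required", SoapException.ClientFaultCode);
        // Authorize by domain group, so removing a client is a group change.
        if (!User.IsInRole(@"CONTOSO\OrderClients"))
            throw new SoapException("Caller is not authorized", SoapException.ClientFaultCode);
        return "Order " + orderId + " requested by " + User.Identity.Name;
    }
}

// CLIENT: hand-written equivalent of the proxy that wsdl.exe would generate.
[WebServiceBinding(Name = "OrderServiceSoap", Namespace = "http://example.invalid/orders")]
public class OrderServiceProxy : SoapHttpClientProtocol
{
    public OrderServiceProxy(string url) { Url = url; }
    [SoapDocumentMethod("http://example.invalid/orders/GetOrderStatus",
        RequestNamespace = "http://example.invalid/orders",
        ResponseNamespace = "http://example.invalid/orders")]
    public string GetOrderStatus(int orderId)
    {
        return (string)Invoke("GetOrderStatus", new object[] { orderId })[0];
    }
}

public static class UpgradedClient
{
    public static void Main()
    {
        OrderServiceProxy proxy = new OrderServiceProxy("https://services.example.invalid/secure/OrderService.asmx");
        // The added line: send the logged-on user's domain credentials.
        proxy.Credentials = CredentialCache.DefaultCredentials;
        Console.WriteLine(proxy.GetOrderStatus(42));
    }
}
```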

Softwaremaker - 16 Nov 2004 22:17 GMT
Use WS-Security provided by WSE2.0. Look into the various threads already in
the microsoft.public.dotnet.framework.webservices.enhancements newsgroup for
guidance.

SSL is not something I will recommend due to its transport dependence.
Moreover, performance is also an issue since you don't have much control.

hth.

Thank you.

Regards,
Softwaremaker
