Web Services Security

 
 
Shailendra Batham
      11-16-2004
Hi there Gurus,
I have a web service which works fine and it exchanges data in XML format.....

Now I want to know what is the best method to secure this web service. Does anyone have a list of different options to secure web services? Maybe provide links to the right documents.

Thanks,
Shailendra Batham
 
Dan Rogers
      11-16-2004
Hi Shailendra,

You may want to start looking at the options such as WS-Security. Off
hand, the phrase "securing a web service" is a pretty broad topic, starting
with securing privacy between two points on a wire, to signing and
encrypting the XML using XML Dsig, to managing the certificate exchange
between two parties participating in a public/private key security
approach. How few, or how many steps you decide to undertake depends on
your goals.

An easy way to get started prototyping different aspects of security is to
download the WSE 2.0 toolkit from MSDN.

http://msdn.microsoft.com/webservice...e/default.aspx

There are many documents and articles on line explaining what aspects of
security that the WSE 2.0 implementation of WS-Security can do for you.

Hope this helps,

Dan Rogers
Microsoft Corporation
 
Softwaremaker
      11-16-2004
Use WS-Security provided by WSE 2.0. Look into the various threads already in
the microsoft.public.dotnet.framework.webservices.enhancements newsgroup for
guidance.

SSL is not something I will recommend due to its transport dependence.
Moreover, performance is also an issue since you don't have much control.

hth.

--
Thank you.

Regards,
Softwaremaker

 
Shailendra Batham
      11-17-2004
Thanks Dan for the reply.

I read about WSE 2.0, but I am still confused as to what method I should be
using to implement security for the web service.

For eg.
I have a web service on production which is used by "n" number of clients,
so my question is what is the best method to authenticate the clients/users
and to kick off all those who are not authorized to get information from the
web service.

Next thing is, does the client have to make some changes in the way they call
the web service?
 
Dan Rogers
      11-17-2004
Hi Shailendra,

Ahhh. I see. Your choices for not breaking any existing clients are
indeed limited, if, that is, there have previously been no attempts to
ascertain the identity of the callers. The simplest option is to use
windows domain security (e.g. turn off basic authentication). But this
requires a line of code be added to the calling client applications so that
the current user credentials are set in the client proxy.

In your case, you will I think have to decide how big a break you want to
introduce. One approach is to keep the current interface while preparing a
new one, and then telling people that the time window for the unsecured
access is limited and that to have uninterrupted use of the application,
they will have to upgrade. Then in the upgraded client, simply add in
windows security and make it point to a copy of the service on a different
VROOT that has basic auth turned off. This will let you gracefully start
kicking people off.

Another option you might want to consider is port filtering. If you can be
assured of the TCP/IP ranges or address of authorized callers, you can add
these to the IIS port filtering list in the existing web service. This can
be somewhat disruptive as it takes some time to fill the list, and as soon
as you enable port filtering, only those ranges or addresses in the list
will be allowed to place a call to the endpoint.

Adding in WSE or WS-Security is something to still consider - but it is a
pretty heavy hammer if you are in a position to use domain credentials.

Hope this helps,

Dan Rogers
Microsoft Corporation
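
Added example (not part of the post above and not Microsoft's code): the Windows-authentication option Dan describes, showing the server-side caller check on the secured VROOT and the single credentials line added to the client proxy. The service, method, domain group and URLs are hypothetical, and the IIS and web.config settings in the comments are assumptions.

```csharp
// Added example. Hypothetical: OrdersService, GetOrder, CONTOSO\OrderClients, all URLs.
// Assumed web.config on the new VROOT (Integrated Windows auth is the only IIS method):
//   <authentication mode="Windows" /> <authorization><deny users="?" /></authorization>
using System.Net;
using System.Security;
using System.Security.Principal;
using System.Web.Services;
using System.Web.Services.Protocols;
// Server: .asmx code-behind deployed to the secured VROOT.
[WebService(Namespace = OrdersService.Ns)]
public class OrdersService : WebService
{
    public const string Ns = "http://example.invalid/orders";
    private const string AllowedGroup = @"CONTOSO\OrderClients"; // hypothetical group
    [WebMethod]
    public string GetOrder(int id)
    {
        IPrincipal caller = Context.User;
        // Fail closed: no identity, anonymous, or outside the group means no data.
        if (caller == null || !caller.Identity.IsAuthenticated
            || !caller.IsInRole(AllowedGroup))
            throw new SecurityException("Caller is not authorized."); // client sees a SOAP fault
        return "order " + id + " for " + caller.Identity.Name;
    }
}

// Client: stand-in for the class that wsdl.exe / Add Web Reference generates.
[WebServiceBinding(Name = "OrdersServiceSoap", Namespace = OrdersService.Ns)]
public class OrdersServiceProxy : SoapHttpClientProtocol
{
    [SoapDocumentMethod(OrdersService.Ns + "/GetOrder",
        RequestNamespace = OrdersService.Ns, ResponseNamespace = OrdersService.Ns)]
    public string GetOrder(int id)
    {
        return (string)Invoke("GetOrder", new object[] { id })[0];
    }
}

public class OrdersClient
{
    public static string Fetch(int id)
    {
        OrdersServiceProxy proxy = new OrdersServiceProxy();
        proxy.Url = "https://services.example.invalid/secure/Orders.asmx";
        // The one added line: send the logged-on user's domain credentials.
        proxy.Credentials = CredentialCache.DefaultCredentials;
        return proxy.GetOrder(id);
    }
}
```

A client that has not been upgraded sends no credentials, so IIS answers it with HTTP 401 before the web method runs; the group check then covers authenticated domain users who are not meant to read the data.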
