Web Services Security

Discussion in 'ASP .Net Web Services' started by Shailendra Batham, Nov 16, 2004.

  1. Hi there Gurus,
    I have a web service which works fine and it exchanges data in XML format.....

    Now I want to know what is the best method to secure this web service. Does anyone have a list of different options to secure web services? Maybe provide links to the right documents.

    Thanks,
    Shailendra Batham
     
    Shailendra Batham, Nov 16, 2004
    #1

  2. Shailendra Batham

    Dan Rogers Guest

    Hi Shailendra,

    You may want to start looking at the options such as WS-Security. Off
    hand, the phrase "securing a web service" is a pretty broad topic, starting
    with securing privacy between two points on a wire, to signing and
    encrypting the XML using XML Dsig, to managing the certificate exchange
    between two parties participating in a public/private key security
    approach. How little, or how many steps you decide to undertake depends on
    your goals.

    An easy way to get started prototyping different aspects of security is to
    download the WSE 2.0 toolkit from MSDN.

    http://msdn.microsoft.com/webservices/building/wse/default.aspx

    There are many documents and articles on line explaining what aspects of
    security that the WSE 2.0 implementation of WS-Security can do for you.

    Hope this helps,

    Dan Rogers
    Microsoft Corporation
     
    Dan Rogers, Nov 16, 2004
    #2

  3. Use WS-Security provided by WSE2.0. Look into the various threads already in
    the microsoft.public.dotnet.framework.webservices.enhancements newsgroup for
    guidance.

    SSL is not something I will recommend due to its transport dependence.
    Moreover, performance is also an issue since you don't have much control.

    hth.

    --
    Thank you.

    Regards,
    Softwaremaker

     
    Softwaremaker, Nov 16, 2004
    #3
  4. Thanks Dan for the reply.

    I read about WSE 2.0, but I am still confused as to what method I should be
    using to implement security for the web service.

    For eg.
    I have a web service on production which is used by "n" number of clients,
    so my question is what is the best method to authenticate the clients/users
    and to kick off all those who are not authorized to get information from the
    web service.

    Next thing is, does the client have to do some changes in the way they call
    the web service.


     
    Shailendra Batham, Nov 17, 2004
    #4
  5. Shailendra Batham

    Dan Rogers Guest

    Hi Shailendra,

    Ahhh. I see. Your choices for not breaking any existing clients are
    indeed limited, if, that is, there have previously been no attempts to
    ascertain the identity of the callers. The simplest option is to use
    windows domain security (e.g. turn off basic authentication). But this
    requires a line of code be added to the calling client applications so that
    the current user credentials are set in the client proxy.

    In your case, you will I think have to decide how big a break you want to
    introduce. One approach is to keep the current interface while preparing a
    new one, and then telling people that the time window for the unsecured
    access is limited and that to have uninterrupted use of the application,
    they will have to upgrade. Then in the upgraded client, simply add in
    windows security and make it point to a copy of the service on a different
    VROOT that has basic auth turned off. This will let you gracefully start
    kicking people off.

    Another option you might want to consider is port filtering. If you can be
    assured of the TCP/IP ranges or address of authorized callers, you can add
    these to the IIS port filtering list in the existing web service. This can
    be somewhat disruptive as it takes some time to fill the list, and as soon
    as you enable port filtering, only those ranges or addresses in the list
    will be allowed to place a call to the endpoint.

    Adding in WSE or WS-Security is something to still consider - but it is a
    pretty heavy hammer if you are in a position to use domain credentials.

    Hope this helps,

    Dan Rogers
    Microsoft Corporation

     
    Dan Rogers, Nov 17, 2004
    #5
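
The domain-credential option from the reply above, sketched as an added example that is not code from the thread: the service copy on the new virtual directory checks the caller's Windows identity and group, and the upgraded client sets its proxy credentials. `OrderService`, `OrderServiceProxy`, `GetOrderStatus`, the namespace URI and the `CORP\OrderServiceClients` group are hypothetical names; server and client are shown in one file only for brevity.

```csharp
// Added example, not code from the thread. OrderService, OrderServiceProxy,
// GetOrderStatus, the namespace URI and CORP\OrderServiceClients are hypothetical.
using System.Net;
using System.Security.Principal;
using System.Web.Services;
using System.Web.Services.Protocols;

// Server: the copy of the service on the new virtual directory. Assumes IIS
// authenticates callers with Integrated Windows authentication and web.config
// keeps <authentication mode="Windows" />, so User is a WindowsPrincipal.
[WebService(Namespace = OrderService.Ns)]
public class OrderService : WebService
{
    public const string Ns = "http://example.com/orders";
    private const string AllowedGroup = @"CORP\OrderServiceClients";

    [WebMethod]
    public string GetOrderStatus(int orderId)
    {
        IPrincipal caller = User;
        // Reject callers IIS did not authenticate (old clients, no credentials).
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new SoapException("Authentication required.", SoapException.ClientFaultCode);
        // Authenticated is not the same as authorized: check group membership.
        if (!caller.IsInRole(AllowedGroup))
            throw new SoapException("Caller is not authorized.", SoapException.ClientFaultCode);
        return "Order " + orderId + " requested by " + caller.Identity.Name;
    }
}

// Client: hand-written stand-in for the proxy class wsdl.exe would generate.
[WebServiceBinding(Name = "OrderServiceSoap", Namespace = OrderService.Ns)]
public class OrderServiceProxy : SoapHttpClientProtocol
{
    public OrderServiceProxy(string secureVrootUrl)
    {
        Url = secureVrootUrl;
        // The single added client line: send the logged-on user's credentials.
        Credentials = CredentialCache.DefaultCredentials;
    }

    [SoapDocumentMethod(OrderService.Ns + "/GetOrderStatus",
        RequestNamespace = OrderService.Ns, ResponseNamespace = OrderService.Ns)]
    public string GetOrderStatus(int orderId)
    {
        return (string)Invoke("GetOrderStatus", new object[] { orderId })[0];
    }
}
```

Logging `caller.Identity.Name` on each rejected call gives a list of the clients that still need to be upgraded or removed.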