Web Services Security

Shailendra Batham

Hi there Gurus,
I have a web service which works fine and exchanges data in XML format...

Now I want to know what is the best method to secure this web service. Does anyone have a list of different options to secure web services? Maybe provide links to the right documents.

Thanks,
Shailendra Batham

Dan Rogers

Hi Shailendra,

You may want to start looking at the options such as WS-Security. Offhand,
the phrase "securing a web service" is a pretty broad topic, starting
with securing privacy between two points on a wire, to signing and
encrypting the XML using XML DSig, to managing the certificate exchange
between two parties participating in a public/private key security
approach. How few or how many steps you decide to undertake depends on
your goals.

An easy way to get started prototyping different aspects of security is to
download the WSE 2.0 toolkit from MSDN.

http://msdn.microsoft.com/webservices/building/wse/default.aspx

There are many documents and articles online explaining which aspects of
security the WSE 2.0 implementation of WS-Security can handle for you.

Hope this helps,

Dan Rogers
Microsoft Corporation

Softwaremaker

Use WS-Security provided by WSE 2.0. Look into the various threads already in
the microsoft.public.dotnet.framework.webservices.enhancements newsgroup for
guidance.

SSL is not something I would recommend due to its transport dependence.
Moreover, performance is also an issue since you don't have much control.

hth.

--
Thank you.

Regards,
Softwaremaker

Shailendra Batham

Thanks Dan for the reply.

I read about WSE 2.0, but I am still confused as to what method I should be
using to implement security for the web service.

For example:
I have a web service in production which is used by "n" number of clients,
so my question is what is the best method to authenticate the clients/users
and to kick off all those who are not authorized to get information from the
web service.

Next thing is, does the client have to make some changes in the way they call
the web service?

Dan Rogers

Hi Shailendra,

Ahhh. I see. Your choices for not breaking any existing clients are
indeed limited, if, that is, there have previously been no attempts to
ascertain the identity of the callers. The simplest option is to use
Windows domain security (e.g. turn off basic authentication). But this
requires a line of code be added to the calling client applications so that
the current user credentials are set in the client proxy.

In your case, you will, I think, have to decide how big a break you want to
introduce. One approach is to keep the current interface while preparing a
new one, and then telling people that the time window for the unsecured
access is limited and that to have uninterrupted use of the application,
they will have to upgrade. Then in the upgraded client, simply add in
Windows security and make it point to a copy of the service on a different
VROOT that has basic auth turned off. This will let you gracefully start
kicking people off.

Another option you might want to consider is port filtering. If you can be
assured of the TCP/IP ranges or addresses of authorized callers, you can add
these to the IIS port filtering list in the existing web service. This can
be somewhat disruptive as it takes some time to fill the list, and as soon
as you enable port filtering, only those ranges or addresses in the list
will be allowed to place a call to the endpoint.

Adding in WSE or WS-Security is something to still consider, but it is a
pretty heavy hammer if you are in a position to use domain credentials.

Hope this helps,

Dan Rogers
Microsoft Corporation
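As an added illustration of the domain-credentials approach described above (example code written for this page, not from the thread, WSE or any Microsoft sample): the upgraded client sends the caller's current Windows credentials through the proxy, and the copy of the service on the new VROOT, running with anonymous access disabled and Windows authentication enabled, refuses callers that are unauthenticated or outside an allowed domain group. The proxy class `OrderServiceProxy`, the service `OrderService`, the group `MYDOMAIN\WebServiceUsers` and the web.config fragment are all assumptions.

```csharp
using System.Net;
using System.Web.Services;
using System.Web.Services.Protocols;

// ---- Client side: the "one line" that has to be added to each caller ----
// OrderServiceProxy is assumed to be the proxy class generated from the
// service's WSDL (Add Web Reference / wsdl.exe); the name is an assumption.
public class OrderClient
{
    public static string GetStatus(int orderId)
    {
        OrderServiceProxy proxy = new OrderServiceProxy();
        // Send the current Windows user's credentials (NTLM/Kerberos) with
        // every call; without this the service only sees an anonymous caller.
        proxy.Credentials = CredentialCache.DefaultCredentials;
        return proxy.GetOrderStatus(orderId);
    }
}

// ---- Server side: the secured copy of the service on the new VROOT ----
// Assumed web.config for that VROOT, with anonymous access disabled in IIS:
//   <authentication mode="Windows" />
//   <authorization><deny users="?" /></authorization>   <!-- "?" = anonymous -->
[WebService(Namespace = "http://example.invalid/orders")]   // placeholder namespace
public class OrderService : WebService
{
    // Assumed domain group whose members are allowed to call the service.
    private const string AuthorizedGroup = @"MYDOMAIN\WebServiceUsers";

    [WebMethod]
    public string GetOrderStatus(int orderId)
    {
        // Check in code as well, so the rule still holds if web.config is
        // misconfigured; User is the WindowsPrincipal that IIS authenticated.
        if (User == null || !User.Identity.IsAuthenticated)
            throw new SoapException("Caller is not authenticated.",
                                    SoapException.ClientFaultCode);

        if (!User.IsInRole(AuthorizedGroup))
            throw new SoapException("Caller is not authorized for this service.",
                                    SoapException.ClientFaultCode);

        // Constructed result standing in for the real work.
        return "Order " + orderId + " status: shipped (for " + User.Identity.Name + ")";
    }
}
```

Clients that were never upgraded fail with a SOAP fault on the new VROOT rather than silently receiving data, which is the "graceful kick-off" the reply describes.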
