Benjamin
Hi!
I would like to implement WS-Security features using WSE2.0.
Initially the services are consumed by .NET Windows Form Clients.
What do you think is a reasonable level of security and safety?
Do you think the following configuration of the web service proxies is "good
enough"?
' At the top of the form's code file:
Imports Microsoft.Web.Services2
Imports Microsoft.Web.Services2.Security
Imports Microsoft.Web.Services2.Security.Tokens

Public Sub ConfigureProxy(ByVal proxy As WebServicesClientProtocol)
    ' WS-Security: "Authentication" & "Authorization" with UsernameToken
    ' (no need to send password because of signing below)
    Dim token As UsernameToken = New UsernameToken(Me.txtUserName.Text, _
        Me.txtPassword.Text, PasswordOption.SendNone)
    proxy.RequestSoapContext.Security.Tokens.Add(token)

    ' WS-Security: "Signing" with UsernameToken (keep message integrity)
    Dim derivedToken As New DerivedKeyToken(token)
    proxy.RequestSoapContext.Security.Tokens.Add(derivedToken)
    proxy.RequestSoapContext.Security.Elements.Add( _
        New MessageSignature(derivedToken))

    ' WS-Security: "Encryption" with UsernameToken (ensure
    ' confidentiality, not "very" secure)
    proxy.RequestSoapContext.Security.Elements.Add( _
        New EncryptedData(derivedToken))
End Sub
We are not communicating "bank transactions", but anyway we would like to
implement "good enough" security.
Best regards,
Benjamin, Sweden