Implement Web Service Security
Use the WSDK to create a simple XML Web service that authenticates user requests.
by Jay Schmelzer
VSLive! Orlando, September 19, 2002
Note: Jay Schmelzer is presenting "Secure Your Web Services" at VBITS Orlando, Wednesday, September 18. This tip is from that session.
Visual Studio .NET and the .NET Framework allow application developers to quickly create XML Web services based on the Simple Object Access Protocol (SOAP). The SOAP protocol addresses the format for sending messages between applications in a distributed environment. The simplicity of the protocol has helped increase its adoption rate among tool vendors and developers, but forces the XML Web service application developer to implement some of the complicated things, like security, that are not included as part of the SOAP specification.
The flexible nature of ASP.NET provides developers all the tools they need to roll their own mechanisms for securing their XML Web services. Today, ASP.NET developers can implement authentication mechanisms for the Web services by leveraging authentication mechanisms built into the HTTP protocol (Basic Authentication, Windows Authentication, SSL, and so on), passing user credentials within the SOAP body, or custom SOAP Header implementations. These are all viable approaches and have been used successfully to implement production XML Web services, but because they are not built using a standard approach, existing toolkits can't support them without custom code.
Over the last several months, Microsoft and IBM have published a number of additional specifications that build on the existing SOAP specification to address many of the more complicated aspects of distributed computing that are missing from the SOAP specification itself (including security, transaction coordination, message routing, and so on). These additional specifications did not exist when Visual Studio .NET and the .NET Framework were originally released, so support for these standards is missing from the tools and until recently had to be manually supported by additional custom code. Microsoft recently released a Technology Preview of the Microsoft Web Services Development Kit (WSDK) that adds a set of managed classes that provide the .NET developer with support for WS-Security (and other extension specifications) to create secure XML Web services.
The sample application uses the WSDK to create a simple XML Web service that authenticates user requests using a custom Password Provider and the WS-Security specification. The WSDK packages the user's credentials into a SOAP header that adheres to the WS-Security specification on the client side and then unpacks that information once it reaches the Web service.
To install the sample, expand the ZIP file and run SecurityServiceSetup.msi, which installs the sample security Web service on your machine (take the defaults). Open and run the SecurityClient project and click on the Submit button to send a request to the sample Web service and view the response. The SecurityClient's Web service proxy class inherits from the WSDK's WSDKClientProtocol (rather than the .NET Framework's default SoapHttpClientProtocol class), which exposes the RequestSoapContext that allows us to define the security information that will be sent with the request.
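The pack-and-unpack flow described above can be seen at the wire level in the following added example, which is not the session's sample and does not use the WSDK classes. It is a Python sketch of a WS-Security UsernameToken with a password digest, where the `password_provider` callback plays the role of the custom Password Provider. The namespace URIs are those of the later OASIS WSS 1.0 standard (an assumption, since the page does not show the preview's wire format), and the function names and the sample account are constructed for illustration.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# OASIS WSS 1.0 namespaces (assumption: the 2002 WSDK preview may use earlier draft URIs).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
USERS = {"jay": "s3cret-constructed"}  # constructed sample account, not from the article

def digest(nonce, created, password):
    # UsernameToken digest form: Base64(SHA-1(nonce + created + password))
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def build_request(username, password):
    """Client side: pack the credentials into a wsse:Security SOAP header."""
    nonce = os.urandom(16)
    created = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password").text = digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body")
    return ET.tostring(env)

def authenticate(message, password_provider, seen_nonces):
    """Service side: unpack the token and check it against the provider's password."""
    tok = ET.fromstring(message).find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        return False
    fields = [tok.findtext(f"{{{ns}}}{name}") for ns, name in
              ((WSSE, "Username"), (WSSE, "Password"), (WSSE, "Nonce"), (WSU, "Created"))]
    if not all(fields):
        return False
    user, sent, nonce_b64, created = fields
    expected_pw = password_provider(user)  # lookup done by the custom password provider
    if expected_pw is None or nonce_b64 in seen_nonces:
        return False  # unknown user, or a replayed token
    try:
        expected = digest(base64.b64decode(nonce_b64), created, expected_pw)
    except ValueError:
        return False  # nonce was not valid Base64
    if not hmac.compare_digest(expected.encode(), sent.encode()):
        return False
    seen_nonces.add(nonce_b64)
    return True
```

The sketch does not check the age of `Created` and keeps seen nonces only in memory; a service would need to bound both to limit replay. The digest protects the password in the header but not the message itself, so the request still needs transport or message-level protection.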
About the Speaker
Jay Schmelzer is a partner with Clarity Consulting, Inc., an e-business and technology consulting firm based in Chicago. He actively oversees multiple project teams working on the design, development, and implementation of large-scale systems. In addition, Jay frequently writes articles for technical journals and speaks at IT conferences.