Web Services Security in WSE 3.0 (Security in WSE 3.0)

Hongmei Ge, Con321
Software Design Engineer, Microsoft Corporation
Agenda

Background: ASP.NET -> WSE -> WCF
    WSE: Web Services Enhancements
    WCF: Windows Communication Foundation
Widely used feature areas in WSE 3.0: Security, Policy, Diagnostics, Tools
From WSE to WCF: interoperability (the interop story) and migration (the migration story)
Background: climbing the Web Services ladder

ASP.NET -> WSE -> WCF

Notes: how to go from ASP.NET to WSE, and from WSE to WCF.
ASP.NET Web Services

Application layer   Connected Applications | Business Process | ...
Web foundation      Management | Security | Reliability | Transactions | Metadata | Messaging | XML | ...
Transport layer     HTTP | TCP | Custom

Notes: ASP.NET Web Services only supports building connected applications. At the foundation level it supports XML serialization, sending basic messages, and generating and consuming metadata. At the transport layer it supports only HTTP and HTTPS.
.NET Framework v2.0 Web Services

Compliant with the WS-I Basic Profile
Declared with the WebServiceBinding attribute:

```csharp
using System.Web.Services;

[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1, EmitConformanceClaims = true)]
[WebService(Namespace = "Microsoft.TechEdChina.WebServices")]
public class BPConformance_asmx
{
    [WebMethod]
    public string HelloWorldBP()
    {
        string message = "'Hello World' from a Basic Profile compliant (BP-compliant) Web Service.";
        return message;
    }
}
```

Notes: .NET Framework v2.0 Web Services is compliant with the WS-I Basic Profile. It uses the WebServiceBinding attribute.
Web Services Enhancements (WSE)

Application layer   Connected Applications | Business Process | ...
Web foundation      Management | Security | Reliability | Transactions | Metadata | Messaging | XML | ...
Transport layer     HTTP | TCP | Custom

Notes: In addition to everything the .NET Framework already supports, WSE adds security at the foundation level. It also adds TCP and custom transports at the transport level.
WSE 3.0 Web Services

Built on top of the .NET Framework
Declared with the Policy attribute:

```csharp
using System.Web.Services;

[WebService(Namespace = "Microsoft.TechEdChina.WebServices")]
[Microsoft.Web.Services3.Policy("MyServerPolicy")]
public class WSE_asmx
{
    [WebMethod]
    public string HelloWorld()
    {
        return "Hello World!";
    }
}
```

Notes: WSE 3.0 Web Services is built on top of the .NET Framework. It uses the Policy attribute to define security on both the sending and the receiving end.
WCF Web Services

Application layer   Connected Applications | Business Process | Management | ...
Web foundation      Security | Reliability | Transactions | Metadata | Messaging | XML | ...
Transport layer     HTTP | TCP | Custom

Notes: WCF web services provide a foundation for writing secure, reliable, transacted services.
WCF Web Services

A brand new Web Service programming interface
ServiceContract and OperationContract attributes:

```csharp
using System.ServiceModel;

[ServiceContract]
public interface IHelloService
{
    [OperationContract]
    string Hello();
}

public class HelloService : IHelloService
{
    public string Hello()
    {
        return "Hello";
    }
}
```

Notes: WCF defines a brand new programming model. It uses the ServiceContract and OperationContract attributes for the actual web service calls.
Why WSE?

Basic ASP.NET cannot satisfy the industry's growing demand for web service security.
WCF takes a long time to complete, and as of this talk it has still not been officially released.

Timeline: February 2003, July 2004, November 2005

Notes: Why do we have WSE? The basic web services features provided by ASP.NET can't satisfy the industry's increasing demand for writing safe and sound web services. However, because of the magnitude of the WCF product, it will take a while to release. In the meantime the WS-* specifications need a real Microsoft product to support them. That is how the WSE project started.
WSE 3.0 - Security

WSE = Security
Supported security tokens: Username, X.509 certificate, Kerberos token, SecurityContextToken, DerivedKeyToken, Issued token (SAML), Custom token

Notes: Security tokens supported by WSE: username, X.509 certificate, Kerberos token, SecurityContextToken, DerivedKeyToken, IssuedToken, custom tokens, etc.
WSE 3.0 - Security

The most common web service security scenarios supported by WSE: UsernameForCertificate, AnonymousForCertificate, UsernameOverTransport, Kerberos (Windows), MutualCertificate10 and MutualCertificate11

Notes: WSE 3.0 supports the six most common web services scenarios: UsernameForCertificate, AnonymousForCertificate, UsernameOverTransport, Kerberos, MutualCertificate10 and MutualCertificate11.
Real-world example: username/password on the client, certificate on the server

Client (Internet) -> Application Server (Intranet)

The username/password is used for authentication.
The server certificate protects a symmetric key supplied by the client; that symmetric key then protects the request.
The server verifies the username/password.
The response is protected with the same symmetric key.

Notes: the client uses a Username token and the server uses an X.509 certificate.
Demo: username/password on the client, certificate on the server

WSE 3.0 policy assertion: UsernameForCertificate
C:\TechEdChina\Wse3Demos\WSSecurityUsername\Policy\
WSE 3.0 - Policy

A policy defines a series of policy assertions; each policy assertion transforms the message in transit.

Input pipeline:  Input SOAP message -> Tracing -> Security -> Custom -> run the user-defined application code
Output pipeline: ... -> Tracing -> Security -> Custom -> Output SOAP message

Notes: The diagram shows how the policy describes both the input pipeline and the output pipeline. Each policy assertion transforms the message in some way. After the message has gone through all the filters in the input pipeline, it goes through the application processing to generate the response message. Finally the response goes through all the filters in the output pipeline.
The policy file defines web service security

```xml
<anonymousForCertificateSecurity establishSecurityContext="false" …
                                 messageProtectionOrder="SignBeforeEncrypt"
                                 requireDerivedKeys="true" ttlInSeconds="300">
  <serviceToken>
    <x509 …/>
  </serviceToken>
  <protection>
    <request signatureOptions="…" encryptBody="true" />
    <response signatureOptions="…" encryptBody="true" />
    <fault signatureOptions="…" encryptBody="false" />
  </protection>
</anonymousForCertificateSecurity>
```

Notes: The policy file is like a super configuration file for security. This is an example of a policy file used in WSE 3.0.
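A policy file of this shape is easy to weaken by hand, so a defender wants a check before deployment. The following added example (not part of the talk, nor WSE tooling) parses a policy file and flags settings weaker than the slide's: derived keys off, a long timestamp TTL, or a request/response whose body is not encrypted or not covered by the signature. The sample policy and its x509 lookup values are constructed.

```python
import xml.etree.ElementTree as ET
# Constructed WSE 3.0 policy file modelled on the slide's assertion; the x509 lookup values
# are sample values, not a real deployment.
SAMPLE_POLICY = """<policies>
  <policy name="MyServerPolicy">
    <anonymousForCertificateSecurity establishSecurityContext="false"
        messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
      <serviceToken>
        <x509 findValue="CN=SampleServiceCert" findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </anonymousForCertificateSecurity>
  </policy>
</policies>"""

# The same policy with its protection loosened, to show what the audit reports.
WEAK_POLICY = (SAMPLE_POLICY
    .replace('requireDerivedKeys="true"', 'requireDerivedKeys="false"')
    .replace('ttlInSeconds="300"', 'ttlInSeconds="3600"')
    .replace('<request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />',
             '<request signatureOptions="IncludeAddressing" encryptBody="false" />'))

def audit_policy(xml_text, max_ttl=300):
    # Returns one finding per weak setting in every <policy>; an empty list means all checks passed.
    findings = []
    for policy in ET.fromstring(xml_text).findall("policy"):
        name = policy.get("name", "<unnamed>")
        assertion = policy[0]  # the turnkey assertion is the policy element's child
        if assertion.get("requireDerivedKeys", "").lower() != "true":
            findings.append(f"{name}: requireDerivedKeys is not true; the exchanged key is used directly")
        ttl = int(assertion.get("ttlInSeconds", max_ttl))
        if ttl > max_ttl:
            findings.append(f"{name}: ttlInSeconds {ttl} exceeds {max_ttl}; wider replay window")
        for msg in ("request", "response"):  # the slide leaves faults unencrypted, so they are not checked
            p = assertion.find(f"protection/{msg}")
            if p is None:
                findings.append(f"{name}: no protection element for {msg}")
                continue
            if p.get("encryptBody", "").lower() != "true":
                findings.append(f"{name}: {msg} body is not encrypted")
            opts = {o.strip() for o in p.get("signatureOptions", "").split(",")}
            for needed in ("IncludeSoapBody", "IncludeTimestamp"):
                if needed not in opts:
                    findings.append(f"{name}: {msg} signature does not cover {needed}")
    return findings
```

Running audit_policy over SAMPLE_POLICY returns no findings; over WEAK_POLICY it reports the five loosened settings.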
Demo: Policy Wizard

How to use the Policy Wizard tool to easily add web service security to a simple ASMX web service.
C:\TechEdChina\Wse3Demos\Tools\WseConfigEditor3.exe

Notes: This shows how easy it is to use the Policy Wizard to add security to a simple ASMX web service.
WSE 3.0 - Diagnostics

How to see the message as it is finally transmitted:

```xml
<diagnostics>
  <trace enabled="true" input="in.xml" output="out.xml" />
</diagnostics>
```

How to see the stack trace after an error:

```xml
<diagnostics>
  <stackTrace enabled="true" />
</diagnostics>
```

Notes: How do you turn on message tracing in WSE? One simple switch in the configuration file does the magic (the trace element above). How do you turn on the stack trace in WSE when an error happens? Again one simple switch in the configuration file (the stackTrace element above).
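Once tracing is on, in.xml and out.xml show what actually went on the wire, which is the place to confirm that the policy took effect. The following added example (not from the talk or from WSE) inspects one traced envelope and reports whether the Security header carries a Timestamp and a Signature and whether the Body is an EncryptedData element; both sample envelopes are constructed stand-ins with placeholder values.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1, as the ASMX services in the talk use

# Constructed stand-in for one envelope from out.xml when the policy signs and encrypts the body;
# the signature and cipher values are placeholders, not real material.
PROTECTED = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}"
    xmlns:ds="{NS['ds']}" xmlns:xenc="{NS['xenc']}">
  <soap:Header>
    <wsse:Security>
      <wsu:Timestamp><wsu:Created>2005-11-01T00:00:00Z</wsu:Created><wsu:Expires>2005-11-01T00:05:00Z</wsu:Expires></wsu:Timestamp>
      <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>"""

# Constructed stand-in for the same call with no policy applied: the body travels in the clear.
CLEAR = f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Body><HelloWorld xmlns="Microsoft.TechEdChina.WebServices" /></soap:Body>
</soap:Envelope>"""

def inspect_trace(xml_text):
    # Report which WS-Security protections a traced envelope actually carries.
    env = ET.fromstring(xml_text)
    header = env.find(f"{{{SOAP}}}Header")
    body = env.find(f"{{{SOAP}}}Body")
    security = header.find("wsse:Security", NS) if header is not None else None
    return {
        "timestamped": security is not None and security.find("wsu:Timestamp", NS) is not None,
        "signed": security is not None and security.find("ds:Signature", NS) is not None,
        "body_encrypted": body is not None and body.find("xenc:EncryptedData", NS) is not None,
        # element names anyone reading the trace can see inside the Body without a key
        "visible_body_elements": [c.tag.split("}")[-1] for c in body] if body is not None else [],
    }

if __name__ == "__main__":
    for label, envelope in (("protected", PROTECTED), ("clear", CLEAR)):
        print(label, inspect_trace(envelope))
```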
WSE 3.0 - Tools

Tightly integrated with Visual Studio 2005: Add Web Reference / Update Web Reference, WSE Settings button
Standalone tools: WseWsdl3.exe, WseConfigEditor3.exe, X509Certificate3.exe

Notes: The WSE tools integrate seamlessly with Visual Studio 2005: Add Web Reference / Update Web Reference are modified so that a WSE-enabled proxy is generated, and a WSE Settings button was added to the context menu shown when you right-click the VS project. Standalone tools: WseWsdl3.exe, WseConfigEditor3.exe, X509Certificate3.exe.
From WSE 3.0 to WCF - Interop

What kind of WSE 3.0 app interoperates easily with WCF?
Use ASMX services that interoperate easily with WCF: simple schemas, SOAP 1.1 compliant with the Basic Profile
Use the policy assertions WSE supports out of the box
HTTP is easier than TCP
Avoid where possible: rpc/encoded, SOAP extensions

Notes: How do you write a WSE 3.0 app that can easily interop with the upcoming WCF? Write an ASMX service that is easy to interop with: simple schemas, compliant with the Basic Profile, SOAP 1.1. Use the six out-of-the-box policy assertions supported by WSE 3.0. Use HTTP instead of TCP. Try to avoid rpc/encoded or SOAP extensions.
WCF bindings that interop with WSE 3.0

A CustomBinding with WSS 1.0 interops with WSE 3.0 UsernameOverTransport and MutualCertificate10.

WSE 3.0 turnkey policy security assertion -> WCF customBinding security configuration

UsernameOverTransport: <usernameOverTransportSecurity />
    <security messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" authenticationMode="UsernameOverTransport" />
    <textMessageEncoding messageVersion="Soap12WSAddressingAugust2004" />
MutualCertificate10: <mutualCertificate10 />
    <security messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" authenticationMode="MutualCertificate" />

Notes: The six out-of-the-box WSE turnkey policy assertions can easily interop with WCF. WCF's custom binding with the 2004/08 addressing version and the WSS 1.0 security version interops with WSE 3.0's UsernameOverTransport assertion as well as its MutualCertificate10 assertion.
WCF bindings that interop with WSE 3.0

A CustomBinding with the default security version interops with the remaining WSE 3.0 policy security assertions.

WSE 3.0 turnkey policy security assertion -> WCF customBinding security configuration

UsernameForCertificate: <usernameForCertificate />
    <security authenticationMode="UsernameForCertificate" />
    <textMessageEncoding messageVersion="Soap12WSAddressingAugust2004" />
AnonymousForCertificate: <anonymousForCertificate />
    <security authenticationMode="AnonymousForCertificate" />
Kerberos: <kerberos />
    <security authenticationMode="Kerberos" />
MutualCertificate11: <mutualCertificate11 />
    <security authenticationMode="MutualCertificate" />

Notes: CustomBinding can interop with the rest of the WSE policy assertions. SOAP 1.2 can be replaced by SOAP 1.1.
Demo: Interop

Client: WSE 3.0
Server: WCF
Scenario: AnonymousForCertificate
C:\dd\Indigo_WAP\ddsuites\src\indigo\Suites\Security\Interop\Client\WSE\WSE.sln

Make sure .svc is registered (script-mapped to C:\WINDOWS\Microsoft.NET\Framework\v2.0.x86chk\aspnet_isapi.dll, verbs GET,HEAD,POST,DEBUG).
From WSE 3.0 to WCF - Migration

WSE policy assertions can be mapped to WCF bindings.

WSE policy:

```xml
<policies>
  <policy name="MyPolicy">
    <usernameForCertificate messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" />
  </policy>
</policies>
```

WCF binding:

```xml
<customBinding>
  <binding name="MyBinding">
    <security authenticationMode="UsernameForCertificate"
              messageProtectionOrder="SignBeforeEncrypt"
              requireDerivedKeys="true" />
  </binding>
</customBinding>
```

Notes: It is easy to map a WSE turnkey policy assertion to a WCF custom binding, or to basicHttpBinding, as described on the previous slides.
Demo: Migration

Client: WSE policy file -> WCF binding
Scenario: AnonymousForCertificate

Notes: Client/server: programmatically use the existing policy file to generate the WCF binding. Scenario: AnonymousForCertificate.
C:\dd\Indigo_WAP\ndp\indigo\samples\sdk\Current\TechnologySamples\Basic\Client\Interop\WSE\WSEInteropBinding\CS\
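The mapping on the two binding slides and the migration slide, as an added example (not from the talk and not either product's own tooling): it reads a WSE 3.0 policy file, looks the turnkey assertion up in the table from the interop slides, and emits the equivalent customBinding. It assumes the policy file uses the WSE 3.0 policy schema's element and attribute names (usernameForCertificateSecurity, messageProtectionOrder, requireDerivedKeys); the transport element it appends is an assumption beyond what the slides show, since a customBinding needs one.

```python
import xml.etree.ElementTree as ET

# messageSecurityVersion the interop slides pair with the two WSS 1.0 assertions.
WSS10 = ("WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005"
         "WSSecurityPolicy11BasicSecurityProfile10")

# WSE turnkey assertion -> (WCF authenticationMode, messageSecurityVersion; None = WCF default)
ASSERTION_MAP = {
    "usernameOverTransport":   ("UsernameOverTransport", WSS10),
    "mutualCertificate10":     ("MutualCertificate", WSS10),
    "usernameForCertificate":  ("UsernameForCertificate", None),
    "anonymousForCertificate": ("AnonymousForCertificate", None),
    "kerberos":                ("Kerberos", None),
    "mutualCertificate11":     ("MutualCertificate", None),
}

# Constructed policy file in the shape of the migration slide.
SAMPLE_POLICY = """<policies>
  <policy name="MyPolicy">
    <usernameForCertificateSecurity messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" />
  </policy>
</policies>"""

def policy_to_custom_binding(xml_text, policy_name, binding_name, soap11=False):
    # Return the <customBinding> element equivalent to the named WSE policy.
    policies = ET.fromstring(xml_text).findall("policy")
    policy = next(p for p in policies if p.get("name") == policy_name)
    assertion = policy[0]
    # policy files name the element e.g. usernameForCertificateSecurity; the slides drop the suffix
    kind = assertion.tag[:-8] if assertion.tag.endswith("Security") else assertion.tag
    if kind not in ASSERTION_MAP:
        raise ValueError(f"{kind}: not a turnkey assertion, needs a custom binding element")
    auth_mode, version = ASSERTION_MAP[kind]
    custom = ET.Element("customBinding")
    binding = ET.SubElement(custom, "binding", name=binding_name)
    security = ET.SubElement(binding, "security", authenticationMode=auth_mode)
    if version is not None:
        security.set("messageSecurityVersion", version)
    for attr in ("messageProtectionOrder", "requireDerivedKeys"):  # carried across unchanged
        if assertion.get(attr) is not None:
            security.set(attr, assertion.get(attr))
    message_version = "Soap11WSAddressingAugust2004" if soap11 else "Soap12WSAddressingAugust2004"
    ET.SubElement(binding, "textMessageEncoding", messageVersion=message_version)
    # Assumption beyond the slide: a customBinding also needs a transport element, and
    # UsernameOverTransport relies on transport security, so it gets httpsTransport.
    ET.SubElement(binding, "httpsTransport" if kind == "usernameOverTransport" else "httpTransport")
    return custom

def to_config(element):
    # Serialise as the text you would paste under <bindings> in app.config / web.config.
    return ET.tostring(element, encoding="unicode")
```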
From WSE 3.0 to WCF - MTOM

MTOM (Message Transmission Optimization Mechanism) is a way of transmitting attachments. It is convenient and efficient and is already widely used in the industry.

WSE: MTOM is just a config switch

```xml
<messaging>
  <mtom clientMode="On" serverMode="optional" />
</messaging>
```

WCF: MTOM is part of the binding

```xml
<binding name="MyBinding">
  <mtomMessageEncoding />
</binding>
```

Notes: Enabling MTOM in WSE can be as simple as a switch in the messaging configuration section, or a property on the proxy code. MTOM in WCF is part of the encoding binding element and can be set either in code or in config.
From WSE 3.0 to WCF - Secure Conversation

Secure Conversation is a way to speed up the exchange of secured messages. It mainly relies on symmetric-key technology, which is a big advantage when many messages are exchanged.

WSE: SC is an attribute of the policy

```xml
<policies>
  <policy name="MyPolicy">
    <usernameForCertificate establishSecurityContext="true" />
  </policy>
</policies>
```

WCF: SC is an attribute of the binding

```xml
<binding name="MyBinding">
  <security mode="Message">
    <message establishSecurityContext="true" />
  </security>
</binding>
```

Notes: WSE: SC is enabled with the establishSecurityContext attribute in the policy. WCF: SC is enabled with the establishSecurityContext attribute in the binding.
From WSE 3.0 to WCF - Custom Policy Assertion

WSE: a custom policy assertion is a policy extension

```xml
<policies>
  <extensions>
    <extension name="MyAssertion" type="MyType, MyDLL" />
  </extensions>
  <policy name="myServerPolicy">
    <MyAssertion>…</MyAssertion>
  </policy>
</policies>
```

WCF: a custom binding element

```xml
<bindingElementExtensions>
  <add name="MyEncoder" type="MyType, MyDLL" />
</bindingElementExtensions>
<binding name="MyBinding">
  <myMessageEncoding>…</myMessageEncoding>
</binding>
```

Notes: A custom policy assertion in WSE can be translated into a custom binding element in WCF.
From WSE 3.0 to WCF - Custom Security Token

WSE: security token manager

```xml
<security>
  <securityTokenManagers>
    <add tokenType=".." type="MyToken, MyDLL" />
  </securityTokenManagers>
</security>
```

WCF: ServiceCredentials / ClientCredentials

```csharp
// CustomCredentials derives from ServiceCredentials; host is the ServiceHost.
ServiceCredentials credentials = new CustomCredentials();
…
host.Description.Behaviors.Remove(typeof(ServiceCredentials));
host.Description.Behaviors.Add(credentials);
```

Notes: A custom security token in WSE can be translated into a custom token in WCF as well. See the code snippet above for the object model.
Summary

ASP.NET laid the foundation for XML Web Services; WSE 3.0 gives you a good start on secure Web Services; WCF will finally let you build fast, convenient and reliable Web Services of a new kind.
WSE 3.0, released at the end of last year, has these main features: Security, Policy, Diagnostics, Tools.
If you have already adopted WSE 3.0 to improve your web service security, it will interoperate with the upcoming WCF.
If you want to move from WSE 3.0 up to WCF once WCF ships, you will be able to do so easily.

Notes: ASP.NET lays out the basics for writing a simple XML Web Service; WSE 3.0 helps you start writing secure web services; and WCF will finally enable you to write fast, secure, reliable and transacted web services. WSE 3.0's major features include security, policy, diagnostics and tools. If you have already adopted WSE 3.0, it will interop with the upcoming WCF release. Migrating a WSE 3.0 app to WCF should be relatively straightforward.
Resources

During this conference: want to learn more about WCF and get hands-on with the upcoming release? Attend the talk on Windows Communication Foundation ("Indigo"), CON210.

After this conference:
WSE 3.0 web site: http://msdn.microsoft.com/webservices/webservices/building/wse/
WSE 3.0 blogs:
    Mark Fussell: http://blogs.msdn.com/mfussell/
    Hongmei Ge: http://blogs.msdn.com/hongmeig/default.aspx

Notes: During this conference, please go to the other talk on WCF (Con210). After this conference, please visit the official WSE 3.0 web site; there are also some useful blogs on WSE.
Q&A