Web Services Security with Visual Studio 2005 Muhammad Saqib Ilyas
Speaker.Bio.ToString() Assistant Professor, N.E.D. University Country Leader, INETA Pakistan MVP IEEE Student Branch Counselor Secretary/Treasurer IEEE Communications Society, Karachi Chapter Member IEEE Karachi Section Executive Committee
Agenda Indigo programming model Sample code Indigo security model Sample code
Indigo What is Indigo? Next generation distributed application development tools (the code name for what later shipped as Windows Communication Foundation)
Model Service EP1 EP2 Metadata Network Consumer EP
Indigo components Network Service Consumer Endpoint (the only way to get to a service) No need to share Metadata defines endpoints
ABC of Indigo Address – How do you get to the endpoint (transport dependent) Binding – controls transport, encoding and protocols (can evolve) Contract – specification of operations and messages
Obtaining Indigo Download and install, “Avalon and Indigo Beta 1 RC” Install Visual Studio 2005 Beta 2 Install WinFX SDK Add reference to System.ServiceModel.dll using System.ServiceModel
Indigo programming model Services can be: –self hosted –Hosted in IIS –WAS Use [ServiceContract] attribute with contract definition Use [OperationContract] attribute with contract implementation
Indigo programming model BasicProfileBinding – Legacy XML Web Services ServiceHost<> AddEndPoint() Open() Iterate ServiceEndPoints ChannelFactory<> CreateChannel() Close() on ChannelFactory and ServiceHost
Indigo security Indigo security: –Secures message exchange between entities –Secures access to resources by entities –Records requests to resources by entities
Entity, Resources Entity: a piece of software, a person, etc. Resource: something an entity wants to do something with Credentials are used to achieve the goals
Credential Claims –Information about an entity –Used for controlling access to resources Issuer –Certifies claims about an entity in the credentials Proof of possession –How an entity proves that it provided the claims –Used to secure message exchange
Indigo goals Integrity –Signing messages –May use sender credentials Confidentiality –Encryption –Uses recipient credentials
Secure by default Standard bindings are secure –Except for BasicProfileBinding Security mode: –Transport: underlying transport is secure –Message: WS-Security protocols Protection level –None –Sign (integrity) –Sign and encrypt (integrity + confidentiality)
Resource access security Gates enforce security permissions Multiple supported security gates –Host (file or URL level) –Operation contract (message level) –Application resources
Recording access Windows XP: application log Windows 2003: security log Not yet!
Code using System.ServiceModel; using System.Security.Permissions; using System.Security.Principal; using System.Net.Security; using System.Security.Cryptography.X509Certificates;
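An added example (not from the slides) tying the programming-model and security slides together: a contract that demands sign-and-encrypt protection, an operation gated by a role demand, and a host plus channel factory. It is written against the shipped System.ServiceModel API (Indigo became WCF), so the names differ slightly from the Beta 1 ones on the slides (ServiceHost<> and AddEndPoint became ServiceHost and AddServiceEndpoint; BasicProfileBinding became BasicHttpBinding); the service name, role name and addresses are constructed.

```csharp
using System;
using System.Net.Security;
using System.Security.Permissions;
using System.ServiceModel;

// Contract-level protection: every message on this contract must be
// signed and encrypted (integrity + confidentiality). A binding that
// cannot deliver that, such as BasicHttpBinding with its default of no
// security, fails at host.Open() instead of silently sending clear text.
[ServiceContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
public interface IAccountService
{
    [OperationContract]
    decimal GetBalance(string accountId);
}

public class AccountService : IAccountService
{
    // Operation-level gate: the caller's Windows principal must be in the
    // (constructed) Auditors group, otherwise a SecurityException is raised
    // before the method body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Auditors")]
    public decimal GetBalance(string accountId)
    {
        return 100m; // constructed sample value
    }
}

class Program
{
    static void Main()
    {
        var baseAddress = new Uri("http://localhost:8000/");
        // WSHttpBinding is one of the standard bindings that are secure by
        // default: message security with Windows credentials.
        var binding = new WSHttpBinding();

        var host = new ServiceHost(typeof(AccountService), baseAddress);
        host.AddServiceEndpoint(typeof(IAccountService), binding, "account");
        host.Open();

        var factory = new ChannelFactory<IAccountService>(
            binding, new EndpointAddress(new Uri(baseAddress, "account")));
        IAccountService proxy = factory.CreateChannel();
        Console.WriteLine(proxy.GetBalance("ACC-1"));

        factory.Close();
        host.Close();
    }
}
```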
Links MSDN Avalon