1
WS-Security. Yosi Taguri, .NET Platform Group, Microsoft Israel. yosit@microsoft.com, http://blogs.msdn.com/yosit
3
Agenda: WSE Basics; Security Tokens; Integrity; Confidentiality; Making It All Sing Together; How do I write WS-Security code faster?
4
Protocol domains. [Layered diagram: Advanced Protocols (Security, Messaging, Transactions, Metadata, Reliable Messaging) on top of SOAP, XML, WSDL, on top of Internet Transports.]
5
Web Service Enhancements. WSE offers initial support for new protocols: a “close to the metal” implementation, with the application model left to the developer. WSE is intended for early adopters. Supported, but for 2+1 years; expect to migrate… WSE 2.0 Tech Preview is now available.
6
WSE and interoperability. WSE's protocols are not yet widely implemented: some interop with some kits (WebSphere), but it does not interop with arbitrary toolkits. There is no standard mechanism for describing protocol usage in WSDL, so you must know what the other end of the pipe is doing; WS-Policy is intended to address this. WSE is most useful in the enterprise or with key partners.
7
WSE 1.0. Simple framework layered on ASP.NET Web Services. Support for WS-Security, WS-Routing/Referral, WS-Attachments/DIME.
8
WSE 2.0 Tech Preview. Extended security support: WS-SecureConversation, WS-Trust, improved token management, protection from replay attacks. New WS-Policy support. Extended messaging support: WS-Addressing supplants WS-Routing.
9
ASP.NET and WSE. ASP.NET provides support for basic Web services: only the base-line protocols, only the RPC programming model. The Web Services Enhancements (WSE) add-on provides advanced features on top of ASP.NET: the latest protocols, like WS-Security, and a messaging programming model.
10
How WSE works. Core WSE functionality is implemented as input and output filters. [Diagram: the client's output filters feed the server's input filters; the server's output filters feed the client's input filters.]
11
What the IO filters do. WSE’s input and output filters map protocols to and from SOAP messages. Protocol info is modeled by SoapContext: output filters use SoapContext info to update the outbound message; input filters use the inbound message to update SoapContext info.
12
Pipeline, output filters. [Diagram: specific protocol properties on the SoapContext of a SoapWebRequest; the output filter turns the basic SOAP message into a SOAP message with protocols applied.]
13
Pipeline, input filters. [Diagram: the input filter takes a SOAP message with protocols applied, produces the basic SOAP message, and records the specific protocol properties on the SoapContext of the SoapWebResponse.]
14
The Pipeline. Use of IO filters is encapsulated by the pipeline class; the pipeline plumbing is used by higher-level proxy/service code. The pipeline can be extended with custom filters and configured per-proxy or per-process.
15
Server integration. WebServicesExtension uses the pipeline to filter SOAP messages: input filters process request messages, output filters process response messages. RequestSoapContext.Current exposes the protocol settings of the last message received; ResponseSoapContext.Current exposes the protocol settings for the next message sent.
16
Server integration. [Diagram: on the server, WebServicesExtension passes the HttpRequest's SoapContext (RequestSoapContext.Current) through the input filter to the Web Service, and the HttpResponse's SoapContext (ResponseSoapContext.Current) through the output filter; both hang off HttpContext.Current.]
17
Proxy integration. WebServicesClientProtocol is the new proxy base class: output filters process request messages, input filters process response messages. The RequestSoapContext property exposes the protocol settings for the next message sent; the ResponseSoapContext property exposes the protocol settings of the last message received.
18
Proxy integration. [Diagram: the proxy class derives from WebServicesClientProtocol; its RequestSoapContext is attached to the SoapWebRequest and passed through the output filter, and the SoapWebResponse's SoapContext comes back through the input filter as ResponseSoapContext.]
19
Proxy integration
using System;

class Program
{
    static void Main()
    {
        // create a WebServicesClientProtocol-derived proxy class
        TimeServiceWse proxy = new TimeServiceWse();

        // WebServicesClientProtocol gives the pipeline a chance to filter
        // the request and response messages
        Console.WriteLine(proxy.GetTime());
    }
}
20
WS-Security defines a framework for building security protocols using existing protocols: propagation of security tokens, integrity via XML Signature, confidentiality via XML Encryption. The framework is designed for end-to-end security of SOAP messages, from the initial sender, through 0-n intermediaries, to the ultimate receiver.
21
Security Tokens. Tokens represent claims about identity, capabilities, or privileges. WS-Security provides constructs for transmitting security tokens and supports text and binary tokens. The OASIS WS-Security TC is producing several token profiles: Username/Password, X509, Kerberos, SAML, XrML.
22
Security Tokens
23
UsernameToken. A UsernameToken contains a username and a password. The password is optional and can be passed as plaintext or as a digest. Plaintext is BAD unless the token is encrypted; a digest is not much better, and the token should still be encrypted. Best to encrypt the token for the recipient. By default it is authenticated against Windows. It is only capable of signing, not encrypting.
24
Where are we? Authentication and authorization are tightly coupled in WSE and integrated with Windows. Messages are still unsigned.
25
Message Integrity. How do you know the message has not been altered? A bad guy could copy the token into another message, or alter the timestamp, headers, or body of the message. Parts of a message can be signed to ensure integrity, based on XML Signature (XMLDSIG).
26
Integrity, sender. I want to send a SOAP message and ensure that the body is not modified: I generate a digest of the SOAP body; I generate a signature over the digest (and some other info) using my private key; I include my public key in a security token.
27
Integrity, receiver. You want to check that the body of the message was not modified: you generate a digest for the SOAP body; you compare your digest with the one in the message; you check that the signature is valid using my public key. As a side-effect, you know the message was from me.
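The sender and receiver steps of the two integrity slides, as an added example that is not from the presentation and not WSE code: a language-neutral illustration in Go, with a struct standing in for the SOAP envelope and RSA over a SHA-256 digest standing in for XML Signature; the body text is constructed. The receiver's check fails both when only the body is changed and when an attacker re-digests the altered body, because the signature covers the digest.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedMessage stands in for a SOAP envelope with a signed body and a security token.
type SignedMessage struct {
	Body      string
	Digest    []byte        // <Reference> digest of the body
	Signature []byte        // <SignatureValue> over the digest
	Token     rsa.PublicKey // security token carrying the sender's public key
}

// Sign is the sender side: digest the body, sign the digest with the private key,
// attach the public key as the security token.
func Sign(priv *rsa.PrivateKey, body string) (*SignedMessage, error) {
	digest := sha256.Sum256([]byte(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedMessage{body, digest[:], sig, priv.PublicKey}, nil
}

// Verify is the receiver side: recompute the digest, compare it with the one in
// the message, then check the signature with the public key from the token.
func Verify(m *SignedMessage) error {
	digest := sha256.Sum256([]byte(m.Body))
	if !bytes.Equal(digest[:], m.Digest) {
		return fmt.Errorf("digest mismatch: body altered after signing")
	}
	if err := rsa.VerifyPKCS1v15(&m.Token, crypto.SHA256, digest[:], m.Signature); err != nil {
		return fmt.Errorf("signature invalid: %w", err)
	}
	return nil // body intact, and signed by the holder of the private key
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	msg, _ := Sign(priv, "<Body><GetTime/></Body>") // constructed sample body
	fmt.Println("valid:", Verify(msg))
	msg.Body = "<Body><GetTime tampered=\"yes\"/></Body>"
	fmt.Println("tampered:", Verify(msg))
}
```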
28
Message confidentiality. How do you know the message hasn't been read? A bad guy can read the XML payload anywhere along the wire. Parts of a message can be encrypted to ensure confidentiality, based on XML Encryption (XMLENC).
29
Confidentiality, sender. I want to send a SOAP message and ensure that only you can read the content of the body: I generate a symmetric key; I encrypt that key using your public key; I encrypt the content of the body using the symmetric key; I include both the encrypted data and the encrypted key in the message.
30
Confidentiality, receiver. You want to read the encrypted content of the body: you decrypt the symmetric key using your private key; you decrypt the content of the body using the symmetric key.
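The sender and receiver steps of the two confidentiality slides, as an added example that is not from the presentation and not WSE code: a language-neutral illustration in Go, with RSA-OAEP standing in for the XML Encryption EncryptedKey and AES-GCM for the EncryptedData; the struct and the nonce field are stand-ins for the XMLENC elements. Decryption with any other private key fails at the key-unwrapping step, and a modified ciphertext fails at the body step.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EncryptedMessage stands in for a SOAP envelope: <EncryptedKey> in the security header, <EncryptedData> as the body.
type EncryptedMessage struct {
	EncryptedKey []byte // symmetric key wrapped with the recipient's public key
	Nonce        []byte // AES-GCM nonce (stand-in for the XMLENC IV)
	Body         []byte // body ciphertext
}

func randomBytes(n int) []byte { // CSPRNG output; failure is unrecoverable
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Encrypt is the sender side: generate a fresh symmetric key, wrap it with the
// recipient's public key, encrypt the body under the symmetric key.
func Encrypt(recipient *rsa.PublicKey, body string) (*EncryptedMessage, error) {
	key := randomBytes(32) // AES-256 key, used for this message only
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	nonce := randomBytes(gcm.NonceSize())
	return &EncryptedMessage{wrapped, nonce, gcm.Seal(nil, nonce, []byte(body), nil)}, nil
}

// Decrypt is the receiver side: unwrap the symmetric key with the recipient's
// private key, then decrypt the body. Any other private key fails at step one.
func Decrypt(priv *rsa.PrivateKey, m *EncryptedMessage) (string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, m.EncryptedKey, nil)
	if err != nil {
		return "", err // wrong private key: the wrapped key cannot be recovered
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, m.Nonce, m.Body, nil) // also fails on a tampered body
	return string(plain), err
}
```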
31
Trust
32
Validating a Security Token
33
Using An Issued Security Token
34
Secure Conversation
35
Policy
36
Summary. Not all security tokens are created equal: make sure your tokens can do what you want them to do. Design with WSE in mind – it is the future. Soap, Soap, Soap.
37
Resources. MSDN Web Services Developer Center: http://msdn.microsoft.com/webservices
38
Questions?
39
© 2003-2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.