
1 WEB401 Security Practices for Web Services (Part 2)
Keith Ballinger, Program Manager, XML Messaging, Microsoft Corporation

2 Agenda
- Trusting clients and services
- Enabling a manageable B2B infrastructure
- Creating a security context
- Faster security performance
- Authoring security policy
- Removing the need for writing a lot of security code

3 Trust
Relationships and identity:
- How do I prove who I am?
- Who can vouch for me?
- How do you know you can trust him?
These questions are answered with signed security tokens.
WS-Trust defines a protocol for issuing and obtaining security tokens.

4 Trust
Several models for issuing tokens:
- Client obtains token
- Service obtains token for client
- Etc…
[Diagrams of three token-issuing arrangements; participants: Client, Token Issuer, Service; Client, Service, Token Issuer 1, Token Issuer 2; Client, Token Issuer, Service]

5 Trust
Requesting a security token (RST)...
Issuing a security token (RSTR)

6 Trust
- The RST is usually signed with a token the token issuer trusts.
- The RSTR issues the new token.
- A proof-of-possession token can also be returned. This token includes a key that the requestor can use to prove he is allowed to use the issued token.

7 Issuing a custom XML-based security token (demo)

8 Secure conversation
Token issuing can also occur between two parties: the Client, and the Service acting as Token Issuer.
Typically this is done to create higher-performance security processing.
WS-SecureConversation is an example.

9 Secure conversation
WS-SecureConversation details how to issue a SecurityContextToken (SCT).
In WSE, this lightweight token takes the place of a more processing-intensive token.
[Diagram: Client and Service (acting as Token Issuer): request for SCT; SCT issued to client; series of messages signed with the issued SCT]

10 Building a Secure Conversation with WSE (demo)
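The RST/RSTR exchange of slides 5 and 6 and the SCT session of slides 8 and 9, modelled end to end as an added example. This is illustrative Python written for this page, not WSE or any Microsoft code, and it makes these assumptions: plain dicts stand in for the SOAP/XML messages, HMAC-SHA256 stands in for XML Signature, the client's trusted token is a UsernameToken whose password acts as the signing key, and the issuer and the service share a long-term secret that represents their trust relationship. The names (`build_rst`, `issue_sct`, `sign_message`, `verify_message`, the credentials) are all hypothetical.

```python
"""Added example: RST/RSTR issuance and an SCT-style signed session.
Not WSE or Microsoft code; see the lead-in for the assumptions."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed credentials for the example (hypothetical values).
ISSUER_SERVICE_SECRET = b"issuer<->service long-term secret"   # the trust relationship
CLIENT_PASSWORDS = {"alice": b"correct horse battery staple"}  # issuer's UsernameToken store
SCT_LIFETIME_SECONDS = 300


def _mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _canon(obj) -> bytes:
    # Stand-in for XML canonicalization: a stable serialization to sign over.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


# Client: the RST is signed with a token the issuer trusts (here the
# UsernameToken password is the signing key).
def build_rst(username: str, password: bytes, now: float) -> dict:
    body = {"RequestType": "Issue", "TokenType": "SecurityContextToken",
            "AppliesTo": "https://service.example/echo", "Created": now}
    return {"Username": username, "Body": body,
            "Signature": _mac(password, _canon(body))}


# Issuer: verify the RST signature, then issue the SCT plus a proof-of-possession key.
def issue_sct(rst: dict, now: float) -> Optional[dict]:
    password = CLIENT_PASSWORDS.get(rst["Username"])
    if password is None:
        return None
    if not hmac.compare_digest(rst["Signature"], _mac(password, _canon(rst["Body"]))):
        return None  # signed by a token the issuer does not trust
    sct = {"Identifier": "uuid:" + secrets.token_hex(8),
           "Subject": rst["Username"],
           "Expires": now + SCT_LIFETIME_SECONDS}
    # Two domain-separated derivations from the issuer/service secret: the
    # service can recompute both, so no key has to travel to it.  Without the
    # "pop:"/"sig:" labels the issuer signature would equal the PoP key and
    # leak it to anyone who sees a message.
    pop_key = hmac.new(ISSUER_SERVICE_SECRET, b"pop:" + _canon(sct), hashlib.sha256).digest()
    return {"RequestedSecurityToken": sct,
            "IssuerSignature": _mac(ISSUER_SERVICE_SECRET, b"sig:" + _canon(sct)),
            "RequestedProofToken": pop_key.hex()}  # real WS-Trust encrypts this for the client


# Client: every application message is signed with the PoP key; the SCT itself
# travels in the header so the service can identify the context.
def sign_message(rstr: dict, payload: dict, now: float) -> dict:
    key = bytes.fromhex(rstr["RequestedProofToken"])
    header = {"SecurityContextToken": rstr["RequestedSecurityToken"],
              "IssuerSignature": rstr["IssuerSignature"], "Created": now}
    return {"Header": header, "Body": payload,
            "Signature": _mac(key, _canon({"Header": header, "Body": payload}))}


# Service: one HMAC derivation and two comparisons per message, no certificate
# chain walk and no issuer round trip.  Returns the subject, or None on failure.
def verify_message(msg: dict, now: float) -> Optional[str]:
    sct = msg["Header"]["SecurityContextToken"]
    if now > sct["Expires"]:
        return None  # stale context: the client must request a new SCT
    if not hmac.compare_digest(msg["Header"]["IssuerSignature"],
                               _mac(ISSUER_SERVICE_SECRET, b"sig:" + _canon(sct))):
        return None  # SCT was not issued by the trusted issuer
    pop_key = hmac.new(ISSUER_SERVICE_SECRET, b"pop:" + _canon(sct), hashlib.sha256).digest()
    expected = _mac(pop_key, _canon({"Header": msg["Header"], "Body": msg["Body"]}))
    if not hmac.compare_digest(msg["Signature"], expected):
        return None  # sender lacks the PoP key, or the message was altered
    return sct["Subject"]


if __name__ == "__main__":
    import time
    t = time.time()
    rstr = issue_sct(build_rst("alice", CLIENT_PASSWORDS["alice"], t), t)
    msg = sign_message(rstr, {"Echo": "hello"}, t)
    print(verify_message(msg, t + 1))  # prints: alice
```

The performance point of slide 8 is visible in `verify_message`: after the one-time RST/RSTR, each message costs the service a symmetric derivation and two HMAC checks, which is what the lightweight SCT buys over re-validating an X.509 token on every call. The expiry check is what bounds the damage if a PoP key leaks.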

11 Policy
Beyond what WSDL provides, what else is needed to describe a Web service?
- Security requirements
- Reliable messaging assurances
- Protocol versioning
- Etc…
These other attributes of a service can be described with WS-Policy:
- XML-based language
- Complex: , , etc…

12 Policy
<wsp:Policy wsu:Id="message-age">
  <wsse:MessageAge wsp:Usage="wsp:Required" Age="5" />
</wsp:Policy>

13 Security policy
WS-SecurityPolicy specifies the assertions for expressing requirements related to WS-Security.
Can be embedded inside the other two.

14 Security Policy
[Policy example; the surviving values are the token type X509v3 and the message part wsp:Body()]

15 Role-based security
IPrincipal is the .NET interface for role-based authorization:
- bool IsInRole(String str)
SecurityToken.Principal is an implementation of IPrincipal.
- Automatically set for UsernameToken and KerberosSecurityToken
- Call the method explicitly, or use Policy

16 Role-Based Authorization using Security Policy (demo)
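How a policy like the one on slide 12 is evaluated against an incoming message, extended to the token, integrity and role requirements of slides 13 to 16, as an added example. This is illustrative Python written for this page, not WSE's policy engine or any Microsoft code. Assumptions: the namespace URIs are the 2002 WS-Policy/WS-Security draft URIs and should be swapped for whatever your stack emits; the `Role` assertion and the `Principal`/`Message` classes are hypothetical stand-ins for WSE's role assertion and for `IPrincipal`; and the `Message` fields describe facts the WS-Security layer has already verified (signature checked, token authenticated) before policy runs.

```python
"""Added example: evaluating WS-Policy style assertions, including a role
check modelled on IPrincipal.IsInRole.  Not WSE or Microsoft code; see the
lead-in for the assumptions."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List

# Assumed draft namespaces; substitute the ones your stack uses.
WSP = "http://schemas.xmlsoap.org/ws/2002/12/policy"
WSSE = "http://schemas.xmlsoap.org/ws/2002/12/secext"
WSU = "http://schemas.xmlsoap.org/ws/2002/07/utility"

# Constructed policy: the slide's MessageAge assertion plus a required X509v3
# token, integrity over the body, and a hypothetical Role assertion.
POLICY_XML = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" wsu:Id="echo-policy">
  <wsse:MessageAge wsp:Usage="wsp:Required" Age="5"/>
  <wsse:SecurityToken wsp:Usage="wsp:Required">
    <wsse:TokenType>wsse:X509v3</wsse:TokenType>
  </wsse:SecurityToken>
  <wsse:Integrity wsp:Usage="wsp:Required">
    <wsse:MessageParts>wsp:Body()</wsse:MessageParts>
  </wsse:Integrity>
  <wsse:Role wsp:Usage="wsp:Required" Name="Administrators"/>
</wsp:Policy>
"""


@dataclass
class Principal:
    """Minimal stand-in for .NET IPrincipal: a name plus IsInRole()."""
    name: str
    roles: List[str] = field(default_factory=list)

    def is_in_role(self, role: str) -> bool:
        return role in self.roles


@dataclass
class Message:
    """What the security layer hands to policy: already-verified facts only."""
    created: float            # wsu:Created of the message, in seconds
    token_types: List[str]    # verified token types, e.g. "wsse:X509v3"
    signed_parts: List[str]   # parts covered by a verified signature
    principal: Principal      # set from the authenticated token


def evaluate(policy_xml: str, msg: Message, now: float) -> List[str]:
    """Return assertion failures; an empty list means the policy is satisfied."""
    failures: List[str] = []
    for assertion in ET.fromstring(policy_xml.strip()):
        usage = assertion.get(f"{{{WSP}}}Usage", "wsp:Required")
        if usage == "wsp:Optional":
            continue
        tag = assertion.tag.split("}", 1)[1]
        if tag == "MessageAge":
            age = now - msg.created
            # Reject future-dated messages too; otherwise a forged Created far
            # in the future satisfies any age limit.
            holds = 0.0 <= age <= float(assertion.get("Age"))
        elif tag == "SecurityToken":
            holds = assertion.findtext(f"{{{WSSE}}}TokenType") in msg.token_types
        elif tag == "Integrity":
            parts = [p.text for p in assertion.findall(f"{{{WSSE}}}MessageParts")]
            holds = all(p in msg.signed_parts for p in parts)
        elif tag == "Role":
            holds = msg.principal.is_in_role(assertion.get("Name"))
        else:
            # Fail closed: an assertion the evaluator does not understand
            # cannot be declared satisfied.
            failures.append(f"{tag}: unknown assertion, rejected")
            continue
        if usage == "wsp:Rejected":   # the assertion must NOT hold
            holds = not holds
        if not holds:
            failures.append(f"{tag} ({usage}) not satisfied")
    return failures


if __name__ == "__main__":
    admin = Principal("CN=alice", ["Administrators"])
    ok = Message(created=100.0, token_types=["wsse:X509v3"],
                 signed_parts=["wsp:Body()"], principal=admin)
    print(evaluate(POLICY_XML, ok, now=103.0))   # prints: []
```

Two design choices matter here. The evaluator only consumes facts the signature and token layers have already established, so a policy check never substitutes for verifying the signature; and an assertion it does not recognise fails the message rather than being skipped, which is the difference between a policy that can only be tightened by deployment and one that silently degrades.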

17 Suggested Reading and Resources
The tools you need to put technology to work!
Title: Writing Secure Code, Second Edition (ISBN 0-7356-1722-8). Available today.
Microsoft Press books are 20% off at the TechEd Bookstore. Also, buy any two Microsoft Press books and get a free T-shirt.

18 Community Resources
http://www.microsoft.com/communities/default.mspx
- Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
- Newsgroups: converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
- User Groups: meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx

19 Evaluations

20 © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

