1. Web Services Security with Visual Studio 2005 Muhammad Saqib Ilyas muhammad.saqib@ineta.org

2. Speaker.Bio.ToString() Assistant Professor, N.E.D. University Country Leader, INETA Pakistan MVP IEEE Student Branch Counselor Secretary/Treasurer IEEE Communications Society, Karachi Chapter Member IEEE Karachi Section Executive Committee

3. Agenda Indigo programming model Sample code Indigo security model Sample code

4. Indigo What is indigo? Next generation distributed application development tools

5. Model Service EP1 EP2 Metadata Network Consumer EP

6. Indigo components Network Service Consumer Endpoint (the only way to get to a service) No need to share Metadata defines endpoints

7. ABC of Indigo Address – How do you get to the endpoint (transport dependent) Binding – controls transport, encoding and protocols (can evolve) Contract – specification of operations and messages

8. Obtaining Indigo Download and install, “Avalon and Indigo Beta 1 RC” Install Visual Studio 2005 Beta 2 Install WinFX SDK Add reference to System.ServiceModel.dll using System.ServiceModel

9. Indigo programming model Services can be: –self hosted –Hosted in IIS –WAS Use [ServiceContract] attribute with contract definition Use [OperationContract] attribute with contract implementation

10. Indigo programming model BasicProfileBinding – Legacy XML Web Services ServiceHost<> AddEndPoint() Open() Iterate ServiceEndPoints ChannelFactory<> CreateChannel() Close() on ChannelFactory and ServiceHost

11. Indigo security Indigo security: –Secures message exchange between entities –Secures access to resources by entities –Records requests to resources by entities

12. Entity, Resources Entity: a software, a person etc Resource: something to do something with Credentials are used to achieve the goals

13. Credential Claims –Information about an entity –Used for controlling access to resources Issuer –Certifies claims about an entity in the credentials Proof of possession –How an entity proves that it provided the claims –Used to secure message exchange

14. Indigo goals Integrity –Signing messages –May use sender credentials Confidentiality –Encryption –Uses recipient credentials

15. Secure by default Standard bindings are secure –Except for BasicProfileBinding Security mode: –Transport: underlying transport is secure –Message: WS-Security protocols Protection level –None –Sign (integrity) –Sign and encrypt (integrity + confidentiality)

16. Resource access security Gates enforce security permissions Multiple supported security gates –Host (file or URL level) –Operation contract (message level) –Application resources

17. Recording access Windows XP: application log Windows 2003: security log Not yet!

18. Code using System.ServiceModel; using System.Security.Permissions; using System.Security.Principal; using System.Net.Security; using System.Security.Cryptography.X509Certifi cates;

19. Links http://msdn.microsoft.com/webservices http://msaqib.blogspot.com http://www.saqibilyas.info MSDN Avalon