.NET Web Services Security : Page 5

.NET has a lot to offer when it comes to both developing and consuming secure Web services. .NET allows developers to either rely on Windows-based authentication or develop custom authentication mechanisms. Each option has its own tradeoffs and implications on the programming models.


SOAP Extensions
Using SOAP extensions is an advanced way for a Web service developer to intercept every call coming into the service and perform custom pre- and post-call processing. The Web service client can also interact with the SOAP extension and provide its own custom pre- and post-call processing. For example, you can use SOAP extensions to compress the SOAP payload and to encrypt the information. Note that using SOAP extensions for payload encryption raises some interesting challenges, such as key distribution. In general, relying on SSL is a lot easier than developing a SOAP extension, especially for a public service.

You can also use SOAP extensions to transport the caller's credentials. If you encrypt the payload as well, there is no need for secure channels. Developing a real-life SOAP extension involves a non-trivial amount of work. In practice, the use of SOAP extensions assumes a .NET client interacting with a .NET service, because other development platforms have very little or no support for it.

This article only provides a brief mention of SOAP extensions, as a full discussion of this topic would merit an article in its own right.
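The interception pattern described above, as an added example that is not code from the article: a SoapExtension hooks the message stream with ChainStream, sees the message at each SoapMessageStage, and on the server side rejects a call that did not arrive over HTTPS before the method body ever runs (the kind of check the "clear-text password" question later in this article calls for). The class names RequireSecureChannelAttribute, RequireSecureChannelExtension and AccountService are assumptions chosen for the example; the SoapExtension, SoapExtensionAttribute and SoapException members used are the real .NET Framework API.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;

// Attribute that attaches the extension to an individual [WebMethod].
[AttributeUsage(AttributeTargets.Method)]
public class RequireSecureChannelAttribute : SoapExtensionAttribute
{
    private int priority;

    public override Type ExtensionType
    {
        get { return typeof(RequireSecureChannelExtension); }
    }

    public override int Priority
    {
        get { return priority; }
        set { priority = value; }
    }
}

public class RequireSecureChannelExtension : SoapExtension
{
    private Stream wireStream;   // stream handed to us by ASP.NET (network side)
    private Stream appStream;    // stream we give back for (de)serialization

    // Called once per message; the serializer reads/writes the stream we return,
    // so we get to see (and could transform) the bytes on their way to the wire.
    public override Stream ChainStream(Stream stream)
    {
        wireStream = stream;
        appStream = new MemoryStream();
        return appStream;
    }

    public override object GetInitializer(Type serviceType) { return null; }
    public override object GetInitializer(LogicalMethodInfo methodInfo,
                                          SoapExtensionAttribute attribute) { return null; }
    public override void Initialize(object initializer) { }

    public override void ProcessMessage(SoapMessage message)
    {
        switch (message.Stage)
        {
            case SoapMessageStage.BeforeDeserialize:
            {
                // Server side: the request has just arrived. Reject plain-HTTP calls
                // before any credentials in the body are deserialized. On the client
                // HttpContext.Current is null, so the check is simply skipped there.
                HttpContext ctx = HttpContext.Current;
                if (ctx != null && !ctx.Request.IsSecureConnection)
                    throw new SoapException("HTTPS is required for this method",
                                            SoapException.ClientFaultCode);
                // Move the incoming bytes from the wire to the stream the deserializer reads.
                Copy(wireStream, appStream);
                appStream.Position = 0;
                break;
            }
            case SoapMessageStage.AfterSerialize:
                // The outgoing message has been written to appStream; push it to the wire.
                appStream.Position = 0;
                Copy(appStream, wireStream);
                break;
            case SoapMessageStage.BeforeSerialize:
            case SoapMessageStage.AfterDeserialize:
                // Nothing to do at these stages for this extension.
                break;
        }
    }

    // .NET 1.x has no Stream.CopyTo, so copy in fixed-size chunks.
    private static void Copy(Stream from, Stream to)
    {
        byte[] buffer = new byte[4096];
        int read;
        while ((read = from.Read(buffer, 0, buffer.Length)) > 0)
            to.Write(buffer, 0, read);
    }
}

// Applying the extension to a Web method (example service, not from the article).
public class AccountService : WebService
{
    [WebMethod]
    [RequireSecureChannel]
    public string Ping() { return "pong"; }
}
```

The attribute form shown here applies the extension per method; an extension can also be applied to every method of every service by listing its type under soapExtensionTypes in web.config. Either way the SOAP fault thrown at BeforeDeserialize reaches the caller as a normal SoapException, which is the intended behaviour for a misconfigured client that tried to send credentials over plain HTTP.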

Comparing the Options
This article described three Windows-based and five custom authentication techniques for Web services. Obviously, there are many more permutations and variations on this theme. Table 1 lists the authentication options I discussed.

Table 1: Comparing Windows-based and custom authentication techniques for Web services.

Authentication Method          | Password Sent in Clear Text | Requires Windows | Authenticate on First Call Only
-------------------------------|-----------------------------|------------------|--------------------------------
Basic Authentication           | Yes                         | No               | Yes
Digest Authentication          | No                          | No               | Yes
Integrated Authentication      | No                          | Client/Server    | Yes
Log-in method                  | Yes                         | No               | Yes
SOAP header                    | Yes                         | No               | No
SOAP header with cookie        | Yes                         | No               | Yes
SOAP extension                 | Yes                         | Client/Server    | Depends
SOAP extension with encryption | No                          | Client/Server    | Depends

Here are the main points to consider when choosing an authentication mechanism:

  • Is the password sent in clear text, and does the mechanism therefore require HTTPS?
  • What are the platform requirements on both the client and the server side?
  • When does authentication take place, on the first call only or on every call, and what are the throughput implications of that?

My own recommendation is that whenever possible, you should choose Windows authentication over custom authentication to minimize the amount of work involved in developing the Web service. If you do need a custom solution, I would opt for the log-in method factored to a base class. It is trivial to apply, it results in clear declarative security for the Web methods, and it is intuitive and easy for the client to use. In addition, it is easier to call a method than to use a SOAP header or extension, especially if the client platform, such as legacy Visual Basic 6.0, does not have native support for SOAP headers or extensions.
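The "log-in method factored to a base class" recommended above, as an added illustration that is not the article's own code: a base class exposes Login and Logout, keeps the authenticated principal in session state, and restores it onto the worker thread for each request, so the derived service's Web methods can rely on declarative PrincipalPermission demands instead of repeating an imperative check. The names SecureWebService, OrderService and VerifyCredentials are assumptions, as is restoring the principal in the constructor (which assumes session state has already been acquired when the service instance is created); the credential check is a constructed placeholder.

```csharp
using System;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Services;

// Base class shared by every service that uses the log-in method.
public abstract class SecureWebService : WebService
{
    private const string PrincipalKey = "LoginPrincipal";

    protected SecureWebService()
    {
        // Each call runs on a fresh thread. Restore the principal saved at log-in time
        // so that [PrincipalPermission] demands on derived Web methods can be evaluated.
        // Assumption: the session has been acquired by the time the instance is built.
        HttpContext ctx = HttpContext.Current;
        if (ctx != null && ctx.Session != null)
        {
            IPrincipal saved = ctx.Session[PrincipalKey] as IPrincipal;
            if (saved != null)
                Thread.CurrentPrincipal = saved;
        }
    }

    // Authenticates once; subsequent calls ride on the session cookie.
    [WebMethod(EnableSession = true)]
    public bool Login(string userName, string password)
    {
        if (!VerifyCredentials(userName, password))
        {
            Session.Remove(PrincipalKey);   // never leave a stale principal behind
            return false;
        }
        GenericIdentity identity = new GenericIdentity(userName, "LoginMethod");
        IPrincipal principal = new GenericPrincipal(identity, new string[] { "User" });
        Session[PrincipalKey] = principal;
        Thread.CurrentPrincipal = principal;
        return true;
    }

    [WebMethod(EnableSession = true)]
    public void Logout()
    {
        Session.Remove(PrincipalKey);
        Session.Abandon();
    }

    // Derived classes supply the credential check (hashed password store, directory, ...).
    protected abstract bool VerifyCredentials(string userName, string password);
}

// A concrete service: only the credential check and the business methods remain.
public class OrderService : SecureWebService
{
    protected override bool VerifyCredentials(string userName, string password)
    {
        // Constructed placeholder for illustration only; a real implementation
        // compares against a salted password hash and never stores plain text.
        return userName == "demo" && password == "demo-password";
    }

    // Declarative security: the demand fails with a SOAP fault unless Login succeeded
    // earlier in this session, so the method body never runs for anonymous callers.
    [WebMethod(EnableSession = true)]
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public string PlaceOrder(string item)
    {
        return "Order for " + item + " accepted for " + Thread.CurrentPrincipal.Identity.Name;
    }
}
```

Because the password travels in the Login call's SOAP body, this mechanism is in the "password sent in clear text" column of Table 1 and must be deployed behind HTTPS; the session cookie that carries authentication on later calls needs the same protection, since anyone who captures it inherits the logged-in principal until Logout or session expiry.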

No doubt, support for Web services security will become much more powerful and integrated in future versions of .NET, especially once the standards are finalized and adopted. However, you should not wait for that day to come. Armed with the techniques shown in this article, you can deploy and consume secure .NET Web services now.



Juval Löwy is a software architect and the principal of IDesign, a consulting and training company focused on .NET design and .NET migration. His latest book is Programming .NET Components (O'Reilly, 2003). Juval is Microsoft's Regional Director for the Silicon Valley, helping the industry adopt .NET. Juval is a frequent speaker at the major international software development conferences. Contact him at www.idesign.net.