WSE 2.0: Get Your .NET Web Services Security Up to Spec : Page 5

Microsoft's Web Services Enhancements for .NET (WSE) 2.0 toolkit improves existing specifications such as WS-Security. This article examines its WS-Security improvements and shows how you can upgrade your Web services to WSE 2.0.


Encrypting SOAP Messages
When you sign a SOAP message, you can ensure that no one alters it. But a smart snoop can still see the content of the message. To prevent this, you can encrypt your SOAP message so that no one can read its contents.

The WSE provides the functionality to encrypt both the request to the Web service and the response back to the client. When you use an X.509 certificate, the sender encrypts the message with the public key of the receiver's X.509 certificate. The receiver then uses the private key of that X.509 certificate to decrypt the message.

To encrypt a SOAP message, the WSE provides the class EncryptedData. The following listing shows how you can use this class to encrypt a Web service call:



    public void EncryptedWebServiceCall()
    {
        PDCRegistration proxy = new PDCRegistration();
        SoapContext requestContext = proxy.RequestSoapContext;

        // X.509 token whose public key is used for encryption
        X509SecurityToken token = GetEncryptionToken();
        if (token == null)
            throw new Exception("X.509 certificate couldn't be found!");

        SignupRequest request = new SignupRequest();
        request.Name = "Klaus Aschenbrenner";
        request.Address = "Microsoft One Way";
        request.CreditCardNumber = "123";

        // Encrypt the SOAP body (the default target) with the X.509 token
        requestContext.Security.Elements.Add(new EncryptedData(token));

        SignupResponse response = proxy.SignupForPDC(request);
        Console.WriteLine(response.RegistrationNumber);
    }

    private X509SecurityToken GetEncryptionToken()
    {
        // See function GetSigningToken() of the last listing...
    }

When you encrypt a SOAP message, the content of the SOAP header changes: within the section <wsse:Security>, a new section called <xenc:EncryptedKey> is created. This section contains all the information needed to encrypt the SOAP message. Furthermore, you again can find a reference list (<xenc:ReferenceList>) that contains links to the elements of the SOAP message that are encrypted.

The default behavior is that the body of the SOAP message is encrypted. As you have seen previously, the password of the UsernameToken must be sent in plain text when you want to authorize the user of a request against a Windows group. With encryption, you can now encrypt a UsernameToken with an X.509 certificate. The following listing shows how you can encrypt a UsernameToken that contains the password in plain text:

    public void EncryptUsernameToken()
    {
        PDCRegistration proxy = new PDCRegistration();
        SoapContext requestContext = proxy.RequestSoapContext;

        // X.509 token whose public key is used for encryption
        X509SecurityToken token = GetEncryptionToken();
        if (token == null)
            throw new Exception("X.509 certificate couldn't be found!");

        SignupRequest request = new SignupRequest();
        request.Name = "Klaus Aschenbrenner";
        request.Address = "Microsoft One Way";
        request.CreditCardNumber = "123";

        // The password travels in plain text inside the token, so the token must be encrypted
        UsernameToken userToken = new UsernameToken(
            "John Doe", "password", PasswordOption.SendPlainText);
        requestContext.Security.Tokens.Add(userToken);

        requestContext.Security.Elements.Add(new EncryptedData(userToken));

        // Encrypt the UsernameToken element, referenced by its Id, with the X.509 token
        requestContext.Security.Elements.Add(
            new EncryptedData(token, "#" + userToken.Id));

        SignupResponse response = proxy.SignupForPDC(request);
        Console.WriteLine(response.RegistrationNumber);
    }

    private X509SecurityToken GetEncryptionToken()
    {
        // See function GetSigningToken() of the last listing...
    }
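The header changes and the UsernameToken encryption described above can be verified on a captured message. The following check is an added example, not code from the original article or from the WSE toolkit: it uses the standard System.Xml classes of a current .NET runtime to confirm that the body is covered by the <xenc:EncryptedKey> reference list and that no UsernameToken password is left readable. The class name, the sample envelope and its Id values are constructed for illustration, and the messages are assumed to use the OASIS WS-Security 1.0 and W3C XML Encryption namespaces.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml;

static class EncryptedSoapAudit   // hypothetical helper, not part of WSE
{
    const string Soap = "http://schemas.xmlsoap.org/soap/envelope/";
    const string Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    const string Xenc = "http://www.w3.org/2001/04/xmlenc#";
    // Returns findings; an empty list means the body and any UsernameToken are encrypted.
    static List<string> Audit(string envelopeXml)
    {
        var doc = new XmlDocument();
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit }; // reject DTDs
        using (var reader = XmlReader.Create(new StringReader(envelopeXml), settings)) doc.Load(reader);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("s", Soap); ns.AddNamespace("wsse", Wsse); ns.AddNamespace("xenc", Xenc);
        var findings = new List<string>();
        // Ids of every xenc:EncryptedData element actually present in the message.
        var encrypted = new HashSet<string>();
        foreach (XmlElement e in doc.SelectNodes("//xenc:EncryptedData", ns)) encrypted.Add(e.GetAttribute("Id"));
        // Ids that the EncryptedKey's reference list claims are encrypted.
        var referenced = new HashSet<string>();
        foreach (XmlElement r in doc.SelectNodes("//wsse:Security/xenc:EncryptedKey/xenc:ReferenceList/xenc:DataReference", ns))
            referenced.Add(r.GetAttribute("URI").TrimStart('#'));
        if (referenced.Count == 0) findings.Add("wsse:Security has no xenc:EncryptedKey reference list");
        foreach (string id in referenced)
            if (!encrypted.Contains(id)) findings.Add("reference #" + id + " has no matching xenc:EncryptedData");
        // The body must hold only ciphertext that the reference list accounts for.
        foreach (XmlElement child in doc.SelectNodes("/s:Envelope/s:Body/*", ns))
            if (child.NamespaceURI != Xenc || child.LocalName != "EncryptedData" || !referenced.Contains(child.GetAttribute("Id")))
                findings.Add("body child <" + child.Name + "> is not referenced ciphertext");
        // A readable wsse:Password means the UsernameToken left the sender unencrypted.
        if (doc.SelectSingleNode("//wsse:UsernameToken/wsse:Password", ns) != null)
            findings.Add("UsernameToken password is readable in the header");
        return findings;
    }
    static void Main()
    {
        // Constructed sample: body encrypted, UsernameToken still in clear text.
        string sample = "<s:Envelope xmlns:s='" + Soap + "' xmlns:wsse='" + Wsse + "' xmlns:xenc='" + Xenc + "'>"
            + "<s:Header><wsse:Security><wsse:UsernameToken><wsse:Username>John Doe</wsse:Username>"
            + "<wsse:Password>password</wsse:Password></wsse:UsernameToken><xenc:EncryptedKey><xenc:ReferenceList>"
            + "<xenc:DataReference URI='#enc-body-1'/></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></s:Header>"
            + "<s:Body><xenc:EncryptedData Id='enc-body-1'><xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue>"
            + "</xenc:CipherData></xenc:EncryptedData></s:Body></s:Envelope>";
        foreach (string f in Audit(sample)) Console.WriteLine("FINDING: " + f);
    }
}
```

Run against a message produced by the first listing plus an unencrypted UsernameToken, the check reports the readable password; a message produced by the second listing should yield no findings.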

The Future Is Blue: Indigo
Microsoft took the experience it gained from WS Enhancements and applied it to the next version of the .NET Enterprise Services (codenamed Indigo). Indigo was first presented at the PDC 2003 in Los Angeles. Indigo will be an integrative, extensible framework for distributed applications based on the .NET Framework and Web services. Indigo is based on the WS-* specifications and it also can work together with other platforms like Java. The following list shows the design goals of Indigo:

  • Indigo should help ISVs implement and deploy Web services very easily.
  • Indigo provides a declarative programming model for implementing powerful Web services. For example, you need only one attribute to make a Web service call reliable!
  • Indigo provides an implementation of the WS-* specifications.
  • Indigo will combine the best features of .NET remoting, MSMQ, and of the .NET Enterprise Services.
  • Any code developed today can be used in Indigo without any big changes.

Indigo will be released between the releases of Visual Studio Whidbey and Windows Longhorn and will be available on Windows 2000, Windows XP, and Windows 2003 Server as an additional download.

This article has examined the new security features in WS-Enhancements. In the current implementation, the WSE provides a lot of functions to ensure a secure message exchange between the sender and the receiver. Since WSE is a playground for the upcoming Indigo, you'll find it very useful to play around with the WSE, gain experience, and then apply this experience when Indigo is released. Stay tuned...



Klaus Aschenbrenner is a consultant, software architect, and coach for TechTalk in Vienna, Austria. He helps software architects and developers design and implement enterprise solutions based on the .NET Framework and Web services.