Web Services Security with Visual Studio 2005, Muhammad Saqib Ilyas, muhammad.saqib@ineta.org

Post on 18-Jan-2016


Web Services Security with Visual Studio 2005

Muhammad Saqib Ilyas

muhammad.saqib@ineta.org

Speaker.Bio.ToString()

• Assistant Professor, N.E.D. University

• Country Leader, INETA Pakistan

• MVP

• IEEE Student Branch Counselor

• Secretary/Treasurer IEEE Communications Society, Karachi Chapter

• Member IEEE Karachi Section Executive Committee

Agenda

• Indigo programming model

• Sample code

• Indigo security model

• Sample code

Indigo

• What is Indigo?

• Next generation distributed application development tools

Model

[Diagram labels: Service, EP1, EP2, Metadata, Network, Consumer, EP]

Indigo components

• Network

• Service

• Consumer

• Endpoint (the only way to get to a service)

• No need to share

• Metadata defines endpoints

ABC of Indigo

• Address – How do you get to the endpoint (transport dependent)

• Binding – controls transport, encoding and protocols (can evolve)

• Contract – specification of operations and messages

Obtaining Indigo

• Download and install “Avalon and Indigo Beta 1 RC”

• Install Visual Studio 2005 Beta 2

• Install WinFX SDK

• Add reference to System.ServiceModel.dll

• using System.ServiceModel

Indigo programming model

• Services can be:
  – Self hosted
  – Hosted in IIS
  – WAS

• Use [ServiceContract] attribute with contract definition

• Use [OperationContract] attribute with contract implementation

Indigo programming model

• BasicProfileBinding – Legacy XML Web Services

• ServiceHost<>

• AddEndPoint()

• Open()

• Iterate ServiceEndPoints

• ChannelFactory<>

• CreateChannel()

• Close() on ChannelFactory and ServiceHost

Indigo security

• Indigo security:
  – Secures message exchange between entities
  – Secures access to resources by entities
  – Records requests to resources by entities

Entity, Resources

• Entity: a piece of software, a person, etc.

• Resource: something to do something with

• Credentials are used to achieve the goals

Credential

• Claims
  – Information about an entity
  – Used for controlling access to resources

• Issuer
  – Certifies claims about an entity in the credentials

• Proof of possession
  – How an entity proves that it provided the claims
  – Used to secure message exchange

Indigo goals

• Integrity
  – Signing messages
  – May use sender credentials

• Confidentiality
  – Encryption
  – Uses recipient credentials

Secure by default

• Standard bindings are secure
  – Except for BasicProfileBinding

• Security mode:
  – Transport: underlying transport is secure
  – Message: WS-Security protocols

• Protection level
  – None
  – Sign (integrity)
  – Sign and encrypt (integrity + confidentiality)

Resource access security

• Gates enforce security permissions

• Multiple supported security gates
  – Host (file or URL level)
  – Operation contract (message level)
  – Application resources

Recording access

• Windows XP: application log

• Windows 2003: security log

• Not yet!

Code

• using System.ServiceModel;

• using System.Security.Permissions;

• using System.Security.Principal;

• using System.Net.Security;

• using System.Security.Cryptography.X509Certificates;
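
The contract attributes, security mode, protection level and operation-level gate from the slides, combined in one self-hosted service. This is an added example, not code from the talk: it uses the released WCF names (BasicHttpBinding, WSHttpBinding, non-generic ServiceHost) rather than the Beta 1 names on the slides, and the contract, role and address are hypothetical.

```csharp
using System;
using System.Net.Security;
using System.Security.Permissions;
using System.ServiceModel;

// Contract-wide protection level: every message must be signed and encrypted.
[ServiceContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
public interface IAccountService   // hypothetical contract
{
    [OperationContract]
    decimal GetBalance(string accountId);
}

public class AccountService : IAccountService
{
    // Operation-level gate: the caller's Windows identity must hold this role.
    [PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Administrators")]
    public decimal GetBalance(string accountId)
    {
        // Identity established from the credentials the caller presented.
        Console.WriteLine("GetBalance called by {0}",
            ServiceSecurityContext.Current.PrimaryIdentity.Name);
        return 0m; // constructed value
    }
}

public static class Program
{
    public static void Main()
    {
        // Weak setting: the basic (legacy XML Web Services) binding defaults to no security.
        BasicHttpBinding legacy = new BasicHttpBinding();
        Console.WriteLine("Basic binding security mode: {0}", legacy.Security.Mode);

        // Message mode: WS-Security protects the SOAP message itself, end to end.
        WSHttpBinding binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        ServiceHost host = new ServiceHost(typeof(AccountService),
            new Uri("http://localhost:8080/accounts"));   // hypothetical address
        host.AddServiceEndpoint(typeof(IAccountService), binding, "");
        host.Open();
        Console.WriteLine("Listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

Exposing this contract over the unsecured `legacy` binding instead makes `host.Open()` throw, because the binding cannot provide the protection level the contract demands.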

Links

• http://msdn.microsoft.com/webservices

• http://msaqib.blogspot.com

• http://www.saqibilyas.info

• MSDN Avalon
