
Post on 18-Jan-2016


Page 1: Web Services Security with Visual Studio 2005 Muhammad Saqib Ilyas muhammad.saqib@ineta.org

Web Services Security with Visual Studio 2005

Muhammad Saqib Ilyas

muhammad.saqib@ineta.org

Page 2:

Speaker.Bio.ToString()

• Assistant Professor, N.E.D. University

• Country Leader, INETA Pakistan

• MVP

• IEEE Student Branch Counselor

• Secretary/Treasurer IEEE Communications Society, Karachi Chapter

• Member IEEE Karachi Section Executive Committee

Page 3:

Agenda

• Indigo programming model

• Sample code

• Indigo security model

• Sample code

Page 4:

Indigo

• What is Indigo?

• Next generation distributed application development tools

Page 5:

Model

[Diagram: a Service with endpoints EP1 and EP2 and Metadata, a Network, and a Consumer with an endpoint (EP)]

Page 6:

Indigo components

• Network

• Service

• Consumer

• Endpoint (the only way to get to a service)

• No need to share

• Metadata defines endpoints

Page 7:

ABC of Indigo

• Address – How do you get to the endpoint (transport dependent)

• Binding – controls transport, encoding and protocols (can evolve)

• Contract – specification of operations and messages

Page 8:

Obtaining Indigo

• Download and install “Avalon and Indigo Beta 1 RC”

• Install Visual Studio 2005 Beta 2

• Install WinFX SDK

• Add reference to System.ServiceModel.dll

• using System.ServiceModel

Page 9:

Indigo programming model

• Services can be:
  – Self hosted
  – Hosted in IIS
  – WAS

• Use [ServiceContract] attribute with contract definition

• Use [OperationContract] attribute with contract implementation

Page 10:

Indigo programming model

• BasicProfileBinding – Legacy XML Web Services

• ServiceHost<>

• AddEndPoint()

• Open()

• Iterate ServiceEndPoints

• ChannelFactory<>

• CreateChannel()

• Close() on ChannelFactory and ServiceHost

Page 11:

Indigo security

• Indigo security:
  – Secures message exchange between entities
  – Secures access to resources by entities
  – Records requests to resources by entities

Page 12:

Entity, Resources

• Entity: a piece of software, a person, etc.

• Resource: something to do something with

• Credentials are used to achieve the goals

Page 13:

Credential

• Claims
  – Information about an entity
  – Used for controlling access to resources

• Issuer
  – Certifies claims about an entity in the credentials

• Proof of possession
  – How an entity proves that it provided the claims
  – Used to secure message exchange

Page 14:

Indigo goals

• Integrity
  – Signing messages
  – May use sender credentials

• Confidentiality
  – Encryption
  – Uses recipient credentials

Page 15:

Secure by default

• Standard bindings are secure
  – Except for BasicProfileBinding

• Security mode:
  – Transport: underlying transport is secure
  – Message: WS-Security protocols

• Protection level
  – None
  – Sign (integrity)
  – Sign and encrypt (integrity + confidentiality)

Page 16:

Resource access security

• Gates enforce security permissions

• Multiple supported security gates
  – Host (file or URL level)
  – Operation contract (message level)
  – Application resources

Page 17:

Recording access

• Windows XP: application log

• Windows 2003: security log

• Not yet!

Page 18:

Code

• using System.ServiceModel;

• using System.Security.Permissions;

• using System.Security.Principal;

• using System.Net.Security;

• using System.Security.Cryptography.X509Certificates;
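An added example (not the speaker's demo code) tying the slides together: a self-hosted service using message security mode, the three protection levels, an operation-level permission gate, and the host/channel lifecycle. It is written against the released WCF API (System.ServiceModel in .NET Framework 3.0 and later), whose type and method names differ from the Beta 1 names on the slides; `ICalculator`, `Calculator`, the address and the role name are hypothetical.

```csharp
using System;
using System.Net.Security;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;

// Contract: every message is signed and encrypted unless an operation says otherwise.
[ServiceContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
public interface ICalculator   // hypothetical contract
{
    [OperationContract]
    int Add(int a, int b);

    // Integrity only: the message is signed but not encrypted.
    [OperationContract(ProtectionLevel = ProtectionLevel.Sign)]
    string Version();
}

public class Calculator : ICalculator
{
    // Operation-level gate: the caller's Windows identity must be in this group (example role).
    [PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Users")]
    public int Add(int a, int b) { return a + b; }
    public string Version() { return "1.0"; }
}

public static class Program
{
    public static void Main()
    {
        // Message mode: WS-Security protects the SOAP message itself, not the transport.
        WSHttpBinding binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        // Assumed address; HTTP self-hosting needs a URL reservation or an elevated process.
        Uri address = new Uri("http://localhost:8000/calc");

        ServiceHost host = new ServiceHost(typeof(Calculator));
        host.AddServiceEndpoint(typeof(ICalculator), binding, address);
        host.Open();
        foreach (ServiceEndpoint ep in host.Description.Endpoints)
            Console.WriteLine("{0} via {1}", ep.Address.Uri, ep.Binding.Name);

        var factory = new ChannelFactory<ICalculator>(binding, new EndpointAddress(address));
        ICalculator proxy = factory.CreateChannel();
        Console.WriteLine("2 + 3 = {0}", proxy.Add(2, 3));   // caller is the current Windows user
        factory.Close();
        host.Close();
    }
}
```

A caller whose identity is not in the demanded role gets a security fault on `Add`, while `Version` stays reachable to any authenticated caller.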

Page 19:

Links

• http://msdn.microsoft.com/webservices

• http://msaqib.blogspot.com

• http://www.saqibilyas.info

• MSDN Avalon