TRANSCRIPT
WEB401
Security Practices for Web Services (Part 2)
Keith Ballinger, Program Manager, XML Messaging, Microsoft Corporation
Agenda
Trusting clients and services: enabling a manageable B2B infrastructure
Creating a security context: faster security performance
Authoring security policy: removing the need for writing a lot of security code
Trust
Relationships and identity: How do I prove who I am?
Who can vouch for me?
How do you know you can trust him?
These questions are answered with signed security tokens
WS-Trust defines a protocol for issuing and obtaining security tokens
Trust
Several models for issuing tokens
Client obtains token
Service obtains token for client
Etc…
[Diagrams: three token-issuing topologies. (1) Client obtains a token from the Token Issuer and presents it to the Service. (2) Client talks to the Service, which obtains tokens on the client's behalf from Token Issuer 1 and Token Issuer 2. (3) Client, Token Issuer and Service in a chained arrangement.]
Trust
Requesting a security token (RST):
<RequestSecurityToken>
  <TokenType>...</TokenType>
</RequestSecurityToken>
Issuing a security token (RSTR):
<RequestSecurityTokenResponse>
  <TokenType />
  <wsp:AppliesTo />
  <RequestedSecurityToken />
  <RequestedProofToken />
</RequestSecurityTokenResponse>
Trust
RST is usually signed with a token the token issuer trusts
RSTR issues the new token; a proof-of-possession token can also be returned
This proof token includes a key that the requestor uses to prove he is allowed to use the issued token
Demo: Issuing a custom XML-based security token
Secure conversation
Token issuing can also occur between two parties
[Diagram: Client exchanging messages with a Service that is also the Token Issuer]
Typically, this is done to create higher performance security processing
WS-SecureConversation is an example
Secure conversation
WS-SecureConversation details how to issue a SecurityContextToken
In WSE, this lightweight token takes the place of a more processing intensive token
[Diagram: Client and a Service that is also the Token Issuer. Sequence: Request for SCT; SCT issued to client; series of messages signed with the issued SCT]
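The two issuing patterns on the preceding slides, the third-party issuer answering an RST with a token plus a proof-of-possession key, and the service issuing its own lightweight SecurityContextToken so that later messages need only a cheap check, as an added example that is not code from the deck or from WSE. HMAC-SHA256 over canonical JSON stands in for XML Signature over the real WS-Trust XML, the issuer's HMAC key stands in for its signing certificate, and proof keys are computed from a secret the issuer shares with the service (the names alice, urn:orders and urn:example:CustomToken are constructed):

```python
"""Toy model of WS-Trust issuance (RST/RSTR with proof-of-possession key) and a
WS-SecureConversation session (service issues an SCT, later messages are signed with it).
Added example, not from the deck or WSE: HMAC-SHA256 over canonical JSON replaces XML
Signature, the issuer's HMAC key replaces its certificate, proof keys are computed from a
secret shared between issuer and service, and every name and key here is constructed."""
import base64, hashlib, hmac, json, secrets, time

def _canon(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _sign(key: bytes, obj) -> str:
    return base64.b64encode(hmac.new(key, _canon(obj), hashlib.sha256).digest()).decode()

def _verify(key: bytes, obj, sig: str) -> bool:
    return hmac.compare_digest(_sign(key, obj), sig)

def _proof_key(shared: bytes, token_id: str) -> bytes:
    # key bound to one issued token; issuer and service can both derive it
    return hmac.new(shared, token_id.encode(), hashlib.sha256).digest()

class TokenIssuer:
    def __init__(self, trusted, service_keys):
        self.trusted = trusted            # requester name -> key allowed to sign its RSTs
        self.service_keys = service_keys  # AppliesTo -> secret shared with that service
        self.issuing_key = secrets.token_bytes(32)

    def issue(self, rst, rst_sig):
        """RST -> RSTR. The RST must be signed with a token the issuer trusts."""
        if not _verify(self.trusted.get(rst["requester"], b""), rst, rst_sig):
            raise PermissionError("RST is not signed with a trusted token")
        token = {"TokenType": rst["TokenType"], "AppliesTo": rst["AppliesTo"],
                 "Id": "tok-" + secrets.token_hex(8), "subject": rst["requester"],
                 "expires": int(time.time()) + 300}
        return {"RequestedSecurityToken": token,
                "signature": _sign(self.issuing_key, token),
                "RequestedProofToken": _proof_key(self.service_keys[rst["AppliesTo"]], token["Id"])}

class Service:
    def __init__(self, name, issuer, shared_with_issuer):
        self.name, self.issuer, self.shared = name, issuer, shared_with_issuer
        self.contexts = {}   # SCT identifier -> session key

    def verify_with_issued_token(self, rstr, body, body_sig):
        """Full check: scope, expiry, issuer signature, then proof of possession."""
        token = rstr["RequestedSecurityToken"]
        if token["AppliesTo"] != self.name or token["expires"] < time.time():
            return False
        if not _verify(self.issuer.issuing_key, token, rstr["signature"]):
            return False                  # in WSE this is a certificate check on the issuer
        return _verify(_proof_key(self.shared, token["Id"]), body, body_sig)

    def issue_sct(self, rstr, body, body_sig):
        """Service as issuer: one full check, then a lightweight SecurityContextToken."""
        if not self.verify_with_issued_token(rstr, body, body_sig):
            raise PermissionError("bootstrap token rejected")
        sct_id, session_key = "uuid:" + secrets.token_hex(8), secrets.token_bytes(32)
        self.contexts[sct_id] = session_key
        return {"Identifier": sct_id}, session_key   # the SCT and its proof key

    def verify_with_sct(self, sct_id, body, body_sig):
        """Fast path: context lookup plus one HMAC, no token chain to validate."""
        key = self.contexts.get(sct_id)
        return key is not None and _verify(key, body, body_sig)

def run_exchange():
    client_key = secrets.token_bytes(32)   # the client's own token (e.g. its X.509 key)
    svc_key = secrets.token_bytes(32)      # secret shared between issuer and service
    issuer = TokenIssuer(trusted={"alice": client_key}, service_keys={"urn:orders": svc_key})
    service = Service("urn:orders", issuer, svc_key)

    # 1. RST signed with a token the issuer trusts; RSTR carries the token and proof key
    rst = {"requester": "alice", "TokenType": "urn:example:CustomToken", "AppliesTo": "urn:orders"}
    rstr = issuer.issue(rst, _sign(client_key, rst))
    proof = rstr["RequestedProofToken"]

    # 2. A message signed with the proof key passes the full token check
    order = {"item": "widget", "qty": 3}
    slow_ok = service.verify_with_issued_token(rstr, order, _sign(proof, order))

    # 3. WS-SecureConversation: obtain an SCT, then sign a series of messages with it
    sct, session_key = service.issue_sct(rstr, order, _sign(proof, order))
    fast_ok = all(service.verify_with_sct(sct["Identifier"], m, _sign(session_key, m))
                  for m in ({"seq": i} for i in range(3)))
    tampered = service.verify_with_sct(sct["Identifier"], {"seq": 1, "qty": 999},
                                       _sign(session_key, {"seq": 1}))
    unknown = service.verify_with_sct("uuid:not-issued", order, _sign(session_key, order))
    return {"slow_ok": slow_ok, "fast_ok": fast_ok, "tampered": tampered, "unknown": unknown}

if __name__ == "__main__":
    print(run_exchange())
```

The point of the SCT path is visible in `verify_with_sct`: once the context exists, the service no longer touches the issuer's signature or the token's scope and expiry, which is the performance gain the slide attributes to WS-SecureConversation. A real deployment would also expire and cancel contexts; the toy keeps them forever.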
Demo: Building a Secure Conversation with WSE
Policy
Beyond what WSDL provides, what else is needed to describe a Web service?
Security requirements
Reliable messaging assurances
Protocol versioning
Etc…
These other attributes of a service can be described with WS-Policy
XML-based language
Complex: <Or>, <ExactlyOne>, etc…
Policy
<wsp:Policy wsu:Id="message-age">
  <wsse:MessageAge wsp:Usage="wsp:Required" Age="5" />
</wsp:Policy>
Security policy
WS-SecurityPolicy specifies the assertions for expressing requirements related to WS-Security
<Integrity>
<Confidentiality>
<SecurityToken> (can be embedded inside the other two)
Security Policy
<wsp:Policy wsu:Id="signed-body-x509">
  <wsse:Integrity wsp:Usage="wsp:Required">
    <TokenInfo>
      <SecurityToken>
        <TokenType>X509v3</TokenType>
      </SecurityToken>
    </TokenInfo>
    <MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
      wsp:Body()
    </MessageParts>
  </wsse:Integrity>
</wsp:Policy>
Role-based security
IPrincipal is the .NET interface for role-based authorization
bool IsInRole(String str)
SecurityToken.Principal: implementation of IPrincipal
Automatically set for UsernameToken and KerberosSecurityToken
Call the method explicitly, or use policy: <wse:Role value="role" />
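A small receiver-side evaluator for the three assertion kinds shown in the Policy, Security Policy and Role-based security slides (wsse:MessageAge, wsse:Integrity with its token type and signed parts, and wse:Role), applied to a constructed description of an inbound message. This is an added example, not code from the deck or from WSE's policy engine; the namespace URIs are urn:example placeholders, the Age attribute is assumed to be in seconds, and the Principal class stands in for .NET's IPrincipal:

```python
"""Evaluate WS-Policy / WS-SecurityPolicy style assertions against an inbound message.
Added example, not from the deck or WSE. Namespace URIs are constructed placeholders,
Age is assumed to be in seconds, and Principal stands in for .NET IPrincipal.IsInRole."""
import time
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

NS = {"wsp": "urn:example:wsp", "wsse": "urn:example:wsse",
      "wsu": "urn:example:wsu", "wse": "urn:example:wse"}

# Constructed policy document: the two policies from the slides plus one Role policy.
POLICIES = """<Policies xmlns:wsp="urn:example:wsp" xmlns:wsse="urn:example:wsse"
                        xmlns:wsu="urn:example:wsu" xmlns:wse="urn:example:wse">
  <wsp:Policy wsu:Id="message-age">
    <wsse:MessageAge wsp:Usage="wsp:Required" Age="5"/>
  </wsp:Policy>
  <wsp:Policy wsu:Id="signed-body-x509">
    <wsse:Integrity wsp:Usage="wsp:Required">
      <wsse:TokenInfo><wsse:SecurityToken><wsse:TokenType>X509v3</wsse:TokenType></wsse:SecurityToken></wsse:TokenInfo>
      <wsse:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wsse:MessageParts>
    </wsse:Integrity>
  </wsp:Policy>
  <wsp:Policy wsu:Id="approver-only">
    <wse:Role value="OrderApprover"/>
  </wsp:Policy>
</Policies>"""

class Principal:
    """Stand-in for IPrincipal; WSE sets SecurityToken.Principal for UsernameToken/Kerberos."""
    def __init__(self, name, roles):
        self.name, self.roles = name, set(roles)
    def is_in_role(self, role):          # IPrincipal.IsInRole
        return role in self.roles

@dataclass
class Message:
    """What the receiver knows about a message after WS-Security processing (constructed)."""
    created: float                                   # wsu:Created of the timestamp, epoch seconds
    signatures: list = field(default_factory=list)  # (token type, set of signed parts) per signature
    principal: Principal = None                      # None when no authenticating token was present

def _q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def evaluate(policy_id, msg, now=None, policy_xml=POLICIES):
    """Return the failed assertions of policy `policy_id`; an empty list means accepted."""
    now = time.time() if now is None else now
    root = ET.fromstring(policy_xml)
    policy = next(p for p in root.findall("wsp:Policy", NS) if p.get(_q("wsu", "Id")) == policy_id)
    failures = []
    for a in policy:
        if a.get(_q("wsp", "Usage"), "wsp:Required") != "wsp:Required":
            continue                                   # only Required assertions are enforced here
        local = a.tag.rsplit("}", 1)[1]
        if local == "MessageAge":                      # bounds how long a captured message stays valid
            age = now - msg.created
            if age > float(a.get("Age")):
                failures.append("MessageAge: message is %.0fs old, limit %ss" % (age, a.get("Age")))
        elif local == "Integrity":                     # the named parts must be signed with that token type
            want_type = a.findtext("wsse:TokenInfo/wsse:SecurityToken/wsse:TokenType", namespaces=NS)
            want_parts = set(a.findtext("wsse:MessageParts", namespaces=NS).split())
            if not any(t == want_type and want_parts <= signed for t, signed in msg.signatures):
                failures.append("Integrity: need %s covered by a %s signature" % (sorted(want_parts), want_type))
        elif local == "Role":                          # equivalent of calling IsInRole explicitly
            if msg.principal is None or not msg.principal.is_in_role(a.get("value")):
                failures.append("Role: caller is not in role %r" % a.get("value"))
        else:
            failures.append("unsupported assertion %s" % local)   # fail closed on unknown assertions
    return failures

def demo(now=1_000_000.0):
    good = Message(created=now - 2, signatures=[("X509v3", {"wsp:Body()"})],
                   principal=Principal("alice", ["OrderApprover"]))
    stale = Message(created=now - 60, signatures=[("X509v3", {"wsp:Body()"})])
    wrong = Message(created=now - 1, signatures=[("UsernameToken", {"wsp:Body()"})],
                    principal=Principal("bob", ["Reader"]))
    return {
        "good": [evaluate(p, good, now) for p in ("message-age", "signed-body-x509", "approver-only")],
        "stale": evaluate("message-age", stale, now),
        "wrong_token": evaluate("signed-body-x509", wrong, now),
        "no_role": evaluate("approver-only", wrong, now),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Unknown assertion types are reported as failures rather than ignored, so a policy that is extended with something the receiver does not understand cannot silently become weaker. The Integrity check also requires the signature to come from the named token type, not merely that a signature over wsp:Body() exists.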
Demo: Role-Based Authorization using Security Policy
Suggested Reading And Resources
The tools you need to put technology to work!
Title: Writing Secure Code, Second Edition (ISBN 0-7356-1722-8) | Available: Today
Microsoft Press books are 20% off at the TechEd Bookstore
Also buy any TWO Microsoft Press books and get a FREE T-Shirt
Community Resources
Community Resources: http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
Newsgroups: converse online with Microsoft Newsgroups, including worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups: meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx
Evaluations
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.