Contents Overview 1 Overview of Security 2 Built-In Authentication 11 Custom Authentication: SOAP Headers 21 Authorization: Role-Based Security 27 Authentication: Code Access Security 35 Encryption 43 Lab 7: Securing Web Services 51 Review 64 Module 7: Securing Web Services Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, places or events is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.  2001 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows NT, Active Directory, Authenticode, Biztalk, Intellisense, Jscript, MSDN, PowerPoint, Visual Basic, Visual C++, Visual C#, Visual Studio, Win32, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Module 7: Securing Web Services iii Instructor Notes This module teaches students how to use the security services of the Microsoft ® Windows ® operating system, Microsoft Internet Information Services (IIS), and the Microsoft .NET Framework and common language runtime to secure Web Services. After completing this module, students will be able to: ! Identify the differences between authentication and authorization. ! Explain how to use the security mechanisms provided by IIS and Windows for authentication. ! Use Simple Object Access Protocol (SOAP) headers for authentication in a Web Service. ! Use role-based security and code access security for authorization in a Web Service. ! Encrypt the communication between a Web Service consumer and a Web Service. Materials and Preparation This section provides the materials and preparation tasks that you need to teach this module. Required Materials To teach this module, you need the Microsoft PowerPoint ® file 2524A_07.ppt. Preparation Tasks To prepare for this module: ! Read all of the materials for this module. ! Practice all of the demonstrations. ! Review the walkthrough code files in the <install folder>\Democode\Mod07. ! Complete the lab. Presentation: 120 Minutes Lab: 60 Minutes iv Module 7: Securing Web Services Demonstration This section provides demonstration procedures that will not fit in the margin notes or are not appropriate for the student notes. Using Basic Authentication ! To view the HelloWorld Web Service 1. In Visual Studio .NET, open the file <install folder>\Democode\Mod07\HelloWorld\Hello.cs. 2. Point out that there is no authentication code in the Web Service. 3. Open <install folder>\Democode\Mod07\HelloWorld\Web.config. 4. Point out that the authentication mode is set to Windows. ! To view the HelloClient application 1. In Visual Studio .NET, open the file <install folder>\Democode\Mod07\HelloClient\HelloClient.cs. 2. Explain the code. 3. Run the application <install folder>Democode\Mod07\HelloClient\HelloClient.exe. ! To modify the security settings for the Web Service 1. Open the Internet Service Manager application from the Start menu. 2. Right-click the Helloworld virtual directory and select Properties. 3. In IIS configuration, set the Authentication Method to Basic authentication. Clear all other check boxes. ! To test the built in authentication 1. Run HelloClient.exe. 2. Enter the administrator password Course_2524. The text Hello World is displayed on the console. 3. Run HelloClient.exe again. 4. Enter an invalid administrator password. An error message is displayed on the console. Module 7: Securing Web Services v Module Strategy Use the following strategy to present this module: ! Overview of Security Ensure that students understand the difference between authentication and authorization. Also, explain why encryption might be necessary even with authenticated clients. Explain that the .NET Framework can assist with authorization and authentication. Explain the limitations of using Windows authentication and the IIS supported authentication mechanisms. ! Built-In Authentication Explain the authentication support built into the Windows operating system and IIS. Explain the scenarios where Windows authentication is appropriate and where it is inappropriate for Web Services. ! Custom Authentication: SOAP Headers Explain how SOAP headers can be used to send authentication information to a Web Service. Explain the mechanics of using SOAP headers. Be sure to explain how SOAP headers can be used to communicate information from a client to a Web Service or from Web Service to client. Also, point out that you can make a SOAP header optional or not required for a Web Service method. ! Authorization: Role-Based Security In this module you will explain how to implement a custom role-based authorization mechanism. You need to explain why Windows discretionary access control list (DACL) based authorization is often not appropriate in Web Service scenarios. Focus on how GenericPrincipal and GenericIdentity objects can be used to implement custom authorization mechanism and how this would be useful in the context of Web Services. ! Authorization: Code Access Security Explain why code access security is required and how it can be used in the context of Web Services. Ensure that you explain how permissions are verified at load time and run time. Emphasize how the deployment environment for a Web Service can affect the permissions granted to it. ! Encryption Explain why encryption of the communication between a Web Service and a consumer of the Web Service might be necessary. Briefly discuss Secure Socket Layer (SSL), describing the performance impact. Explain how to use SOAP extensions to encrypt various parts of a SOAP message. In this context, explain the changes that need to be made to the Web Service proxy. Emphasize that because the proxies are generated, any editing of the proxy class will be lost if the class is regenerated. Module 7: Securing Web Services 1 Overview ! Overview of Security ! Built-In Authentication ! Custom Authentication: SOAP Headers ! Authorization: Role-Based Security ! Authorization: Code Access Security ! Encryption ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** Just like any Web-based application, Web Services must be made secure from accidental or deliberate misuse. There are three aspects of security that we must address in the context of Web Service-authentication, authorization, and secure communication. To adequately secure a Web Service you must understand how the Microsoft ® Windows ® operating system and Microsoft Internet Information Services (IIS) can be used to authenticate Web Service consumers, how the Microsoft .NET Framework and common language runtime can assist in the task of authorization, and techniques for securing the messages exchanged between the Web Service and a consumer by encrypting all or part of the messages. After completing this module, you will be able to: ! Identify the differences between authentication and authorization. ! Explain how to use the security mechanisms provided by IIS and Windows for authentication. ! Use SOAP headers for authentication in a Web Service. ! Use role-based security and code access security for authorization in a Web Service. ! Encrypt the communication between a Web Service consumer and a Web Service. Topic Objective To provide an overview of the module topics and objectives. Lead-in Just like any Web-based application, Web Services must be made secure from accidental or deliberate misuse. 2 Module 7: Securing Web Services " "" " Overview of Security ! Authentication vs. Authorization ! Types of Authentication ! Types of Authorization ! Methods of Encryption ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** Before looking at how to implement authentication, authorization, and encryption in a Web Service, you must understand some of the concepts and terminology related to security. Also, you will look at some of the options that are available for providing authentication, authorization, and encryption in ASP.NET Web Service applications. Topic Objective To introduce the topics in this section. Lead-in Before looking at how to implement authentication, authorization, and encryption in a Web Service, you must understand some of the concepts and terminology related to security. Delivery Tip This section is intended to be an overview only. Do not get into an extended discussion of any of the topics at this point. Module 7: Securing Web Services 3 Authentication vs. Authorization ! Authentication # Process of finding and verifying the identity of a user # Performed against an authentication authority ! Authorization # Process of determining if a user’s request to perform some action is allowed to proceed # Occurs after authentication # Based on user’s identity ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** Before you can secure a Web Service, you must understand the differences between authentication and authorization. Authentication Authentication is the process of discovering and verifying the identity of a user by examining the user’s credentials and then validating those credentials against some authority. A variety of authentication mechanisms are used in applications today, and some of these mechanisms can also be used with the .NET Framework role-based security. Examples of commonly used mechanisms include the operating system authentication mechanisms, Microsoft Passport, and application-defined mechanisms. Specific examples of operating system authentication mechanisms are NTLM and Kerberos version 5 authentications. Authorization Authorization is the process of determining whether a user is allowed to perform a requested action. Authorization occurs after authentication and uses information about a user’s identity and roles to determine the resources that a user can access. You can use .NET Framework role-based security to implement authorization. Topic Objective To explain the differences between authentication and authorization. Lead-in Before you can secure a Web Service, you must understand the differences between authentication and authorization. 4 Module 7: Securing Web Services Types of Authentication ! IIS Authentication ! ASP.NET Authentication ! Custom SOAP Header Authentication ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** The first step in implementing security in any application is to authenticate users. Implementing a robust authentication mechanism is not easy, and if possible you should make use of the authentication services provided by the platform. In this case, the platform you are looking at consists of the Windows operating system, IIS, and the .NET Framework and common language runtime. IIS Authentication IIS offers the following three mechanisms for authentication: ! Basic authentication ! Digest authentication ! Integrated Windows authentication You will learn the details of these authentication mechanisms and how to use them to secure a Web Service later in this module. ASP.NET Authentication ASP.NET supports two new authentication mechanisms, which were not supported by ASP: ! Forms authentication ! Passport authentication Topic Objective To introduce the authentication mechanisms available for a Web Service. Lead-in The first step in implementing security in any application is to authenticate users. [...]... authentication types in the Web. config file for your Web Service, as shown in the following code: 24 Module 7: Securing Web Services Using a SOAP Header in a Web Service Consumer Topic Objective To explain how to populate a SOAP header in a Web Service consumer ! SOAP Headers in WSDL Lead-in ! Web Service Proxies... and Web server computers are in the same domain, and where administrators can ensure that all clients will be compliant 16 Module 7: Securing Web Services Using IIS Authentication on a Web Server Topic Objective To explain how to use IIS authentication on a Web server that hosts a Web Service Lead-in To use IIS authentication to secure an ASP.NET Web Service, you must configure IIS as well as the Web. .. headers are a convenient way to accomplish this task A Web Service consumer can add user credentials to the SOAP header The Web Service can then retrieve this information to perform custom authentication 5 6 Module 7: Securing Web Services Types of Authorization Topic Objective To introduce the authorization mechanisms that can be used in ASP.NET Web Services ! ! Code Access Security ! The ASP.NET environment,... information in the SOAP header 22 Module 7: Securing Web Services Using a SOAP Header in a Web Service Topic Objective To explain how to define and use SOAP headers in a Web Service Derive a class from SoapHeader Lead-in Add a Public Field of the SoapHeader-derived type Let us look at how you can define a SOAP header for a Web Service and use that header in the Web Service method Apply the SoapHeader... Distribution Center (KDC) and be Directory Services compatible For more information about the Kerberos protocol, see the Windows 2000 documentation Module 7: Securing Web Services 15 Limitations Although integrated Windows authentication is secure, it has its limitations too ! Not all Web Service clients support integrated Windows authentication However, Web Service consumers using SoapHttpClientProtocol-derived... security credentials for Web Service client authentication To use the Credentials property, a Web Service client must create an instance of a class implementing the ICredentials interface, such as the NetworkCredential class Then the client must set credentials that are specific to the authentication mechanism before making a call to a Web Service method 18 Module 7: Securing Web Services Delivery Tip... = credentials; try { //Invoke the web service method string s = service.HelloWorld(); Console.Write(s); } catch (System.Net.WebException exception) { Console.Write("HelloService HelloWorld() ! failed: {0}",exception.Message); } } } } Module 7: Securing Web Services 19 The functionality of the preceding code can be described as follows: ! In line 12, an instance of a Web Service proxy class is created... the Web Service proxy ! In lines 21 through 26, the call to a Web Service method is enclosed in a try block, so that if authentication fails, the System.Net.WebException exception can be caught ! In line 29, the following message is written to the console, if the authentication fails: HelloService HelloWorld() failed: The request failed with HTTP status 401: Access Denied 20 Module 7: Securing Web Services. .. configure IIS and set the correct authentication mode in the Web. config file of an ASP.NET Web Service For a Web Service to authenticate its client, the client must programmatically provide the required user name and password credentials In this section, you will examine Basic, Digest, and Integrated Windows authentication 12 Module 7: Securing Web Services Basic and Digest Authentication Topic Objective... Authentication in IIS When securing a Web Service, you can use any of the built-in IIS authentication mechanisms The following illustration shows the dialog box in the Internet Service Manager from where you can select the authentication mechanism that you want to use: Module 7: Securing Web Services 17 If you select Basic authentication, you must ensure that the accounts that can access a Web Service are granted . Encryption 43 Lab 7: Securing Web Services 51 Review 64 Module 7: Securing Web Services Information in this document, including URL and other Internet Web site. their respective owners. Module 7: Securing Web Services iii Instructor Notes This module teaches students how to use the security services of the Microsoft