Building Secure XML Web Service series (i)

Source: Internet
Author: User
Tags: header, soap, xmlns, visual studio, web, xml, security

When XML Web services were first announced, some said they were no good, while others said they would usher the Internet into a new era. More than five years on, XML Web services have not lived up to the original publicity; apart from a few areas where they have been tried out, they are still not widely used. The reasons are many: vendors each insist on their own service standards and cannot agree on a unified one, organizations are unwilling to change systems that already run stably, and there are problems with Web services themselves, of which the two most obvious are security and performance. My graduation project was on the development and application of high-performance Web services, so in the next few articles I would like to go through several solutions to the security of XML Web services. Criticism from the experts is welcome.

I analyze the security problem of Web services mainly at the following two levels:

  1 Ensure that the caller's identity is legitimate, i.e. guarantee that requests come from a legitimate source.

  2 Ensure that messages are not illegally intercepted or tampered with in transit.

Of course there will be other security risks; I hope readers will offer plenty of suggestions so that I can summarize further.

To follow the techniques in this article you need to understand how XML Web services work and to have developed, deployed or consumed an XML Web service yourself, while not being convinced that the service you deployed is secure.

This section first describes one of the simplest ways to ensure that callers are legitimate: attach a user name and password to the header of the SOAP message and verify them on the server side. This solves the problem that a plain Web service cannot restrict its responses to particular callers. But because the credentials are still transmitted in clear text, it does not effectively prevent the information from being eavesdropped, tampered with or forged in transit.

If you have used this method before, skip this article; in the next article I will discuss other, more reasonable solutions, so please stay tuned.

Here are the steps to implement this solution, taken one at a time.

  First step: create a Web service project for the XML Web service, as follows

Open Visual Studio 2005, click Create Project on the Start page, select the ASP.NET Web Service Application under Visual C#, and enter a project name.

  Step Two: create an extended SoapHeader class, MySoapHeader, in this project, as follows

using System;
using System.Web.Services.Protocols;

namespace WebService1
{
    /// <summary>
    /// Custom SOAP header carrying the caller's credentials.
    /// </summary>
    public class MySoapHeader : SoapHeader
    {
        private string _username;
        private string _pwd;

        /// <summary>
        /// User name
        /// </summary>
        public string UserName
        {
            get { return _username; }
            set { _username = value; }
        }

        /// <summary>
        /// Password
        /// </summary>
        public string PWD
        {
            get { return _pwd; }
            set { _pwd = value; }
        }
    }
}

  Step Three: create the XML Web service and add a Web method that requires the SoapHeader

using System;
using System.ComponentModel;
using System.Web.Services;
using System.Web.Services.Protocols;

namespace WebService1
{
    /// <summary>
    /// Summary description of Service1
    /// </summary>
    [WebService(Namespace = "http://tempuri.org/")]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    [ToolboxItem(false)]
    public class Service1 : System.Web.Services.WebService
    {
        // The ASMX runtime fills this field from the <MySoapHeader> element of the
        // incoming request. Leave it uninitialized so it stays null when no header is sent;
        // initializing it with "new" would make the null check below unreachable.
        public MySoapHeader header;

        [WebMethod]
        [SoapHeader("header")]
        public string HelloWorld()
        {
            if (header == null)
            {
                return "You did not set the SoapHeader, so you cannot access this service normally!";
            }
            if (header.UserName != "Jillzhang" || header.PWD != "123456")
            {
                return "The authentication information you provided is incorrect; you cannot access this service properly!";
            }
            return "Hello World";
        }
    }
}

  Step Four: create a console application that invokes the XML Web service, as follows:

using System;

namespace ConsoleApplication1
{
    class Program
    {
        static void Main(string[] args)
        {
            // "localhost" is the name Visual Studio gives the Web Reference to Service1.
            localhost.Service1 ws = new localhost.Service1();

            // Leave these three lines commented out to send a request with no SoapHeader;
            // uncomment them to send the credentials in the header.
            //ws.MySoapHeaderValue = new localhost.MySoapHeader();
            //ws.MySoapHeaderValue.UserName = "Jillzhang";
            //ws.MySoapHeaderValue.PWD = "123456";

            Console.WriteLine(ws.HelloWorld());
        }
    }
}

  The following analysis should be the most important part for everyone. Many people do not know how SoapHeader works, or why such a strange way of writing produces this magical effect. Below I dump the SOAP messages for the different situations; observe them carefully and you will clearly grasp the working principle of SoapHeader.

First, let's look at the SOAP messages when no SoapHeader is set:

-----SOAP request on May 22, 2007 12:39:40
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body>

-----SOAP response on May 22, 2007 12:39:40
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body>

Now look at the SOAP request and response after the SoapHeader is set.

-----SOAP request on May 22, 2007 12:42:20
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Header><MySoapHeader xmlns="http://tempuri.org/"><UserName>Jillzhang</UserName><PWD>123456</PWD></MySoapHeader></soap:Header><soap:Body>

-----SOAP response on May 22, 2007 12:42:20
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body>

It is precisely through this <soap:Header> node that the credentials reach the server: the Web service parses the header out of the SoapMessage and acts on it. From the SoapMessage above we also see that the user name and password are transmitted in plain text. In that respect a SoapHeader is much like a cookie in the HTTP protocol, and we could borrow from the way cookies are used to extend the SoapHeader and make it more secure, but overall there is a limit to how much security can be gained by setting the SoapHeader directly. This solution is recommended for applications where security is not particularly important, because it is quick and easy to use.
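Two points above deserve a worked illustration: the literal string comparison in the Step Three web method, and the plain-text credentials visible in the dumps just shown. The following is an added example, not code from the original post, of how a defender would harden this same SoapHeader scheme while keeping the header shape unchanged: credentials are checked against a salted PBKDF2 hash held in a constructed in-memory store instead of string literals in the method, the comparison runs in fixed time, the header is refused unless the call arrived over HTTPS, and every failure is reported as a SOAP fault with a generic message. The namespace WebService1Hardened and the names SecureService1, UserRecord, Authenticate, FixedTimeEquals and BuildDemoUsers are my own; SoapHeader, SoapException, WsiProfiles, Rfc2898DeriveBytes and the Context property are the real .NET Framework 2.0 APIs.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Services;
using System.Web.Services.Protocols;

namespace WebService1Hardened
{
    // Same header shape as the article's MySoapHeader, so the request on the wire
    // still carries <MySoapHeader><UserName>..</UserName><PWD>..</PWD></MySoapHeader>.
    public class MySoapHeader : SoapHeader
    {
        public string UserName;
        public string PWD;
    }

    // Hypothetical hardened variant of the article's Service1 (added example).
    [WebService(Namespace = "http://tempuri.org/")]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    public class SecureService1 : WebService
    {
        // Filled by the ASMX runtime from the incoming <MySoapHeader>; null if absent.
        public MySoapHeader header;

        private const int Iterations = 10000;   // PBKDF2 work factor
        private const int HashBytes = 32;       // derived key length

        private struct UserRecord { public byte[] Salt; public byte[] Hash; }

        // Constructed stand-in for a real user store (database, membership provider);
        // the point is that the web method never compares against a literal password.
        private static readonly Dictionary<string, UserRecord> Users = BuildDemoUsers();

        private static Dictionary<string, UserRecord> BuildDemoUsers()
        {
            Dictionary<string, UserRecord> users =
                new Dictionary<string, UserRecord>(StringComparer.Ordinal);
            byte[] salt = new byte[16];
            new RNGCryptoServiceProvider().GetBytes(salt);   // per-user random salt
            UserRecord rec = new UserRecord();
            rec.Salt = salt;
            rec.Hash = Derive("123456", salt);               // demo password from the article
            users["Jillzhang"] = rec;
            return users;
        }

        // PBKDF2-HMAC-SHA1 via Rfc2898DeriveBytes (available since .NET 2.0).
        private static byte[] Derive(string password, byte[] salt)
        {
            Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
            return kdf.GetBytes(HashBytes);
        }

        // Compare every byte regardless of where the first mismatch is, so response
        // time does not leak how much of the hash matched.
        private static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a == null || b == null || a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }

        // True only when the header names a known user and the password verifies.
        // Kept separate from the web method so it can be unit-tested without IIS.
        public static bool Authenticate(MySoapHeader h)
        {
            if (h == null || string.IsNullOrEmpty(h.UserName) || h.PWD == null) return false;
            UserRecord rec;
            if (!Users.TryGetValue(h.UserName, out rec)) return false;
            return FixedTimeEquals(Derive(h.PWD, rec.Salt), rec.Hash);
        }

        [WebMethod]
        [SoapHeader("header", Direction = SoapHeaderDirection.In)]
        public string HelloWorld()
        {
            // The header travels in clear text inside the envelope (see the dumps above),
            // so refuse to accept it at all unless the transport is TLS.
            if (!Context.Request.IsSecureConnection)
                throw new SoapException("This service requires HTTPS.", SoapException.ClientFaultCode);

            // A SOAP fault, rather than a "Hello" string, tells the client and any
            // monitoring that the call was rejected; the message stays generic so it
            // does not reveal whether the user name or the password was wrong.
            if (!Authenticate(header))
                throw new SoapException("Authentication failed.", SoapException.ClientFaultCode);

            return "Hello World";
        }
    }
}
```

The client from Step Four needs no change other than pointing its Web Reference at an https:// URL; a request without the header, or with the wrong password, now comes back as a soap:Fault rather than a string the caller might mistake for success, which is also what a log monitor should alert on.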

In the next section I will explain how to capture the SoapMessage.
