XML Web Service Security

Source: Internet
Author: User
Tags http authentication
Source: Skynet

Is XML Web Service secure?

Since security involves many aspects (such as authentication and authorization, data privacy and integrity), and security is not mentioned in the SOAP specification, it is not hard to see why people assume the answer is no. However, do not underestimate Microsoft XML Web Services. Today, there are many measures you can take to create a secure XML Web Service.

To solve the security problem of XML Web Service, we need to consider the following issues:

What is the purpose? - Only allow authorized users to access the XML Web Service; prevent others from reading messages without authorization.

How should the expected result be achieved? - At the network, transport layer, OS, service, or application level.

What level of interoperability does the solution require? - Local or global.

So, how can we ensure the security of today's XML Web Services? The answer is: first answer the questions above, and then apply the same technologies used to protect any other Web application, namely:

Secure Connection

Identity authentication and authorization for interactive operations

As you will learn below, these technologies provide a variety of options that you can combine to achieve additional results. For example, you can use a firewall together with the XML Web Service to restrict access to certain functions (methods) based on the client identity and the rules you have created for it.

Let's review the various options to protect the existing infrastructure and understand their functions.

Protect infrastructure security

The core of a secure XML Web Service is the security infrastructure. Microsoft provides a wide range of technologies that can be combined into an overall security protection plan to effectively protect an organization's IT infrastructure. The correct planning process includes:

Understand the potential risks in the environment (such as viruses, hackers, and natural disasters).

Analyze in advance the consequences of security vulnerabilities related to those risks and develop countermeasures.

Based on this understanding and analysis, create a well-planned implementation policy that applies security protection measures to all aspects of the enterprise network.

Secure Connection

One of the simplest ways to protect an XML Web Service is to secure the connection between the XML Web Service client and the server. Depending on the scope of the network and the activity profile of the interactions, this can be achieved through a variety of technologies. The three most popular and widely used are firewall-based rules, Secure Sockets Layer (SSL), and virtual private networks (VPN).

If you know exactly which computers need to access your XML Web Service, you can use firewall rules to restrict access to computers with known IP addresses. This technique is useful if you need to restrict access to computers on a private network (such as a company's LAN/WAN) and do not need to keep the message content confidential. Firewalls (such as Microsoft Internet Security and Acceleration [ISA] Server) provide advanced policy-based rules that can impose different restrictions on different clients based on where the client connects from. This is useful when different clients access different functions (methods) on the same XML Web Service.

The Secure Sockets Layer can be used to establish secure connections over an unmanaged network (such as the Internet). SSL encrypts and decrypts the messages sent between the client and the server. By encrypting the data, you prevent messages from being read in transit. SSL encrypts the client's message and sends it to the server; after the server receives the message, SSL decrypts it and verifies that it comes from the correct sender (a process called authentication). Both servers and clients may have certificates that are used as part of the authentication process, providing authentication on top of the connection encryption. Although SSL is a very effective way to create secure communication, its performance cost should be considered. Microsoft XML Web Services support SSL integration on both the client and the server.

A Virtual Private Network is an extension of a private network that spans a shared or public network (such as the Internet). A VPN allows you to send data between two computers over a secure connection. A VPN is similar to SSL, but a VPN is a long-lived point-to-point connection. This makes VPNs an effective and secure option for XML Web Services, but it requires a long-lived connection and ongoing operation.

Authentication and authorization

Authentication: authentication is the process of verifying identity, that is, verifying that someone (or something) is who (or what) it claims to be. This person or thing is called the "principal". Authentication requires evidence, called "credentials". For example, a client application can use a password as a credential. If the client application presents the correct credentials, it is deemed to be the person or thing it claims to be.

Authorization: once the principal's identity has been verified, authorization can be performed. The server determines access permissions by checking access control information (such as an access control list [ACL]) for the principal. Different clients may have different access levels. For example, some clients may have full access to the XML Web Service, while others may access only some operations. Some clients may have full access to all data, some may access only a subset of the data, and some may have read-only access.
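The following is an added example, not code from the original article, showing the kind of access control decision the two paragraphs above describe, combined with the firewall-style source restriction described earlier: an ACL (constructed here for illustration) maps each authenticated principal to the operations it may call, a data scope (full access versus its own subset), and the networks it may call from. All principal names, operation names and addresses are made up for the example.

```python
import ipaddress

# Constructed example data (not from the article): the operations the service exposes.
READ_ONLY = frozenset({"GetOrder", "ListOrders"})          # never modify data
ALL_OPERATIONS = READ_ONLY | {"CreateOrder", "CancelOrder"}

# Constructed ACL: principal -> permitted operations, data scope, and the
# source networks (a firewall-style rule) the principal may call from.
ACL = {
    "svc-billing": {"operations": ALL_OPERATIONS, "scope": "all",
                    "networks": [ipaddress.ip_network("10.0.0.0/8")]},
    "partner-acme": {"operations": frozenset({"GetOrder", "CreateOrder"}), "scope": "own",
                     "networks": [ipaddress.ip_network("198.51.100.0/24")]},
    "auditor": {"operations": READ_ONLY, "scope": "all",
                "networks": [ipaddress.ip_network("10.0.0.0/8")]},
}


def authorize(principal, operation, source_ip, acl=ACL):
    """Decide whether an already-authenticated principal may invoke `operation`
    from `source_ip`. Returns (allowed, reason). Anything not explicitly
    permitted is denied, so an unknown principal, an unknown operation, a
    malformed address or a mismatched network all fail closed."""
    entry = acl.get(principal)
    if entry is None:
        return False, "unknown principal"
    if operation not in ALL_OPERATIONS:
        return False, "unknown operation"
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "malformed source address"
    if not any(addr in net for net in entry["networks"]):
        return False, "source address not permitted for this principal"
    if operation not in entry["operations"]:
        return False, "operation not permitted for this principal"
    # The scope tells the service whether to return all data or only the
    # caller's own subset; read-only callers never reach a modifying operation.
    return True, f"scope={entry['scope']}"


if __name__ == "__main__":
    for args in (("svc-billing", "CancelOrder", "10.0.1.25"),
                 ("auditor", "CreateOrder", "10.0.2.7"),
                 ("partner-acme", "GetOrder", "203.0.113.9")):
        print(args, "->", authorize(*args))
```

The check runs after authentication has established the principal (by IIS, ISA Server or the service itself); the decision is independent of how the identity was proven, which is what lets the same ACL sit behind any of the HTTP authentication mechanisms discussed next.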

One simple and direct way to implement authentication for an XML Web Service is to use the authentication features of the protocol used for message exchange. For most XML Web Services this means HTTP authentication. Microsoft Internet Information Server (IIS) and ISA Server, combined with Windows 2000 Server, provide integrated support for several HTTP authentication mechanisms:

Basic Authentication - provides non-secure or semi-secure identification of the client, because the user name and password are sent as base64-encoded text, which is trivial to decode. If the credentials match a valid user account, IIS grants the client access to the XML Web Service.

Basic Authentication over SSL - the same as Basic Authentication, except that the communication channel is encrypted to protect the user name and password. This is a good choice for Internet solutions, but using SSL has a significant impact on performance.

Digest Authentication - uses hashes to transmit the client's credentials securely. However, this method may not be widely supported by the developer tools used to build XML Web Service clients. If the credentials match a valid user account, IIS grants the client access to the XML Web Service.

Integrated Windows Authentication - mainly used for intranet solutions. Uses NTLM or Kerberos. The client must belong to the server's domain or to a domain trusted by the server's domain. If the credentials match a valid user account, IIS grants the client access to the XML Web Service.

Client Certificates over SSL - each client is required to obtain a certificate. Certificates are mapped to user accounts, and IIS uses them to authorize access to the XML Web Service. Although digital certificates are not yet widely used, they are a viable option for Internet solutions. This method may not be widely supported by the developer tools used to build XML Web Service clients. It can only be used over SSL connections, so performance may be a consideration.

From the XML Web Service implementer's point of view, using any of the above authentication mechanisms has one benefit: no code changes are required, because IIS/ISA Server performs all authentication and ACL authorization checks before the XML Web Service is invoked. However, on the client side there is still some extra work to do: the client application must respond to the server's request for authentication credentials.
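To make the difference between the first mechanisms concrete, here is an added example (not code from the original article or from IIS) that shows what each scheme puts on the wire and how the client answers the server's challenge. The Basic part decodes an Authorization header exactly as any observer of an unencrypted connection could; the Digest part implements the RFC 2617 MD5 computation with qop="auth", with both the server's challenge and the client's response, so the password itself never leaves the client. User names, passwords, realm and URI are constructed for the example; the one fixed test vector is the worked example from RFC 2617 itself.

```python
import base64
import hashlib
import hmac
import secrets


# ---- Basic: the credential itself travels, only base64-encoded ----------------
def make_basic_header(user, password):
    """Build the value of an 'Authorization: Basic ...' header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic(header):
    """Recover (user, password) from a Basic header. Without SSL, anyone who can
    read the request does exactly this, which is why Basic alone is not secure."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


# ---- Digest (RFC 2617, MD5, qop="auth"): only a hash of the credential travels --
def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) per RFC 2617 section 3.2.2."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_challenge(realm, issued_nonces):
    """The 401 side: the server mints a fresh nonce and remembers it so that a
    captured response cannot be replayed against a nonce it never issued."""
    nonce = secrets.token_hex(16)
    issued_nonces.add(nonce)
    return {"realm": realm, "qop": "auth", "nonce": nonce}


def client_answer(user, password, method, uri, challenge):
    """The client-side work the article mentions: answer the challenge with a
    proof derived from the password rather than the password itself."""
    cnonce = secrets.token_hex(8)
    nc = "00000001"
    return {
        "username": user, "realm": challenge["realm"], "nonce": challenge["nonce"],
        "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce,
        "response": digest_response(user, challenge["realm"], password, method, uri,
                                    challenge["nonce"], nc, cnonce),
    }


def server_verify(auth, method, password_for_user, issued_nonces):
    """Recompute the expected response from the server's stored copy of the
    password (Digest requires the password or HA1 to be available server-side)
    and compare in constant time. The HTTP method is bound into HA2, so a
    response captured for one request does not validate a different one."""
    if auth["nonce"] not in issued_nonces:
        return False
    password = password_for_user(auth["username"])
    if password is None:
        return False
    expected = digest_response(auth["username"], auth["realm"], password, method, auth["uri"],
                               auth["nonce"], auth["nc"], auth["cnonce"], auth["qop"])
    return hmac.compare_digest(expected, auth["response"])


if __name__ == "__main__":
    print(parse_basic(make_basic_header("alice", "s3cret")))   # constructed credential, recovered
    issued = set()
    challenge = server_challenge("XMLWebService", issued)
    answer = client_answer("alice", "s3cret", "POST", "/orders.asmx", challenge)
    print("digest accepted:", server_verify(answer, "POST", {"alice": "s3cret"}.get, issued))
```

Note what Digest does and does not give you: the password is protected in transit, but the message body is not, and the server must hold a recoverable password or HA1. That is why the article pairs these mechanisms with SSL when confidentiality of the SOAP payload matters.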

Other ways to authenticate an XML Web Service include using a third-party service (such as the Microsoft .NET Passport service), using the Microsoft ASP.NET session facility, or creating a custom authentication method.

Next step: interoperability

As you can see, the standard technologies used today to protect Web applications can be used on their own or in combination to build secure XML Web Services. These technologies are backed by extensive experience and are very effective. However, they are not integrated into the XML Web Service architecture itself. As XML Web Service solutions become more complex (for example, crossing hosting boundaries and being distributed across multiple systems or enterprises), XML Web Service implementers are forced to create custom solutions that work but do not provide universal interoperability.

To meet these needs and improve XML Web Service interoperability, Microsoft and its partners are developing a set of security specifications. These specifications build on the extensibility mechanism of the SOAP specification and provide enhanced security features that are integrated into the XML Web Service architecture.

The core of these security specifications is the Web Services Security Language (WS-Security). It provides three enhancements for SOAP messages: credential transfer, message integrity, and message confidentiality. On their own, these features are not a complete security solution. Rather, WS-Security is a building block that can be combined with the infrastructure and with other XML Web Service protocols to meet the security requirements of a wide range of applications. WS-Security and the related specifications are the core of the Microsoft Global XML Web Services Architecture, which provides a framework for developing the XML Web Service infrastructure.
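As an added illustration of the "credential transfer" building block, here is an example (not code from the original article or from Microsoft) that carries a credential inside the SOAP header rather than in the HTTP layer, so it survives intermediaries and transports other than HTTP. It goes beyond what the article describes by using the OASIS WS-Security UsernameToken profile (PasswordDigest = Base64(SHA-1(nonce + created + password))), which was standardized after this article; the namespaces are the published OASIS ones. The user name, password, body element and timestamps are constructed for the example.

```python
import base64
import datetime
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
for prefix, uri in (("soap", SOAP_NS), ("wsse", WSSE_NS), ("wsu", WSU_NS)):
    ET.register_namespace(prefix, uri)

# Constructed credential store for the example (a real service would consult
# its account database; the digest scheme needs the password available server-side).
PASSWORDS = {"alice": "s3cret"}


def password_digest(nonce, created, password):
    """UsernameToken profile: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username, password, body_xml, nonce=None, created=None):
    """Client side: wrap `body_xml` in a SOAP envelope whose wsse:Security header
    carries a UsernameToken with a digested password, a fresh nonce and a timestamp."""
    nonce = nonce if nonce is not None else secrets.token_bytes(16)
    created = created or datetime.datetime.now(datetime.timezone.utc).strftime(TIME_FMT)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Header"), f"{{{WSSE_NS}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE_NS}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE_NS}}}Password", {"Type": DIGEST_TYPE}).text = \
        password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE_NS}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU_NS}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def verify_envelope(xml_text, password_for_user, seen_nonces, now=None, max_skew=300):
    """Server side. Returns (ok, reason): rejects tokens that are incomplete,
    stale (Created outside the skew window), replayed (nonce seen before) or
    whose digest does not match the stored password. `now` is an ISO timestamp
    in TIME_FMT for deterministic testing; None means the current time."""
    root = ET.fromstring(xml_text)
    tok = root.find(f"./{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
    if tok is None:
        return False, "no UsernameToken"
    username = tok.findtext(f"{{{WSSE_NS}}}Username")
    pw_el = tok.find(f"{{{WSSE_NS}}}Password")
    nonce_b64 = tok.findtext(f"{{{WSSE_NS}}}Nonce")
    created = tok.findtext(f"{{{WSU_NS}}}Created")
    if pw_el is None or pw_el.get("Type") != DIGEST_TYPE or not (username and nonce_b64 and created):
        return False, "token is not a complete PasswordDigest token"
    now_dt = (datetime.datetime.strptime(now, TIME_FMT) if now
              else datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None))
    created_dt = datetime.datetime.strptime(created, TIME_FMT)
    if abs((now_dt - created_dt).total_seconds()) > max_skew:
        return False, "Created timestamp outside freshness window"
    if nonce_b64 in seen_nonces:
        return False, "nonce replayed"
    password = password_for_user(username)
    if password is None:
        return False, "unknown user"
    expected = password_digest(base64.b64decode(nonce_b64), created, password)
    if not hmac.compare_digest(expected, pw_el.text or ""):
        return False, "digest mismatch"
    seen_nonces.add(nonce_b64)          # remember only after a successful check
    return True, username


if __name__ == "__main__":
    env = build_envelope("alice", "s3cret", "<Ping xmlns='urn:example:test'/>")
    print(env)
    print(verify_envelope(env, PASSWORDS.get, set()))
```

Because the credential, nonce and timestamp live in the SOAP header, the same token can be checked by the service itself or by an intermediary, independent of the HTTP authentication IIS performs; the nonce and timestamp checks are what stop a captured envelope from being replayed.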
