XML Web Service Security

Source: Internet
Author: User
When we talk about XML Web Service, the problem that people are most concerned about is security.

  Is the XML Web Service secure?

Given the many aspects of security, such as authentication and authorization, data privacy and integrity, and the fact that security is not mentioned in the SOAP specification, it is not difficult to understand why people think the answer is no. But please don't underestimate Microsoft's XML Web Service. There are a number of steps you can take today to create a secure XML Web Service.

To address security issues with XML Web Service, we need to consider the following issues:

What is the purpose to be achieved? For example, allowing only authorized users to access the XML Web Service, and prohibiting unauthorized viewing of messages.

How is the desired effect to be achieved? At the network, transport layer, OS, service, or application level.

What level of interoperability is required in the solution? Local or global.

So how do we make sure that today's XML Web Service is secure? The answer is: answer these questions first, and then apply the same techniques that you use to protect any other Web application, namely:

  Protecting connection security

Authentication and authorization of interactive operations

As you will see below, these technologies offer a variety of options that you can combine for additional effect. For example, a firewall can be used together with an XML Web Service to restrict access to certain functions (methods) based on the identity of the client and the rules established for it.

Let's take a look at the various options to protect the existing infrastructure and understand their capabilities.

  Securing Your Infrastructure

The core of a secure XML Web Service is the security infrastructure. Microsoft offers a wide range of technologies that, combined into an overall security protection plan, can effectively protect an organization's IT infrastructure. A properly implemented planning process includes:

Learning about potential environmental hazards (such as viruses, hackers, and natural disasters).

Analyzing in advance the consequences of the security vulnerabilities associated with each risk, and formulating countermeasures.

Based on this understanding and analysis, a well-planned implementation strategy is created to apply the security protection measures to all aspects of the enterprise network.

  Protecting connection security

One of the easiest ways to secure an XML Web Service is to ensure that the connection between the XML Web Service client and the server is secure. Depending on the scope of the network and the activity profile of the interaction, this can be achieved through a variety of technologies. The three most popular and widely used are firewall-based rules, Secure Sockets Layer (SSL), and virtual private networks (VPN).

If you know exactly which computers need access to your XML Web Service, you can use firewall rules to restrict access to computers with known IP addresses. This technique is useful if you need to restrict access to computers in a private network, such as a company's LAN/WAN, and you do not have to worry about keeping message content secret (encrypted). Firewalls such as Microsoft Internet Security and Acceleration (ISA) Server can provide advanced policy-based rules that impose different limits on different clients depending on the client's origin or identity. This technique is useful when different clients access different functions (methods) on the same XML Web Service.

Secure Sockets Layer can be used to establish secure connections on unmanaged networks, such as the Internet. SSL encrypts and decrypts messages sent between the client and the server. By encrypting the data, you prevent the message from being read in transit. SSL encrypts the client's message first and then transmits it to the server. After the server receives the message, SSL decrypts it and verifies that the message came from the correct sender (this process is called authentication). The server, or both the client and the server, may have certificates that are used as part of the authentication process to provide authentication on top of the connection encryption. Although SSL is a very effective way to create secure communications, you should consider its performance cost. The Microsoft XML Web Service supports integrated SSL on both the client and the server.

A virtual private network is an extension of a private network across a shared or public network (such as the Internet). A VPN allows you to send data between two securely connected computers. VPNs are similar to SSL, but a VPN is a long-term point-to-point connection. This lets a VPN serve an XML Web Service efficiently and securely, but it requires a long-term connection that must remain up to achieve this effect.

  Authentication and authorization

Authentication: Authentication is the process of verifying an identity by checking that someone (or something) is who (or what) it claims to be. The person or thing is called the "party". Authentication requires evidence, known as "credentials." For example, a client application can use a password as a credential. If the client application provides the correct credentials, it is considered to be the person or object it claims to be.

Authorization: After the identity of the party has been authenticated, authorization can take place. The server determines access rights by examining access control information about the party, such as access control lists (ACLs). Clients may have different access levels. For example, some clients have full access to the XML Web Service, while others can access only certain operations. Some clients have full access to all data, some can access only a subset of the data, and some have read-only access.

A simple and straightforward way to implement authentication in an XML Web Service is to take advantage of the authentication capabilities of the protocol used for the information interchange. For most XML Web Services, this means taking advantage of HTTP authentication. Using Microsoft Internet Information Server (IIS) and ISA Server on Windows 2000 Server provides integrated support for multiple HTTP authentication mechanisms:

Basic authentication: transmits the client's identity unsecured or only semi-secured, because the user name and password are sent as Base64-encoded text, which is trivially decoded. If the credentials match a valid user account, IIS gives the client access to the XML Web Service.

Basic authentication over SSL: the same as Basic authentication, except that the communication channel is encrypted to protect the user name and password. This is a good choice for Internet scenarios, but using SSL can have a significant impact on performance.

Digest authentication: uses hashing to transmit client credentials securely. However, this approach may not be widely supported by the developer tools used to build XML Web Service clients. If the credentials match a valid user account, IIS gives the client access to the XML Web Service.

Integrated Windows authentication: primarily for intranet scenarios; uses NTLM or Kerberos. The client must belong to the same domain as the server, or to a domain trusted by the server's domain. If the credentials match a valid user account, IIS gives the client access to the XML Web Service.

Client certificates over SSL: requires each client to obtain a certificate. The certificates are mapped to user accounts, which IIS uses to authorize access to the XML Web Service. Although digital certificates are not widely deployed today, this is still a viable option for Internet scenarios. This approach may not be widely supported by the developer tools used to build XML Web Service clients. Because it can only be used over SSL connections, performance can be a concern.

From the perspective of the XML Web Service implementer, using any of these authentication mechanisms has the advantage of requiring no code changes in the XML Web Service, because the IIS/ISA service performs all authentication and ACL authorization checks before the XML Web Service is invoked. Some work is needed on the client side, however: the client application must respond to the server's request for authentication credentials.
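The following is an added example, not code from the original article or from Microsoft, illustrating the Basic and Digest HTTP schemes listed above from both ends of the exchange: the client builds the Authorization header that answers the server's challenge, and the server verifies it and then applies a per-method ACL of the kind the article describes. The credential store, realm, nonces and ACL are constructed for the demo. Decoding the Basic header shows why the article calls it unsecured without SSL; the Digest path follows RFC 2617 without the qop extension and treats each server nonce as single-use.

```python
import base64
import hashlib
import hmac

# Constructed demo credential store (assumption: the server holds the
# password itself, which both Basic and RFC 2617 Digest verification need).
USERS = {"alice": "s3cret-pass", "bob": "hunter2"}
REALM = "xmlws-demo"

# Constructed per-method ACL: which authenticated parties may call which
# XML Web Service methods, as the article's per-method restriction describes.
METHOD_ACL = {
    "GetQuote": {"alice", "bob"},
    "PlaceOrder": {"alice"},
}


def basic_header(user, password):
    """Client side: build the Authorization header for HTTP Basic."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header):
    """Anyone who sees a Basic header recovers the credentials: Base64 is an
    encoding, not encryption, which is why Basic needs SSL underneath it."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, password, method, uri, nonce):
    """RFC 2617 Digest without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def digest_header(user, password, method, uri, nonce):
    """Client side: answer a Digest challenge that carried the server's nonce."""
    response = digest_response(user, password, method, uri, nonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


def parse_digest(header):
    """Parse the key="value" pairs of a Digest header (values without commas)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    fields = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        fields[key] = value.strip('"')
    return fields


def verify_digest(header, method, issued_nonces):
    """Server side: return the authenticated user name, or None.
    issued_nonces holds the nonces the server handed out; each is single-use,
    so a captured header cannot simply be replayed."""
    fields = parse_digest(header)
    nonce = fields.get("nonce")
    user = fields.get("username")
    if nonce not in issued_nonces or user not in USERS:
        return None
    expected = digest_response(user, USERS[user], method, fields.get("uri", ""), nonce)
    if not hmac.compare_digest(expected, fields.get("response", "")):
        return None
    issued_nonces.discard(nonce)   # a second header with this nonce now fails
    return user


def authorize(user, method_name):
    """ACL check after authentication: may this party call this method?"""
    return user in METHOD_ACL.get(method_name, set())


if __name__ == "__main__":
    print(decode_basic(basic_header("alice", "s3cret-pass")))
    issued = {"n1"}
    hdr = digest_header("alice", "s3cret-pass", "POST", "/Quote.asmx", "n1")
    print(verify_digest(hdr, "POST", issued), authorize("alice", "PlaceOrder"))
```

The separation of `verify_digest` and `authorize` mirrors the article's point that IIS/ISA performs authentication and the ACL check before the service method runs: the service itself never sees a password, only an authenticated party name.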

Other ways to authenticate in an XML Web Service include using a third-party service (such as Microsoft .NET Passport), using the Microsoft ASP.NET session feature, or creating a custom authentication method.

  Next: Interoperability

You may find that today, the standard technologies for Web application security can be used, alone or in combination, to create secure XML Web Services. These technologies are backed by a wealth of experience and are very effective. However, they do not provide a solution integrated into the XML Web Service architecture. As XML Web Service scenarios become more complex (for example, crossing management boundaries and spanning multiple systems or enterprises), XML Web Service implementations need to create custom solutions that are effective but do not provide universal interoperability.

To meet these needs and enhance the interoperability of XML Web Services, Microsoft and its partners are developing a set of security specifications. These specifications build on the extensibility mechanism of the SOAP specification and provide enhanced security features that are integrated into the XML Web Service architecture.

The core of this set of security specifications is the XML Web Service Security Language (WS-Security), which provides three enhancements to SOAP messages: credential passing, message integrity, and message confidentiality. These capabilities do not by themselves provide a complete security solution, but WS-Security is a building block that can be used together with the infrastructure and other XML Web Service protocols to meet the security requirements of a wide range of applications. The Microsoft Global XML Web Services Architecture is the home of WS-Security and the related specifications, providing a framework for the development of an XML Web Service infrastructure.
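As an added example, not code from the article or from the specification's authors, the following shows the first of the three WS-Security enhancements, credential passing, carried inside the SOAP message rather than at the HTTP layer: the client places a UsernameToken in a wsse:Security header, and the server validates it. The token layout and the PasswordDigest formula are those of the WS-Security UsernameToken profile as later standardized by OASIS (the namespace URIs are the OASIS ones, not anything the article names); the user store, nonce, timestamps and freshness window are constructed for the demo. The server rejects plaintext passwords, stale timestamps and replayed nonces, which is what makes the digest form preferable to sending the password itself.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

USERS = {"alice": "s3cret-pass"}   # constructed demo credential store


def password_digest(nonce_b64, created, password):
    """UsernameToken profile: Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_envelope(user, password, body_xml, nonce=None, created=None):
    """Client side: SOAP envelope whose Security header carries a UsernameToken."""
    nonce_b64 = base64.b64encode(nonce or os.urandom(16)).decode()
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    digest = password_digest(nonce_b64, created, password)
    return f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}" soap:mustUnderstand="1">
      <wsse:UsernameToken>
        <wsse:Username>{user}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password>
        <wsse:Nonce>{nonce_b64}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>{body_xml}</soap:Body>
</soap:Envelope>"""


def _parse_ts(text):
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)


def verify_envelope(xml_text, seen_nonces, now=None, max_skew_seconds=300):
    """Server side: return the authenticated user name, or None.
    seen_nonces is the server's replay cache; now is a TS_FMT string
    (defaults to the current UTC time)."""
    ns = {"soap": SOAP_NS, "wsse": WSSE_NS, "wsu": WSU_NS}
    root = ET.fromstring(xml_text)
    token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", ns)
    if token is None:
        return None
    user = token.findtext("wsse:Username", namespaces=ns)
    pw_el = token.find("wsse:Password", ns)
    nonce = token.findtext("wsse:Nonce", namespaces=ns)
    created = token.findtext("wsu:Created", namespaces=ns)
    if None in (user, pw_el, nonce, created) or user not in USERS:
        return None
    if pw_el.get("Type") != DIGEST_TYPE or not pw_el.text:
        return None                      # only the digest form is accepted
    now_dt = _parse_ts(now) if now else datetime.now(timezone.utc)
    # The freshness window bounds how long a captured token stays usable.
    if abs(now_dt - _parse_ts(created)) > timedelta(seconds=max_skew_seconds):
        return None
    if nonce in seen_nonces:             # replayed token
        return None
    expected = password_digest(nonce, created, USERS[user])
    if not hmac.compare_digest(expected.encode(), pw_el.text.encode()):
        return None
    seen_nonces.add(nonce)
    return user


if __name__ == "__main__":
    env = build_envelope("alice", "s3cret-pass", "<GetQuote/>")
    print(verify_envelope(env, set()))
```

Because the credential travels inside the SOAP envelope, it survives intermediaries and transports that HTTP authentication cannot cross, which is the interoperability gap the article describes; integrity and confidentiality of the message body are the other two WS-Security enhancements and are not covered by this token alone.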
