![Page 1: WEB401 Security Practices for Web Services (Part 2) Keith Ballinger Program Manager XML Messaging Microsoft Corporation](https://reader034.vdocuments.us/reader034/viewer/2022051415/56649cc95503460f94991332/html5/thumbnails/1.jpg)
WEB401
Security Practices for Web Services (Part 2)
Keith Ballinger
Program Manager
XML Messaging
Microsoft Corporation
Agenda
Trusting clients and services
  Enabling a manageable B2B infrastructure
Creating a security context
  Faster security performance
Authoring security policy
  Removing the need for writing a lot of security code
Trust
Relationships and identity
How do I prove who I am?
Who can vouch for me?
How do you know you can trust him?
These questions are answered with signed security tokens
WS-Trust defines a protocol for issuing and obtaining security tokens
Trust
Several models for issuing tokens
Client obtains token
Service obtains token for client
Etc…
[Three diagrams of token-issuing models, each showing a Client, a Token Issuer and a Service; in the second model the Client and the Service each have their own Token Issuer (Token Issuer 1, Token Issuer 2)]
Trust
Requesting a security token (RST)
<RequestSecurityToken>
  <TokenType>...</TokenType>
</RequestSecurityToken>
Issuing a security token (RSTR)
<RequestSecurityTokenResponse>
  <TokenType />
  <wsp:AppliesTo />
  <RequestedSecurityToken />
  <RequestedProofToken />
</RequestSecurityTokenResponse>
Trust
RST is usually signed with a token the token issuer trusts
RSTR issues new token
Proof-of-possession token can also be returned
This token includes a key that the requestor can use to prove he’s allowed to use the issued token
Issuing a custom XML-based security token
demo
Secure conversation
Token issuing can also occur between two parties
[Diagram: Client exchanging tokens with a single party that is both Service and Token Issuer]
Typically, this is done to create higher performance security processing
WS-SecureConversation is an example
Secure conversation
WS-SecureConversation details how to issue a SecurityContextToken
In WSE, this lightweight token takes the place of a more processing-intensive token
[Sequence diagram between Client and Service/Token Issuer: Request for SCT; SCT issued to client; series of messages signed with issued SCT]
Building a Secure Conversation with WSE
demo
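The RST/RSTR exchange and the secure-conversation flow above, as an added example that is not code from the slides or from WSE. It models the two-party case, where the service is also the token issuer: the client sends a RequestSecurityToken signed with a credential the issuer already trusts (a constructed pre-shared key), the issuer answers with a RequestSecurityTokenResponse carrying a SecurityContextToken and a proof-of-possession key, and every later message is authenticated cheaply with an HMAC under that key. The namespace URIs are placeholders, HMAC-SHA256 stands in for an XML Signature, and the proof key is sent hex-encoded rather than encrypted for the requestor, all of which are simplifications of this example.

```python
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET

# Placeholder namespace URIs for this example, not the real WS-Trust/WS-SC ones.
NS_TRUST = "urn:example:ws-trust"
NS_SC = "urn:example:ws-secureconversation"
ET.register_namespace("wst", NS_TRUST)
ET.register_namespace("wsc", NS_SC)
SCT = "SecurityContextToken"


def mac_hex(key: bytes, data: str) -> str:
    """HMAC-SHA256 over the text; stands in for an XML Signature."""
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


def build_rst(requestor: str, requestor_key: bytes) -> str:
    """Client: RST asking for an SCT, signed with a credential the issuer trusts."""
    rst = ET.Element(f"{{{NS_TRUST}}}RequestSecurityToken", {"Requestor": requestor})
    ET.SubElement(rst, f"{{{NS_TRUST}}}TokenType").text = SCT
    rst.set("Signature", mac_hex(requestor_key, f"{requestor}|{SCT}"))
    return ET.tostring(rst, encoding="unicode")


def parse_rstr(rstr_xml: str):
    """Client: pull the SCT Id and the proof-of-possession key out of the RSTR."""
    rstr = ET.fromstring(rstr_xml)
    sct = rstr.find(f"{{{NS_TRUST}}}RequestedSecurityToken/{{{NS_SC}}}{SCT}")
    return sct.get("Id"), bytes.fromhex(rstr.findtext(f"{{{NS_TRUST}}}RequestedProofToken"))


def sign_message(sct_id: str, proof_key: bytes, body: str) -> str:
    """Client: later messages carry only the SCT reference and a MAC under the
    proof key; no certificate handling or public-key operation per message."""
    msg = ET.Element("Envelope", {"Signature": mac_hex(proof_key, body)})
    ET.SubElement(msg, f"{{{NS_SC}}}{SCT}", {"Id": sct_id})
    ET.SubElement(msg, "Body").text = body
    return ET.tostring(msg, encoding="unicode")


class ServiceAndIssuer:
    """Service that is also the token issuer (the two-party model on the slides)."""

    def __init__(self, trusted_requestors: dict, lifetime_s: int = 300):
        self.trusted = trusted_requestors   # requestor name -> pre-shared key
        self.contexts = {}                  # SCT Id -> (proof key, expiry time)
        self.lifetime_s = lifetime_s

    def issue(self, rst_xml: str) -> str:
        """Verify the RST, then return an RSTR with the new SCT and its proof key."""
        rst = ET.fromstring(rst_xml)
        requestor, token_type = rst.get("Requestor"), rst.findtext(f"{{{NS_TRUST}}}TokenType")
        key = self.trusted.get(requestor)
        if key is None or not hmac.compare_digest(
                mac_hex(key, f"{requestor}|{token_type}"), rst.get("Signature", "")):
            raise PermissionError("RST is not signed by a trusted requestor")
        if token_type != SCT:
            raise ValueError(f"unsupported token type {token_type}")
        sct_id, proof_key = "uuid:" + secrets.token_hex(8), secrets.token_bytes(32)
        self.contexts[sct_id] = (proof_key, time.time() + self.lifetime_s)
        rstr = ET.Element(f"{{{NS_TRUST}}}RequestSecurityTokenResponse")
        ET.SubElement(rstr, f"{{{NS_TRUST}}}TokenType").text = token_type
        issued = ET.SubElement(rstr, f"{{{NS_TRUST}}}RequestedSecurityToken")
        ET.SubElement(issued, f"{{{NS_SC}}}{SCT}", {"Id": sct_id})
        # A real RSTR encrypts the proof key for the requestor; it travels
        # hex-encoded in the clear here only to keep the example short.
        ET.SubElement(rstr, f"{{{NS_TRUST}}}RequestedProofToken").text = proof_key.hex()
        return ET.tostring(rstr, encoding="unicode")

    def verify_message(self, msg_xml: str) -> str:
        """Per-message check: look up the context by Id, reject expired ones,
        verify the MAC over the body. Returns the body on success."""
        msg = ET.fromstring(msg_xml)
        sct_id = msg.find(f"{{{NS_SC}}}{SCT}").get("Id")
        if sct_id not in self.contexts:
            raise PermissionError("unknown security context")
        key, expiry = self.contexts[sct_id]
        if time.time() > expiry:
            del self.contexts[sct_id]
            raise PermissionError("security context expired")
        body = msg.findtext("Body", "")
        if not hmac.compare_digest(mac_hex(key, body), msg.get("Signature", "")):
            raise PermissionError("signature does not verify under the SCT key")
        return body


def run_conversation():
    """One RST/RSTR handshake, then three cheap signed messages; a fourth
    message has its body altered in transit and must be rejected."""
    svc = ServiceAndIssuer({"alice": b"alice-preshared-key"})   # constructed
    sct_id, proof_key = parse_rstr(svc.issue(build_rst("alice", b"alice-preshared-key")))
    accepted = [svc.verify_message(sign_message(sct_id, proof_key, body))
                for body in ("order 1", "order 2", "order 3")]
    tampered = sign_message(sct_id, proof_key, "order 4").replace("order 4", "order 9")
    try:
        svc.verify_message(tampered)
        tampered_rejected = False
    except PermissionError:
        tampered_rejected = True
    return accepted, tampered_rejected
```

The performance point of the slides is visible in `verify_message`: after the one handshake, the service does a dictionary lookup and one HMAC per message instead of parsing a certificate and verifying a public-key signature each time. The expiry check matters just as much: a context that never expires turns a leaked proof key into a permanent credential.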
Policy
Beyond what WSDL provides, what else is needed to describe a Web service?
Security requirements
Reliable messaging assurances
Protocol versioning
Etc…
These other attributes of a service can be described with WS-Policy
XML-based language
Complex: <Or>, <ExactlyOne>, etc…
Policy
<wsp:Policy wsu:Id="message-age">
  <wsse:MessageAge wsp:Usage="wsp:Required" Age="5" />
</wsp:Policy>
Security policy
WS-SecurityPolicy specifies the assertions for expressing requirements related to WS-Security
<Integrity>
<Confidentiality>
<SecurityToken>
Can be embedded inside the other two
Security Policy
<wsp:Policy wsu:Id="signed-body-x509">
  <wsse:Integrity wsp:Usage="wsp:Required">
    <wsse:TokenInfo>
      <wsse:SecurityToken>
        <wsse:TokenType>X509v3</wsse:TokenType>
      </wsse:SecurityToken>
    </wsse:TokenInfo>
    <wsse:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
      wsp:Body()
    </wsse:MessageParts>
  </wsse:Integrity>
</wsp:Policy>
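An added example, not from the slides or from WSE, of what a receiver does with the two policies shown above (the MessageAge policy and the signed-body-x509 Integrity policy): parse the assertions and reject any message that does not satisfy every wsp:Required one. The policy document is constructed for the example and combines both assertions; the namespace URIs are placeholders; the incoming message is modelled as the facts a receiver has already extracted from its Security header (the wsu:Created timestamp, and for each signature the signing token type and the parts it covers); and Age is interpreted as seconds, which is an assumption of this example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Prefixes as on the slides; the URIs are placeholders for this example,
# not the real WS-Policy / WS-SecurityPolicy / WS-Security utility namespaces.
NS = {"wsp": "urn:example:wsp", "wsse": "urn:example:wsse", "wsu": "urn:example:wsu"}

# Constructed policy: both assertions from the slides in one policy document.
POLICY = """<wsp:Policy xmlns:wsp="urn:example:wsp" xmlns:wsse="urn:example:wsse"
            xmlns:wsu="urn:example:wsu" wsu:Id="signed-body-x509">
  <wsse:MessageAge wsp:Usage="wsp:Required" Age="5"/>
  <wsse:Integrity wsp:Usage="wsp:Required">
    <wsse:TokenInfo>
      <wsse:SecurityToken><wsse:TokenType>X509v3</wsse:TokenType></wsse:SecurityToken>
    </wsse:TokenInfo>
    <wsse:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">
      wsp:Body()
    </wsse:MessageParts>
  </wsse:Integrity>
</wsp:Policy>"""


@dataclass
class Signature:
    """What the receiver learned from one ds:Signature in the Security header."""
    token_type: str          # type of the token that signed, e.g. "X509v3"
    signed_parts: frozenset  # message parts covered, e.g. {"wsp:Body()"}


@dataclass
class Message:
    """Receiver-side view of an incoming message's Security header."""
    created: datetime                # wsu:Timestamp/wsu:Created
    signatures: list = field(default_factory=list)


def check_assertion(assertion, msg: Message, now: datetime):
    """Return None if the message satisfies one assertion, else a reason."""
    name = assertion.tag.split("}")[-1]
    if name == "MessageAge":
        # Age is taken as seconds (assumption); sender and receiver clocks
        # are assumed to be synchronised.
        max_age = timedelta(seconds=int(assertion.get("Age")))
        if msg.created > now:
            return "MessageAge: Created timestamp is in the future"
        if now - msg.created > max_age:
            return f"MessageAge: message older than {max_age.seconds}s (stale or replayed)"
        return None
    if name == "Integrity":
        want_type = assertion.findtext("wsse:TokenInfo/wsse:SecurityToken/wsse:TokenType",
                                       namespaces=NS)
        want_parts = frozenset(assertion.findtext("wsse:MessageParts", "", namespaces=NS).split())
        for sig in msg.signatures:
            if sig.token_type == want_type and want_parts <= sig.signed_parts:
                return None
        return f"Integrity: no {want_type} signature covering {sorted(want_parts)}"
    return f"{name}: assertion not understood"


def evaluate(policy_xml: str, msg: Message, now: datetime = None) -> list:
    """Apply every wsp:Required assertion; returns the list of violations
    (empty means the message satisfies the policy). An assertion the
    receiver does not understand counts as a violation, so the check fails closed."""
    now = now or datetime.now(timezone.utc)
    violations = []
    for assertion in ET.fromstring(policy_xml):
        usage = assertion.get(f"{{{NS['wsp']}}}Usage", "wsp:Required")
        reason = check_assertion(assertion, msg, now)
        if reason and usage == "wsp:Required":
            violations.append(reason)
    return violations


def run_checks() -> dict:
    """Evaluate the policy against four constructed messages at a fixed 'now'."""
    now = datetime(2003, 6, 2, 12, 0, 0, tzinfo=timezone.utc)
    body_by_x509 = [Signature("X509v3", frozenset({"wsp:Body()"}))]
    cases = {
        "fresh_signed": Message(now - timedelta(seconds=2), body_by_x509),
        "stale": Message(now - timedelta(seconds=30), body_by_x509),
        "wrong_token": Message(now - timedelta(seconds=2),
                               [Signature("UsernameToken", frozenset({"wsp:Body()"}))]),
        "unsigned": Message(now - timedelta(seconds=2)),
    }
    return {name: evaluate(POLICY, m, now) for name, m in cases.items()}
```

Two details carry the security weight. The Integrity check requires the signature to come from the token type the policy names and to cover every listed part, so a valid signature by a weaker token, or one that covers only a header, does not satisfy it. And the MessageAge check only limits how long a captured message stays usable; within the window a replay is still accepted unless the receiver also tracks message identifiers.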
Role-based security
IPrincipal is the .NET interface for role-based authorization
bool IsInRole(String str)
SecurityToken.Principal
Implementation of IPrincipal
Automatically set for UsernameToken and KerberosSecurityToken
Call method explicitly or use Policy
<wse:Role value="role" />
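An added example, not from the slides or from WSE, of the two ways the slide gives for role-based authorization: a policy assertion of the form `<wse:Role value="..."/>` checked before the method runs, and an explicit IsInRole call inside the method. The `Principal` class is a minimal analogue of .NET's IPrincipal, the credential directory and policy document are constructed for the example, the `wse:` namespace URI is a placeholder, and the rule that every Role assertion in the policy must be satisfied is this example's own.

```python
import hmac
import xml.etree.ElementTree as ET

# Placeholder namespace for the wse: prefix on the slide (not WSE's real URI).
NS_WSE = "urn:example:wse"

# Constructed credential store: username -> (password, roles). A real
# deployment would back this with Windows accounts or a directory.
DIRECTORY = {
    "alice": ("s3cret", {"Manager", "Employee"}),
    "bob": ("hunter2", {"Employee"}),
}

# Constructed policy: the Role assertion from the slide.
MANAGER_POLICY = f"""<wsp:Policy xmlns:wsp="urn:example:wsp" xmlns:wse="{NS_WSE}">
  <wse:Role value="Manager" />
</wsp:Policy>"""


class Principal:
    """Minimal analogue of .NET's IPrincipal: an identity plus IsInRole."""

    def __init__(self, name: str, roles: set):
        self.name = name
        self._roles = frozenset(roles)

    def is_in_role(self, role: str) -> bool:
        return role in self._roles


class UsernameToken:
    """After authentication the token's Principal is populated, mirroring what
    WSE does automatically for UsernameToken and KerberosSecurityToken."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.principal = None            # stays None when authentication fails
        entry = DIRECTORY.get(username)
        if entry is not None and hmac.compare_digest(entry[0], password):
            self.principal = Principal(username, entry[1])


def required_roles(policy_xml: str) -> list:
    """Collect the value attribute of every <wse:Role> assertion."""
    root = ET.fromstring(policy_xml)
    return [r.get("value") for r in root.iter(f"{{{NS_WSE}}}Role")]


def authorize(token: UsernameToken, policy_xml: str):
    """Policy-driven check run before dispatch: returns (allowed, reason).
    Deny by default: an unauthenticated token or a missing role fails closed."""
    if token.principal is None:
        return False, "authentication failed"
    missing = [r for r in required_roles(policy_xml)
               if not token.principal.is_in_role(r)]
    if missing:
        return False, f"missing role(s): {', '.join(missing)}"
    return True, "ok"


def approve_order(token: UsernameToken, amount: int) -> str:
    """The other option on the slide: calling IsInRole explicitly in code."""
    if token.principal is None or not token.principal.is_in_role("Manager"):
        raise PermissionError("Manager role required")
    return f"order for {amount} approved by {token.principal.name}"
```

Both paths fail closed: a token whose authentication failed has no Principal at all, so there is no identity to consult for roles, and a caller with the wrong roles is refused before the method body runs. The policy form is the one the slide recommends because the role requirement then lives in configuration and is applied uniformly rather than depending on each method remembering to call IsInRole.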
Role-Based Authorization using Security Policy
demo
Suggested Reading And Resources
The tools you need to put technology to work!
TITLE: Writing Secure Code, Second Edition (ISBN 0-7356-1722-8)
AVAILABLE: Today
Microsoft Press books are 20% off at the TechEd Bookstore
Also buy any TWO Microsoft Press books and get a FREE T-Shirt
Community Resources
Community Resources
http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP)
http://www.mvp.support.microsoft.com/
Newsgroups
Converse online with Microsoft Newsgroups, including Worldwide
http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups
Meet and learn with your peers
http://www.microsoft.com/communities/usergroups/default.mspx
evaluations
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.