RE: Best Practise
- From: stcheng@xxxxxxxxxxxxxxxxxxxx (Steven Cheng[MSFT])
- Date: Fri, 04 Nov 2005 03:02:48 GMT
Hi AWHK,
Welcome here.
Regarding the WebService security model question, here are some of my
understanding and suggestions:
Since you mentioned that your webservice will be exposed to many
heterogeneous platforms, of course we cannot use Windows-specific
security mechanisms like Integrated Windows authentication. For
common webservice securing, generally we can consider the following two
levels:
1. Transport level security, which relies on the platform or web server
support. For example, using SSL/HTTPS to secure our webservice
communication over HTTP. However, such a security mechanism relies on the
web server support (for SSL), and is also only applicable for end-to-end
communication between client and service server (it won't work well when
there is an intermediate proxy... between client/server).
2. Message level security: this is the most preferred one from an
interoperability perspective. In such a scenario, we secure our webservice by
encrypting/signing our SOAP message (so-called message level security). And
such securing won't rely on the underlying platform or programming interface.
For example, we can put our client authentication credential embedded in
SOAP headers (encrypted ...) and check them at the server side (decrypted...). We
can also use X509 certificate signing to provide message integrity.
Currently, the Microsoft webservice enhancement provides support for the
latest WS-Security specification, which provides a standard definition for
message level webservice security. As far as I know, some other well-known
vendors like IBM and BEA also have their own implementations of this. You can
get some detailed info from the MSDN webservice developer center:
http://msdn.microsoft.com/webservices/webservices/building/wse/default.aspx
http://msdn.microsoft.com/webservices/webservices/building/security/default.aspx
Hope this helps. Thanks,
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
| From: "AWHK" <awhk@xxxxxxxxxxxxxxxx>
| Subject: Best Practise
| Date: Thu, 3 Nov 2005 13:43:25 +0100
|
| I have some web services that will be called from i.e. Linux, Macintosh,
| Windows etc. All clients are required to authenticate. What is the best
| security model to apply in such environment?
|
| andreas.w.h.k. :-)
|
| Note: I am using .NET 2.0
|
|
|
.
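Added example, not part of the original post and not WSE code: one way the
"credential in the SOAP header, checked at the server side" idea from the
reply can look, assuming the PasswordDigest form of the WS-Security
UsernameToken profile rather than an encrypted header. The USERS store,
MAX_AGE window and function names are hypothetical.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
NS = {"s": SOAP, "wsse": OASIS + "wssecurity-secext-1.0.xsd",
      "wsu": OASIS + "wssecurity-utility-1.0.xsd"}
USERS = {"alice": "constructed-demo-secret"}  # constructed sample credential store
MAX_AGE = timedelta(minutes=5)                # assumed freshness window

def digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def build_envelope(user: str, password: str, nonce: bytes, created: str) -> str:
    # Client side: plain XML that any platform can produce.
    xmlns = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    return (f"<s:Envelope {xmlns}><s:Header><wsse:Security><wsse:UsernameToken>"
            f"<wsse:Username>{escape(user)}</wsse:Username>"
            f'<wsse:Password Type="{OASIS}username-token-profile-1.0#PasswordDigest">'
            f"{digest(nonce, created, password)}</wsse:Password>"
            f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
            f"<wsu:Created>{created}</wsu:Created>"
            "</wsse:UsernameToken></wsse:Security></s:Header><s:Body/></s:Envelope>")

def verify(envelope: str, now: datetime, seen: set) -> str:
    """Server side: return the user name; a rejected token raises ValueError."""
    tok = ET.fromstring(envelope).find("s:Header/wsse:Security/wsse:UsernameToken", NS)
    if tok is None:
        raise ValueError("no UsernameToken header")
    user, sent, nonce_b64, created = (
        tok.findtext(tag, default="", namespaces=NS)
        for tag in ("wsse:Username", "wsse:Password", "wsse:Nonce", "wsu:Created"))
    stamp = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs(now - stamp) > MAX_AGE:
        raise ValueError("stale or future-dated token")
    if (user, nonce_b64) in seen:
        raise ValueError("nonce replayed")
    nonce = base64.b64decode(nonce_b64, validate=True)
    # Always compute a digest, even for unknown users, and compare in constant time.
    expected = digest(nonce, created, USERS.get(user, ""))
    if user not in USERS or not hmac.compare_digest(sent.encode(), expected.encode()):
        raise ValueError("bad credentials")
    seen.add((user, nonce_b64))
    return user
```

The digest form requires the server to hold the password itself, and in a
real service the nonce set needs entries evicted once they are older than
MAX_AGE.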