Re: web service architecture question


From: Jeffrey Hasan (jeff_at_noreply.com)
Date: 08/12/04


Date: Thu, 12 Aug 2004 16:44:10 -0700

Jon,

This level of work is unnecessary for several reasons, because today we have
more options for securing code than we used to. With Code Access Security
there is a lot that you can do to lock down code. In addition, why not focus
on securing the service interface? Take a look at the Web Services
Enhancements 2.0. It implements WS-Security, which gives you the benefits of
digital signatures and encryption on the Web service requests and responses.
It supports a variety of tokens so you can completely restrict who has
access to your service interface. Clearly, if your application code is so
sensitive, then I am assuming that you are equally concerned about who is
making service requests.

Jeffrey Hasan, MCSD
President, Bluestone Partners, Inc.
-----------------------------------------------
Author of: Expert SOA in C# Using WSE 2.0 (APress, 2004)
http://www.bluestonepartners.com/soa.aspx

"Jon Paugh" <anonymous@discussions.microsoft.com> wrote in message
news:374401c47eee$a5cda310$a501280a@phx.gbl...
> Hi All,
>
> Our customer wants us architecturally to have two
> physical servers - a web server box and an application
> server box. The web server will be exposed outside the
> firewall whereas the application server will only be
> accessible by the web server. Our web server will never
> access the database directly. Our web server will always
> go thru our application server to access the database.
> Our web server will use .NET remoting or web services to
> access the application server. So the benefit of these
> separate servers is supposed to be added security - the
> application tier is behind a second firewall and more
> secure than the web server. We have a physical separation
> between our GUI and application logic as well.
>
> So, the questions are:
>
> 1) This looks like a lot of work for us. Right now we
> have a web server that performs application logic and
> directly accesses the database. Is there any way to
> increase the security of our web server without
> separating out to a separate web server and application
> server? The security benefit is the only thing I see so
> far...
> 2) If we do separate into a separate application server
> and web server, should the web server use .NET remoting
> or web services to access the application server?
> 3) If we go with web services to access the application
> server, what types should we use in the web service
> proxy - the types generated by the proxy, or should we
> change the generated proxy to use the actual types from
> our application...? (This types question is the worst
> issue to me. We are using an ORM tool so we have pretty
> complex business objects and returning them thru
> serialization to our GUI would be a pain).
>
> Thanks,
>
> Jon Paugh


