.Net and Web Services Security
CS795
Web Services
• A web application
• Does not have a user interface (as a traditional web application); instead, it exposes a callable API, web methods, over the Internet
• Intended to serve other applications
• It runs on a web server; listens for HTTP requests for the methods
• The requests are transmitted from client to server in SOAP format (Simple Object Access Protocol). The results are sent back the same way.
XML Web Service - Foundations
• WSDL---Web Services Description Language---describes everything a client needs to know to interact with an XML web service
• HTTP---Hypertext Transfer Protocol---communication protocol used to send XML web service requests and responses over the Internet
• SOAP---Simple Object Access Protocol---encodes the information in XML web service messages
• UDDI---Universal Description, Discovery, and Integration---repository of XML web service links
Steps at server and client
At server:
1. Create a dedicated virtual directory to host the XML web services on the web server, using IIS.
2. Code the XML Web Service class using the [WebMethod] attribute for each method that is remotely callable.
3. Deploy the web services files to the virtual directory.
At client:
1. Find the web services.
2. Request the WSDL document that describes the XML web service.
3. Generate a proxy class based on the WSDL document (done automatically in .Net).
4. Client makes calls to the proxy. The proxy handles all the communication with the server. (The proxy is generated at development time. If the service changes, the proxy class must be regenerated manually.)
Role of IIS
• IIS (Internet Information Services) is the software that allows a computer to become a Web server
• localhost refers to the current computer
• It provides access to the web server through virtual directories
• Virtual directories don’t have the same permissions as normal directories
• It handles the local computer’s internet exposure
More ….
• Every .asmx file contains a reference to one XML Web service (with zero or more methods)
• A given virtual directory may contain any number of .asmx files
• A web server can contain any number of virtual directories
• Visual Studio .Net compiles all Web Services in an application into a single dll assembly.
Data Types Supported in Web Services
• Basic data types: int, float, bool, dates/time, strings, etc.
• Enumeration: Enum
• Arrays and collections: Arrays and simple collections of any supported type
• DataSet objects: They are returned as simple structures, which .Net clients can automatically convert to full DataSet objects. DataTable objects and DataRow objects are not supported.
• Custom objects: Any object created based on a custom class or structure may be passed.
Web Service Authentication
• Basic authentication
• Basic authentication over SSL
• Digest authentication
• Integrated Windows authentication
• Forms authentication
• Forms authentication over SSL
• Passport authentication
• Custom authentication
Forms Authentication in WS
• Some refer to this as custom authentication, since the consumer of the WS is not a physical user but a program; an HTML login page cannot be put up, as is usually the case
• Several things need to be set up for this task
Database setup
• Let us say the database is dotnetsecurity
• Create a new table “users” in the SQL database
• Attributes: MemberName (varchar (50)), MemberPassword (varchar(50)), any other attributes
FormsAuthentication Setup-web.config
<authentication mode="Forms">
  <forms loginUrl="xyz.asmx"   <!-- where the user will be redirected to -->
         name="xyzcookie"      <!-- name of the authentication cookie -->
         protection="All"      <!-- encryption + validation -->
         path="/"              <!-- path for the cookie -->
         timeout="5" />        <!-- length of time the cookie lasts, in minutes -->
</authentication>
<machineKey decryptionKey="…………" />
Since web services requiring high availability generally run on several servers, it is important that the decryption key for the authentication cookie is not machine specific (an auto-generated key differs per machine, so a cookie issued by one server would not validate on another). Use a key generator (say, one found via Google) to generate a key and place it above.
Authorization
• Deny all anonymous users
<authorization>
  <deny users="?" />
</authorization>
Xyz.asmx file
• Add a new web service to the project and name it xyz.asmx.
• Go to the top of xyz.asmx.cs and add
  • using System.Web.Security;
  • using System.Data.SqlClient;
• Write a new SignIn web method for forms authentication
SignIn method in xyz.asmx
[WebMethod(Description = "Verifies the user credentials")]
public bool SignIn(string sMemberName, string sMemberPassword)
{
    SqlConnection conn = new SqlConnection("server=localhost;….");
    conn.Open();
    // The credentials are passed as SQL parameters rather than pasted into
    // the query text, so the lookup works for any input value
    string sSQL = "SELECT MemberName, MemberPassword FROM users " +
                  "WHERE MemberName = @MemberName AND MemberPassword = @MemberPassword";
    SqlCommand cmd = new SqlCommand(sSQL, conn);
    cmd.Parameters.AddWithValue("@MemberName", sMemberName);
    cmd.Parameters.AddWithValue("@MemberPassword", sMemberPassword);
    // CloseConnection: closing the reader also closes the connection
    SqlDataReader Rdr = cmd.ExecuteReader(CommandBehavior.CloseConnection);
    if (Rdr.Read())
    {
        if (Rdr["MemberName"].ToString() == sMemberName &&
            Rdr["MemberPassword"].ToString() == sMemberPassword)
        {
            // username and persistent cookie
            FormsAuthentication.SetAuthCookie(sMemberName, true);
            Rdr.Close();
            return true;
        }
        Rdr.Close();
        return false;
    }
    Rdr.Close();
    return false;
}
Alternate: Custom SOAP Authentication
• SOAP headers are a convenient way to pass user credentials into a web service from a consumer application---the consumer application adds the info to SOAP headers and the web service retrieves them
• Thus, we don’t have to pass credentials as part of the parameters for every one of our WebMethods
SOAP Headers in a Web Service
• In web.config, set authentication mode = “None”
• Open the xyz.asmx file, which contains the web methods for our service, and add
  – using System.Web.Services.Protocols;
  – Define a new class called SOAPAuthHeader
public class SOAPAuthHeader : SoapHeader
{
    public string MemberName;
    public string MemberPassword;
}
• Add a SOAPAuthHeader field to the web service and apply the SoapHeader attribute to the web service method.
public class xyz : System.Web.Services.WebService
{
    public xyz()
    {
        // CODEGEN: Component Designer generated code
    }

    // The consumer's SOAPAuthHeader is deserialised into this field
    public SOAPAuthHeader sHeader;

• Now add another method called getCredentials; the WebMethod and SoapHeader attributes below apply to it
    [WebMethod(Description = "Verifies the user credentials.")]
    [SoapHeader("sHeader", Direction = SoapHeaderDirection.InOut, Required = true)]
    public string getCredentials()
    {
        if (sHeader.MemberName.Length > 0 && sHeader.MemberPassword.Length > 0)
        {
            if (SignIn(sHeader.MemberName, sHeader.MemberPassword) == true)
                return "Hello " + sHeader.MemberName;
            else
                return "SOAPAuthentication Failed";
        }
        else
            return "zero length";
    }

    private bool SignIn(string smembername, string smemberPassword)
    { … }
}
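An added example, not from the lecture, that shows both sides of the exchange the SOAP header sets up, in Python rather than C#: the consumer builds the envelope carrying a SOAPAuthHeader, and the service extracts the header and applies the same checks as getCredentials. The http://tempuri.org/ namespace (ASP.NET's default) and the contents of the users table are assumptions.

```python
import hmac
import xml.etree.ElementTree as ET

# Namespaces assumed for this example: the SOAP 1.1 envelope namespace and
# the default namespace ASP.NET gives a web service (http://tempuri.org/).
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://tempuri.org/"

# Constructed stand-in for the "users" table of the dotnetsecurity database;
# passwords are stored in clear, exactly as the lecture's table does.
USERS = {"alice": "s3cret"}


def build_request(member_name, member_password):
    """Consumer side: a getCredentials call carrying a SOAPAuthHeader."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    auth = ET.SubElement(hdr, f"{{{SVC_NS}}}SOAPAuthHeader")
    ET.SubElement(auth, f"{{{SVC_NS}}}MemberName").text = member_name
    ET.SubElement(auth, f"{{{SVC_NS}}}MemberPassword").text = member_password
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    ET.SubElement(body, f"{{{SVC_NS}}}getCredentials")
    return ET.tostring(env, encoding="unicode")


def sign_in(member_name, member_password):
    """Service side, mirroring the private SignIn: look the member up and
    compare the password in constant time."""
    stored = USERS.get(member_name)
    return stored is not None and hmac.compare_digest(
        stored.encode(), member_password.encode())


def get_credentials(request_xml):
    """Service side: what getCredentials does once the header is deserialised."""
    root = ET.fromstring(request_xml)
    auth = root.find(f"{{{SOAP_NS}}}Header/{{{SVC_NS}}}SOAPAuthHeader")
    if auth is None:
        # Required=true: ASP.NET rejects the call before the method runs
        return "SOAP header missing"
    name = auth.findtext(f"{{{SVC_NS}}}MemberName") or ""
    password = auth.findtext(f"{{{SVC_NS}}}MemberPassword") or ""
    if len(name) > 0 and len(password) > 0:
        if sign_in(name, password):
            return "Hello " + name
        return "SOAPAuthentication Failed"
    return "zero length"
```

Serialising a request shows the password travelling in clear inside the envelope, which is why the authentication list pairs this style of credential passing with SSL.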
Reference Links
• http://www.xml.com/pub/a/ws/2003/03/04/security.html?page=1
• http://www.rassoc.com/gregr/weblog/stories/2002/06/09/webServicesSecurity.html
• http://xml.coverpages.org/ws-security.html
• http://www.code-magazine.com/Article.aspx?quickid=0307071
• http://www.cgisecurity.com/ws/