.Net and Web Services Security CS795

Transcript of the slide deck (19 pages).

Page 1:

.Net and Web Services Security

CS795

Page 2:

Web Services

• A web application
• Does not have a user interface (as a traditional web application); instead, it exposes a callable API, web methods, over the Internet
• Intended to serve other applications
• It runs on a web server; listens for HTTP requests for the methods
• The requests are transmitted from client to server in SOAP (Simple Object Access Protocol) format. The results are sent back the same way

Page 3:

XML Web Service - Foundations

• WSDL---Web Services Description Language---describes everything a client needs to know to interact with an XML web service

• HTTP---Hypertext Transfer Protocol---Communication protocol used to send XML web service requests and responses over the Internet

• SOAP---Simple Object Access Protocol---encodes the information in XML Web service messages

• UDDI---Universal Description, Discovery, and Integration---repository of XML Web service links

Page 4:

Steps at server and client

At server:
1. Create a dedicated virtual directory to host the XML web services on the web server, using IIS.
2. Code the XML Web Service class using the [WebMethod] attribute for each method that is remotely callable.
3. Deploy the web services files to the virtual directory.

At client:
1. Find the web services.
2. Request the WSDL document that describes the XML web service.
3. Generate a proxy class based on the WSDL document (done automatically in .Net).
4. Client makes calls to the proxy. The proxy handles all the communication with the server. (The proxy is generated at development time. If the service changes, the proxy class must be regenerated manually.)

Page 5:

Role of IIS

• IIS (Internet Information Services) is the software that allows a computer to become a Web server

• localhost refers to the current computer
• It provides access to the web server through virtual directories
• Virtual directories don't have the same permissions as normal directories
• It handles the local computer's internet exposure

Page 6:

More ….

• Every .asmx file contains a reference to one XML Web service (with zero or more methods)

• A given virtual directory may contain any number of .asmx files

• A web server can contain any number of virtual directories

• Visual Studio .Net compiles all Web Services in an application into a single dll assembly.

Page 7:

Data Types Supported in Web Services

• Basic data types: int, float, bool, dates/time, strings, etc.

• Enumeration: Enum
• Arrays and collections: Arrays and simple collections of any supported type
• DataSet objects: They are returned as simple structures, which .Net clients can automatically convert to full DataSet objects. DataTable objects and DataRow objects are not supported.

• Custom objects: Any object created based on a custom class or structure may be passed.

Page 8:

Web Service Authentication

• Basic authentication
• Basic authentication over SSL
• Digest authentication
• Integrated Windows authentication
• Forms authentication
• Forms authentication over SSL
• Passport authentication
• Custom authentication

Page 9:

Forms Authentication in WS

• Some refer to this as custom authentication, since the consumer of the WS is not a physical user but a program; so an HTML login page can't be put up, as is usually the case

• Several things need to be set up for this task

Page 10:

Database setup

• Let us say the database is dotnetsecurity

• Create a new table “users” in the SQL database

• Attributes: MemberName (varchar (50)), MemberPassword (varchar(50)), any other attributes

Page 11:

FormsAuthentication Setup - web.config

<authentication mode="Forms">
  <!-- loginUrl:   where an unauthenticated user will be redirected to   -->
  <!-- name:       name of the authentication cookie                     -->
  <!-- protection: "All" = encryption + validation of the cookie         -->
  <!-- path:       path for the cookie                                   -->
  <!-- timeout:    length of time the cookie lasts, in minutes           -->
  <forms loginUrl="xyz.asmx"
         name="xyzcookie"
         protection="All"
         path="/"
         timeout="5" />
</authentication>

<!-- protection="All" both encrypts and validates the cookie, so the key material must be the same on every server -->
<machineKey decryptionKey="…………." />

Since web services requiring high availability generally run on several servers, it is important that the key used to decrypt (and validate) the authentication cookie is not machine-specific (an auto-generated key differs on each machine, so a cookie issued by one server would be rejected by another). Use a key generator (say, one found via Google) to generate a key and place it above.

Page 12:

Authorization

• Deny all anonymous users

<authorization>
  <deny users="?" />   <!-- "?" = anonymous (unauthenticated) users -->
</authorization>

Page 13:

Xyz.asmx file

• Add a new web service to the project and name it xyz.asmx.

• Go to the top of xyz.asmx.cs and add:
  using System.Web.Security;
  using System.Data.SqlClient;

• Write a new SignIn webmethod for forms authentication

Page 14:

SignIn method in xyz.asmx

[WebMethod(Description = "Verifies the user credentials")]
public bool SignIn(string sMemberName, string sMemberPassword)
{
    SqlConnection conn = new SqlConnection("server=localhost;….");
    conn.Open();
    // NOTE: the query is built by string concatenation, so both parameters are
    // injectable; a parameterized query (SqlParameter) avoids this.
    string sSQL = "SELECT MemberName, MemberPassword FROM users WHERE MemberName = '"
        + sMemberName + "' AND MemberPassword = '" + sMemberPassword + "'";
    SqlCommand cmd = new SqlCommand(sSQL, conn);
    // CloseConnection: the connection is released when the reader is closed
    SqlDataReader rdr = cmd.ExecuteReader(CommandBehavior.CloseConnection);
    if (rdr.Read())
    {
        // re-check that the returned row matches the supplied credentials exactly
        if (rdr["MemberName"].ToString() == sMemberName
            && rdr["MemberPassword"].ToString() == sMemberPassword)
        {
            FormsAuthentication.SetAuthCookie(sMemberName, true); // username and persistent cookie
            rdr.Close();
            return true;
        }
        rdr.Close();
        return false;
    }
    rdr.Close();
    return false;
}
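A hardened version of the same sign-in, added here as an example (it is not code from the deck): the query is parameterized so the caller's input can never become SQL text, and the cookie is issued as a session cookie. The connection string, the SignInSafe name and the service class wrapper are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;
using System.Web.Services;

public class xyz : WebService
{
    // Assumed connection string (the deck elides it); "dotnetsecurity" is the database from page 10.
    private const string ConnString =
        "server=localhost;database=dotnetsecurity;Integrated Security=SSPI";

    [WebMethod(Description = "Verifies the user credentials (parameterized query)")]
    public bool SignInSafe(string sMemberName, string sMemberPassword)
    {
        if (string.IsNullOrEmpty(sMemberName) || string.IsNullOrEmpty(sMemberPassword))
            return false;

        using (SqlConnection conn = new SqlConnection(ConnString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            // The SQL text is fixed; the name travels as a typed parameter, so quotes,
            // comment markers or keywords inside it are compared as data, never parsed as SQL.
            cmd.CommandText = "SELECT MemberPassword FROM users WHERE MemberName = @name";
            cmd.Parameters.Add("@name", SqlDbType.VarChar, 50).Value = sMemberName;

            conn.Open();
            object stored = cmd.ExecuteScalar();   // null when no such member exists
            if (stored == null || stored == DBNull.Value)
                return false;

            // The deck's users table stores MemberPassword as plain varchar(50); an ordinal
            // compare matches it exactly (hashing the stored value would be the next step).
            if (!string.Equals((string)stored, sMemberPassword, StringComparison.Ordinal))
                return false;
        }

        // Session cookie (createPersistentCookie = false): it expires with the
        // web.config timeout instead of surviving on the consumer's disk.
        FormsAuthentication.SetAuthCookie(sMemberName, false);
        return true;
    }
}
```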

Page 15:

Alternate: Custom SOAP Authentication

• SOAP headers are a convenient way to pass user credentials into a web service from a consumer application---the consumer application adds the info to SOAP headers and the web service retrieves them

• Thus, we don’t have to pass credentials as part of the parameters for every one of our WebMethods

Page 16:

SOAP Headers in a Web Service

• In web.config, set <authentication mode="None" />

• Open the xyz.asmx file, which contains the web methods for our service, and add:
  – using System.Web.Services.Protocols;
  – Define a new class called SOAPAuthHeader, derived from SoapHeader:

public class SOAPAuthHeader : SoapHeader
{
    public string MemberName;
    public string MemberPassword;
}

Page 17:

• Add a field of the SOAP header type to the web service and apply the SoapHeader attribute to the web service method.

public class xyz : System.Web.Services.WebService
{
    public xyz()
    {
        // CODEGEN: Component Designer generated code
    }

    public SOAPAuthHeader sHeader;

    [WebMethod(Description = "Verifies the user credentials.")]
    [SoapHeader("sHeader", Direction = SoapHeaderDirection.InOut, Required = true)]

Now add another method, getCredentials, directly beneath these attributes:

Page 18:

    public string getCredentials()
    {
        if (sHeader.MemberName.Length > 0 && sHeader.MemberPassword.Length > 0)
        {
            if (SignIn(sHeader.MemberName, sHeader.MemberPassword) == true)
                return "Hello " + sHeader.MemberName;
            else
                return "SOAPAuthentication Failed";
        }
        else
            return "zero length";
    }

    private bool SignIn(string smembername, string smemberPassword)
    { … }
}
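The consumer side of this exchange, added here as an example (not code from the deck): the client fills the SOAPAuthHeader on the WSDL-generated proxy, which then attaches it to every call. The proxy class name xyz, the SOAPAuthHeaderValue field (the name wsdl.exe / "Add Web Reference" generates for a header field named sHeader of type SOAPAuthHeader), the https endpoint and the tempuri.org namespace in the comment are assumptions.

```csharp
using System;
using System.Web.Services.Protocols;

public static class Consumer
{
    public static string CallWithHeader(string memberName, string memberPassword)
    {
        xyz proxy = new xyz();   // generated proxy for the xyz.asmx service

        // With <authentication mode="None" /> nothing in ASP.NET protects the header on the
        // wire: it is plain XML inside <soap:Header>, so only talk to the service over https.
        proxy.Url = "https://localhost/ws/xyz.asmx";   // assumed endpoint
        if (!proxy.Url.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("refusing to send credentials over plaintext HTTP");

        SOAPAuthHeader header = new SOAPAuthHeader();
        header.MemberName = memberName;
        header.MemberPassword = memberPassword;
        proxy.SOAPAuthHeaderValue = header;   // attached to every call made through this proxy

        // On the wire the request carries (namespace assumed to be the default tempuri.org):
        //   <soap:Header>
        //     <SOAPAuthHeader xmlns="http://tempuri.org/">
        //       <MemberName>alice</MemberName>
        //       <MemberPassword>...</MemberPassword>
        //     </SOAPAuthHeader>
        //   </soap:Header>
        // which is what a proxy or IDS would see if the call were made over plain http.
        try
        {
            return proxy.getCredentials();
        }
        catch (SoapHeaderException ex)
        {
            // Raised when the service rejects the header, e.g. the Required=true header is missing.
            return "header rejected: " + ex.Message;
        }
    }
}
```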

Page 19:

Reference Links

• http://www.xml.com/pub/a/ws/2003/03/04/security.html?page=1

• http://www.rassoc.com/gregr/weblog/stories/2002/06/09/webServicesSecurity.html

• http://xml.coverpages.org/ws-security.html

• http://www.code-magazine.com/Article.aspx?quickid=0307071

• http://www.cgisecurity.com/ws/