When we talk about XML Web Service, people most concerned is their security.
Is XML Web Service safe?
In view of the fact that safety involves many aspects (such as authentication and authorization, data privacy and integrity, etc.) However, please do not underestimate the Microsoft® XML Web Service. Today, you can take many steps to create secure XML Web Service.
To resolve the security issues of XML Web Service, we need to consider the following questions:
What kind of purpose is to achieve? - Only authorized users to access XML Web Service; prohibiting others from viewing messages without authorization. How to achieve expected results? - Network, transport layer, OS, service or application. What level interoperability is needed in the solution? - Partial or global.
So, how do we ensure today's XML Web Service security? The answer is: first answer the above questions, then apply the same technique used to protect any other web application, namely:
Protect connection safety authenticate and authorize interactive operations
As you will learn below, these technologies provide a variety of options, you can combine these options to get additional effects. For example, a firewall can be used with XML Web Service to restrict access to certain functions (methods) based on the client's identity and the corresponding rules established.
Let us first review the various options to protect the existing infrastructure to understand their features.
Safety of protecting infrastructure
A secure XML Web Service is a secure infrastructure. Microsoft provides a wide range of technologies if these technologies are combined with the overall safety programs, and companies can effectively protect their IT structures. The correct implementation planning process includes:
Learn more about potential environmental hazards (such as viruses, hackers and natural disasters). Pre-analyze the consequences of danger-related security vulnerabilities and formulate countermeasures. Based on this understanding and analysis, create a well-planned implementation strategy to apply security measures to all aspects of the corporate network.
Protect connection safety
The easiest way to protect XML Web Service security is to ensure connection security between XML Web Service clients and servers. According to the range of networks and interactive activities, we can achieve this with a variety of technologies. The three most popular three technologies are: Based on firewall rules, safety socket layers (SSL) and virtual private networks (VPNs).
If you know which computers need to access your XML Web Service, you can use the firewall rule to limit access to a computer range of known IP addresses. If you need to limit your access to your computer (such as company's LAN / WAN), you don't have to worry about keeping the message content as a secret (encrypted), then this technology is very useful. Firewall (such as Microsoft Internet Security and Acceleration [ISA] Server) provides advanced policy-based rules that provide different restrictions on different clients depending on the original location or identifier of the client. This technology is useful when different clients access different features (methods) on the same XML Web Service.
A secure socket layer can be used to establish a secure connection on a non-managed network (e.g., Internet). SSL can encrypt and decrypt messages sent between clients and servers. With encrypted data, you can prevent messages from being read during transmission. SSL first encrypts the client's message and transfer it to the server. After the server receives the message, SSL will decrypt it and verify that the message is from the correct sender (this process is called authentication). Servers or clients and servers may have certificates that provide authentication capabilities in part of the connection encrypted process as part of the authentication process. Although SSL is a very effective way to create secure communications, its performance cost should be considered. Microsoft XML Web Service supports both integrated SSL in the client, also supports integrated SSL in the server. The virtual private network is an extension of a private network, which can connect to the shared network or public network (such as an Internet). VPN allows you to send data between two secure connections. VPN is similar to SSL, but VPN is a long-term point-to-point connection. This allows VPN to be applied efficiently to XML Web Service, but requires long-term connection and keeps running to achieve this effect.
Authentication and authorization
Authentication: Authentication is the process of verifying the logo, that is, verifying whether someone (or something) is consistent with the person (or object) claimed. The person is known as "partner". Authentication requirements evidence, called "credentials". For example, a client application can use a password as credentials. If the client application provides the correct credentials, it is considered to be consistent with the claimed person.
Authorization: After completing the authentication of the partner identifier, it can be authorized. The server determines access to certain access control information (eg, access control list [ACL]) by checking the parties. The client may have different access levels. For example, some clients can fully access XML Web Service; and other clients can only access certain operations. Some clients can fully access all data, and some clients can only access data from the subset, and some clients can only read only read access.
A simple and direct way to implement authentication in XML Web Service is to use the identity verification function of the protocol used in the information exchange. For most XML Web services, this means using HTTP authentication. Use Microsoft Internet Information Server (IS) and ISA servers with Windows 2000 servers to provide integrated support for HTTP to provide multiple authentication mechanisms.
Basic Authentication - Using the client's non-secure or semi-security identifier, because the username and password are sent in Base64 encoded text, the text is easy to decode. If the credentials match the valid user account, IIS will grant the client to access the XML Web Service permission. Basic authentication on SSL - the same as basic authentication, the only difference is that the communication channel is encrypted, which protects the username and password. For the Internet solution, this is a good choice, but using SSL will have a big impact on performance. Brief authentication - use hash to transfer client credentials safely. However, this method may not be widely supported by developer tools used to build an XML Web Service client. If the credentials match the valid user account, IIS will grant the client to access the XML Web Service permission. Integrated Windows Authentication - Mainly used in the Intranet solution. Use NTLM or Kerberos. The client must belong to the domain where the server is located or belongs to the managed domain of the server domain. If the credentials match the valid user account, IIS will grant the client to access the XML Web Service permission. Client Certificate on SSL - Requires each client to get a certificate. The certificate is mapped to the user account, and IIS will use these certificates to authorize access to XML Web Service. Although the current digital certificate has not been widely used, this is still a feasible choice for the Internet program. This method may not be widely supported by developer tools for building an XML Web Service client. This method can only be used through an SSL connection, so performance may be a problem that needs to be considered. From the perspective of the XML Web Service implementer, there is a benefit using any of the above authentication mechanisms, that is, there is no need to make code changes in XML Web Service, because the IIS / ISA server will execute before calling XML Web Service. All authentication and ACL authorization checks. However, when performing the client, you also need to complete some other work. The client application needs to respond to the server's authentication credential request.
Other methods for authentication in XML Web Service include: using third-party services (such as services in Microsoft® .NET Passport), use Microsoft ASP.NET session feature, or create a custom authentication method.
Next: Interoperability
You may find that today, standard techniques for Web application security can be used singly or in combination to create secure XML Web Service. These technologies are based on rich experience and are very effective. However, they did not provide integrated solutions in the XML Web Service architecture. As the XML Web Service is increasingly complex (such as cross-hosting boundaries, and distributed in multiple systems or enterprises), XML Web Service implementers need to create custom solutions that are valid but do not provide universal interoperability.
In order to meet these needs and enhance the interoperability of XML Web Service, Microsoft and its partners are developing a set of safety specifications. This specification is based on the extended mechanism of SOAP specifications, providing enhanced security protection features integrated into the XML Web Service structure.
