Presenter: Mike Taulty
Here we'll take a look at how we can gain authentication, integrity and privacy features for SOAP messages with WSE 2.0 and WS-Security.
The following text is a software generated transcript of the video.
Minute 0
Hello and welcome to this .NET framework nugget session, one in a series of short sessions which you can find looking at how we can get stuff done with the .NET framework. My name is Mike Taulty, I work in the developer and platform group in Microsoft in the UK, and in this particular session we're going to look at how we can secure exchanges of SOAP messages using the Web Services Enhancements, the WSE 2.0 update. In this session we have to start with the whiteboard before we can go into the code. What WSE gives us is an implementation of WS-Security and, along with that, WS-Policy, and it has a number of different security features, really out there in three areas. One is around authentication; the way we authenticate ourselves is by sending some kind of security token across the network, so I send the service a security token. WS-Security also has certain features for in
Minute 1
integrity, which is digital signing, and it also has features for privacy of SOAP messages; privacy is essentially about digital encryption. In terms of the security tokens built into the box, WS-Security specifies three different kinds of tokens: we have username, we have Kerberos and we have X.509 certificate based, so three different ways that you can identify yourself. WSE supports all three of those, or you can build your own custom token, either by starting from scratch or by making use of something that is already available as a starting point. I'm going to use the username token for this particular session, but I have a caveat on what I say here, which is that Keith Brown has written a great article about the security of this particular kind of token, so go to your favourite search engine and type in MSDN username Keith Brown and have a look at this particular article around the username token, and
Minute 2
around what you would really have to do to get real security working with this token, because one way or another, even if it's just as a hash, it still does pass a form of the password across the network, and if you send plaintext over a clear network stream that's not particularly secure. OK, here we are in Visual Studio .NET 2003. I have a simple web service and a simple client application for it, both already enabled with WSE, so these are already using a WSE proxy. The web service is the one I have been using for most of these demos in the series: it essentially has one operation which gets an employee from Northwind, and the client is just a console application that calls that and prints it out to the console. So to secure this thing, initially what we can do is, if we look at the code of the web service, we could do perhaps at the point where someone
Minute 3
calls us, we could start to make sure that they identified themselves in some way. So one thing we could do is we can look into the request context, so RequestSoapContext.Current, and get hold of the security settings in there and all the tokens that have been passed to us, which is a security token collection, and accordingly what we could do is, well, if that collection has a zero count, then we could be explicit and throw an exception saying I'm not happy, and immediately reject it, to say that if the person isn't providing any security information whatsoever, then at this point, if we build that and run it, we'll naturally get an error saying that the service isn't happy at this point, and then to
Minute 4
try and make the service happy rather than not happy, on the client we can start to provide some security information from the client. So what we can do on the proxy here is we can get into its own request context and security section, and into that tokens collection we can add one of the security tokens that WSE supports. The question really is what kind of security token. The simplest thing to show programmatically, and bearing in mind the caveats I've already mentioned about Keith's article, is a username token, so I'll add a token and make it a username token, and you can see that this one, in its simplest form, is a username and password, along with a PasswordOption about how we pass that across the network. So in the first instance I'll say username is whatever, password is whatever, and I'll pass it across the network even as plain text, which of course isn't secure at all and is pretty bad. And if we build and run that, we'll see that
Minute 5
this is a different kind of exception from the server side. We sent the username and password to the service, and it's now saying that we're not authenticated or authorised. The reason why this is happening is that by default with the username token, WSE on the service is going to try and use that username and password to log in to Windows, and that is the behaviour of the username token manager. We can change that if we want to. I have a username token manager in an existing project in the solution, and I have this class, a token manager, which I'm just adding here; if we look at this very quickly, you can see we have built our own username token manager and we've overridden the way in which tokens are authenticated. It's very, very simple, not that we're securing stuff at all; what this does is it says that if the username is Mike, the password is secret. So we can configure this username token manager into the project and use that rather than the one that
Minute 6
WSE uses by default, and we do that by just swiping this configuration information; you can see that it is going into the security section, which details the token manager to be used for a particular kind of token. I'll go into the web service over here, go into its web.config here, and drop that in there. Now if we rebuild and rerun, then we should find we get a different error back from the service, because the password isn't matching at this point. So let's just go into the client and make the password match, and if I put secret there rather than password, we should find that this essentially works, as we've made our service call. And if we were to look at the trace messages, and look at the last trace of the message that went out of the client, you can see here that essentially we've put the WS-Security
Minute 7
information into the SOAP message, and you can see the not so secret password going across the network, which obviously is not secure. Now, on the service side at the moment all we do is just check that we have some security tokens whatsoever, but naturally if there was a username token or a Kerberos token coming across the network and it has been authenticated, then with that token, one of the things we could do, if we just pulled it out of this collection, which I'm not going to put the code in for right now, is notice that we can get hold of the Principal, which gives a standard .NET IPrincipal which we can use to work out who the person is, so their name, whether they're authenticated and so on, and also whether they're in particular security roles. So for Kerberos this is going to map down to Windows roles, and the username token by default will do the same thing, or naturally you can look across at your own implementation of the role management and you can use those to
Minute 8
make authorisation decisions. So having done a bit of authentication work that is going on now, you can start to say OK, this method can be called by administrators or bank managers or whatever, and that gives you authorisation as well. Going back on to the client side, we can use these tokens for other purposes, so a couple of the most important purposes: if we go back to the client here, I can easily use these tokens to sign and encrypt the data that goes across the wire, and in its simplest form it really is quite simply that. What we can do is go into the proxy, get its request context, security, and a section called Elements, and we can add things into that Elements collection, and this can hold any security element. One of the things we can do is a MessageSignature, and that wants a token, so if I give it this token again, I've just added a signature to the message, and similarly I can go ahead and add
Minute 9
to that a thing called EncryptedData, and again this is going to want a token from us, so we can add that in there. If we do this and rebuild, then the messages that are going from the client to the service at this point are now being encrypted and signed. OK, if we go to the trace again and have a look at that message that went from the client to the service, it's outlined here as the outgoing message, and within here essentially what we've got now is an EncryptedData element; we've also got within here some signature information, so there's a signature value and a lot of information about how this signature has been produced, in terms of canonicalising the XML in order to sign it and the methods used to produce the signature. Notice that we're still using the unsecured username token at this point, and all of this encryption
Minute 10
and signature is being based on that token itself. But we could, in the client application here, also make use of the Kerberos tokens. We could add a Kerberos token, and then essentially the constructor is vital to know which machine we're going to talk to, what we're hoping to do with the token we give it, whether it's to impersonate us or not, and then we can sign and encrypt with that security token in the same way; these things are somewhat interchangeable really. However, it is very unlikely that anyone would really ever sit down and write code that looks like this on the client side, or write code that looks like this on the server side, doing this kind of stuff on the service where we check for security tokens explicitly, and the reason for that is because WSE 2.0 has support for WS-Policy. Let's quickly switch what we are doing, so, without that code,
Minute 11
briefly, what we can do with policy is, if I go to the web service, go into the WSE settings and pick its policy, switch on policy and then replace the default policy with a new one. This leads me to a wizard which says, secure a service application, and what do you want to make happen? I want to say that I want signatures and encryption on incoming messages, and then it asks me how do I identify the client. Now, I would normally go with Kerberos at this point, that would be true in a Windows environment; however, I'm not on my domain as I'm recording this, so I'm going to go with username still, because we already have the infrastructure for that, and we can go and add users who have access to the service, and also a certificate for encrypting the request or signing the responses. So let's pick my server certificate there, and I'm done. What WSE is going to put in place for us is
Minute 12
a WSE XML file that describes the policy. It's shown in the dialogue; you don't really want to get into reading that too much, so I'll close that. If we rerun, what we should find is that the application is sending a message across that the service doesn't like, and what we get is a message saying that we've broken the policy: we're not sending something that is compliant with the policy that the service applies. So going across to the client, we can also give it a policy: right click on the client, go to its policy, switch it on, replace what's already there, and this time we're securing the client application. We want to encrypt requests, we're going to use username tokens, we'll skip the user stuff at the moment, and we need a certificate in order to do the encryption on the request, so let's go and pick that and we're finished. And now what will happen if we were to build and run this is that the client will then want to know which username token to put in the
Minute 13
message, because we haven't given it one, and in order to enforce that policy, what we've done is gone and added into a particular cache of security tokens a username token again. So that is it; we will do this once for this application, we wouldn't do it on every send of the message. So if we build and run, we should see that the message goes across to the service and comes back. And now if we look at the trace, we'll see from WSE that the application has sent a message, and that message sent across is again authenticated using a username token; it's still sending a hash of that password, so it's still not secure enough, go and look at Keith's article. We are still getting our encryption and signing in the same way as before, but we didn't have to go and write the code this time, so we changed that purely by building a policy on the client side and a policy on the service side, and it is much more pleasant and is much more likely to be
Minute 14
if you go down this route of building policies, as opposed to writing explicit code yourself. Now clearly what we've done here is used that username token; what we would use in the real world will perhaps be the Kerberos token, or maybe we would go ahead and use an X.509 certificate in order to authenticate ourselves to the back-end services as well, but we'd need some mechanism for mapping between the X.509 certificate and some kind of user identity on the back-end server; WSE won't magically do that mapping for you. So just to show you one more thing that I want to introduce very quickly: it is the idea that, going back to the policy, let's go back to the service, right click, go to its WSE settings and run that dialogue again and replace the policy with a new one, essentially the same as it had before. We're securing the service application; this time we're going to use a technology called secure conversation, which is documented in WS-SecureConversation. So I'll pick secure conversation, and the same as we did
Minute 15
before, I'll select the username token, we're still going to go and pick a certificate, and we're finished at that point. I will go and do the same thing on the client; on the client side now I'll replace that policy, we'll go and secure the client, secure conversation, username token, and go and pick the service certificate, and finished. What secure conversation is doing for us: if we look at this application, I've just done a build, and if we run it, we should see the same result; it should call the service and get a response back, and it does. If we look at this in the console, there's an interesting thing happening: the console application says it sent one message and received one message, and so does the service. So, well, what has happened with secure conversation is that the client isn't just sending one message. If we look in the trace, we'll see that the client sent
Minute 16
two outgoing messages, and naturally the service received two messages. One of them was sent and received by the code, and one of them was sent by WSE trying to make use of secure conversation. So the first message goes across to the service requesting a new kind of security token that it can use to continue a conversation with that service, and the thing is called a security context token, and somewhere in this big slab of XML that comes and goes across, there's the token that comes back to the client. So what is coming back from the service for that first message is a security context token, which the client gets back, and when it has got it back, the subsequent messages that it will send to the service will be encrypted and signed and so on using this token, as opposed to the original username
Minute 17
token. So when the client sends a second message to the service, it uses the security context token; so here it is, in fact it derives a key from it, but it uses the security context token to talk to the service as opposed to the original username token or Kerberos token or anything like that. So that's not, as it were, very clear from what we are doing; we just see one message. The idea is we have an initial chat to the service and it gives us a token that we can use to continue the rest of our chat, and the idea here is that we get a performance benefit, fundamentally, over continually telling the service who we are; we can once say who we are, get a token, and then we can have a whole conversation, many messages, with it using that one token, so the security context token, and as you see, with WSE it's just all built in for you, and you can see how easy it is to set up; we didn't have to do any great overheads to get that, it just comes out of WSE, for free, essentially.
Minute 18
OK, so let's finish with just a quick summary here. We've talked, essentially, about WSE and its implementation of WS-Security, WS-Policy and WS-SecureConversation in order to provide us with programming features and policy based features in securing SOAP messages. We looked at how we can provide tokens in a SOAP message in order to give authentication capabilities, and likely to build authorisation on top of that as well. Of course, we can also digitally sign and encrypt the message to give some integrity and some privacy. Finally, we looked at how we could use secure conversation and get that by just pointing and clicking, and get that performance win over what we were doing by exchanging tokens every single time we send a message. Where can you go to get more information about web services? Well, probably the best place to start would be the MSDN developer centre, that's just msdn.microsoft.com/webservices, all one word, and if you go there
Minute 19
there is a section on the left hand side called Understanding Web Services with some really great articles, and equally there's a whole bunch of lots of content in this area. And if there's something specifically in this session that you're not clear on, or you want more information on, then feel free to drop me a mail, my address at microsoft.com is there on screen; drop me a line and I'll drop you a response. Other than that, I look forward to seeing you next time. Thanks very much.
Thursday, July 24, 2008
Video: Securing Web Services with WSE2.0