Overview of Web Services Enhancements (WSE) 3.0 - PowerPoint PPT Presentation

1
Overview of Web Services Enhancements (WSE) 3.0
  • Name Jamie Hurley
  • Title Principal Consultant
  • Company NuSoft Solutions

2
.NET Web Services
  • ASMX is the Web service implementation in the
    .NET Framework
      • Supports basic profile for simple services
      • Doesn't implement WS-* specifications
  • WSE is an extension to the .NET Framework
      • Can be used to extend ASMX behavior
      • Provides support for several WS-* specs
      • Fully supported product with customer support
  • Indigo provides the next-generation
    implementation of Web services
      • Provides a unified programming model for WS-*,
        Messaging, Queuing, Transactions, etc.

3
WSE is Security
4
Secure Communication: Protocol-level security
Encrypted
Encrypted
  • Sender must trust intermediaries
  • Message decrypted at intermediaries
  • Encrypts the entire message
  • Restricts protocols that can be used

5
Secure Communication: End to End Security
  • End to end message security independent of
    transport
  • Supports multiple protocols and multiple
    encryption technologies
  • Can encrypt parts of the message
  • Sender need only trust ultimate receiver
  • The signature is stored with the data

6
WSE 3.0 Pillars
  • Build secure Web services easily
  • Simplified development of Service-Oriented
    systems using the WS-* protocols and the .NET
    Framework v2.0
  • WSE 3.0 combined with .NET Framework 2.0 puts you
    on the path to Indigo
  • Service-oriented programming model
  • Messaging based systems

7
Turnkey Security Scenario: Username Identity with
X509 Certificate
Internet
Intranet
Username/Password for Authentication
Confidential, signed request using a key
protected with the server certificate
Application Server
Authenticate username/ Password
Confidential, signed response using the supplied
key
8
Turnkey Security Scenarios
  • Security scenarios based on industry best
    practices
  • Each scenario is represented as a security
    assertion
      • UsernameOverX509Security
      • AnonymousOverX509Security
      • UsernameOverTransportSecurity
      • KerberosSecurity
      • MutualX509Security

9
Security Policy
Security is a deployment consideration
  • Policy
      • Only accept Username/Password for claim, signed
        and encrypted with server certificate
      • Only callers who are in the Manager role
  • Policy
      • Only accept Kerberos

10
Policy in WSE 3.0
  • Describes requirements for incoming and outgoing
    messages as a policy assertion
  • Makes security a deployment decision
  • Policy files are simplified
  • Simplifies security through the turnkey security
    assertions
  • New object model for policy
  • In WSE 3.0 policy can be specified via
    declarative configuration or in code:
      // Set the ClientPolicy onto the proxy
      serviceProxy.SetPolicy("ClientPolicy");

11
Policy Pipeline Architecture
Policy assertions transform the message
Policy describes an input pipeline and an output pipeline
[Diagram labels: Input SOAP Message; Security, Custom, Tracing;
Application Processing; Output SOAP Message; Security, Custom, Tracing]
12
Securing an ASMX Web Service with Policy and
Turnkey Security Assertions
13
VS2005 and .NET v2.0 Integration
  • Integrated tool support with Visual Studio 2005
  • Extend ASMX programming model
      • Alternative transports, e.g. TCP
      • Hosting environments, e.g. Console apps
  • Performance Improvements
      • Faster signing and XML processing
  • Messaging APIs remain
      • SoapClient, SoapService

14
Extend ASMX Programming Model
Example: ASMX Web Service that communicates over TCP, hosted in a
console application
    public class StockService : System.Web.Services.WebService
    {
        [WebMethod]
        public StockQuote StockQuoteRequest(string symbols)
        {
            // ... (method body not shown on the slide)
        }
    }

    static void Main(string[] args)
    {
        // Address the service over the soap.tcp transport
        Uri to = new Uri("soap.tcp://StockService/StockQuote");
        EndpointReference EPR = new EndpointReference(to);
        // Register StockService as the receiver for that endpoint
        SoapReceivers.Add(EPR, typeof(StockService));
    }
15
Calling an ASMX Web Service via TCP
16
Message Level Security for Large Amounts of Data
  • Message Transmission Optimization Mechanism
    (MTOM)
  • MTOM replaces DIME WS-Attachments support
  • Benefits
      • Composes with WS-Security to protect the data as
        well as the SOAP message
      • Simplified programming model
      • Wire level reduction in the size of the message

17
Message Level Security for Large Amounts of Data
  • A service is marked as supporting MTOM
  • Configuration setting indicates whether endpoint
    never, always or optionally supports MTOM
  • Any byte[] type over a threshold value is
    serialized as an MTOM attachment in the SOAP
    message
      [WebMethod]
      public byte[] GetFileAsBytes(string fileName)
      {
          return CreateFileAsBytesResponse(fileName);
      }

18
Sending Large Amounts of Data with MTOM
19
Secure Conversation Session
Request for SCT
SCT Issued to client
Multiple messages Signed and encrypted with SCT
Server
Client
20
Session Management
  • Stateful SCTs
      • WSE 2.0 required the service to maintain an SCT's
        state
      • In WSE 3.0 the state may be preserved with the
        SCT
      • Enables SCTs to re-establish conversations
  • SCT Cancellation
      • In WSE 2.0 SCTs have a timeout
      • WSE 3.0 provides the ability to cancel a session
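
The stateful-token and cancellation ideas on this slide, as an added sketch that is not part of the original deck and is not WSE code. All names (SERVICE_KEY, issue_sct, resume_sct, cancel_sct) are hypothetical, and an HMAC over the embedded state stands in for WSE's own token protection; the sketch authenticates the state but does not encrypt it.

```python
import base64, hashlib, hmac, json

SERVICE_KEY = b"constructed-demo-key"  # assumption: secret shared by every service node
CANCELLED = set()                      # hypothetical store of cancelled session ids

def _tag(payload: str) -> str:
    """Authentication tag binding the embedded state to the service key."""
    return hmac.new(SERVICE_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_sct(session_id: str, state: dict, ttl: float, now: float) -> str:
    """Stateful token: the conversation state travels inside the token."""
    body = json.dumps({"id": session_id, "exp": now + ttl, "state": state})
    payload = base64.urlsafe_b64encode(body.encode()).decode()
    return payload + "." + _tag(payload)

def _claims(token: str, now: float) -> dict:
    """Verify the tag first, then the timeout, then cancellation."""
    payload, _, tag = token.partition(".")
    if not hmac.compare_digest(_tag(payload).encode(), tag.encode()):
        raise ValueError("token altered or not issued by this service")
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if claims["id"] in CANCELLED:
        raise ValueError("session cancelled")
    return claims

def resume_sct(token: str, now: float) -> dict:
    """Any node holding SERVICE_KEY can re-establish the conversation
    from the token alone, without a per-session server-side record."""
    return _claims(token, now)["state"]

def cancel_sct(token: str, now: float) -> None:
    """Explicit cancellation ends the session before its timeout.
    Only a token that is still valid can be cancelled."""
    CANCELLED.add(_claims(token, now)["id"])

if __name__ == "__main__":
    # Constructed sample session, for illustration only.
    sct = issue_sct("s1", {"symbols": ["MSFT"]}, ttl=60, now=1000.0)
    print(resume_sct(sct, now=1010.0))   # state recovered from the token
    cancel_sct(sct, now=1020.0)
    try:
        resume_sct(sct, now=1030.0)
    except ValueError as err:
        print("rejected:", err)
```

In this sketch a self-contained token still needs a small server-side record of cancelled ids until the token expires; that is a property of the sketch, not a statement about how WSE 3.0 implements cancellation.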

21
WSE Futures Compatibility
  • WSE 2.0 will be available on .NET v2.0 but
      • Runtime only support, no design time support
      • 32 bit only
  • Breaking changes when moving to WSE 3.0
  • Side by side compatibility for all major versions
  • Interoperability with WSE 2.0 to WSE 3.0 or
    Indigo is not supported

22
WSE 3.0 - The Road to Indigo
  • Wire level interoperable with Indigo Beta 1
  • WSE 3.0 investment is maintained
  • Support for standard interoperable security
    scenarios
  • WSE turnkey security assertions Indigo
    security binding elements
  • WSE 3.0 runs side-by-side with Indigo
  • Upgrade guidance will be provided from WSE 3.0
    to Indigo

23
(No Transcript)
24
Turnkey Security Assertions
  • Scenarios based on industry best practices
  • UsernameOverX509
      • Client authenticates with username/password
      • Confidentiality provided by server certificate
  • AnonymousOverX509
      • Client is not authenticated by the server
      • Confidentiality provided by server certificate
  • UsernameOverTransport
      • Client authenticates with username/password
      • Confidentiality provided by transport (SSL)

25
Turnkey Security Assertions
  • Kerberos
      • Client and server authentication and
        confidentiality provided by Windows Key
        Distribution Center (KDC)
  • MutualX509
      • Client and server authenticate each other via
        certificates, which are used for confidentiality
      • Requires WS-Security 1.1 support
  • X509MutualAuthenticationProfile
      • Client and server authenticate each other via
        certificates, which are used for confidentiality
      • WS-Security 1.0 compliant