Configuring a Web Server to Support Secure SSL-Based Connections

Before a web server can support a secure connection, the web server must have software that implements the secure sockets layer (most web servers do) and the server must have a digital certificate. The digital certificate provides the public key that the server sends to the client; the client uses that key to encrypt the message that contains the session key. Website administrators obtain digital certificates for their sites from a Certificate Authority, such as VeriSign. As briefly discussed, before a Certificate Authority will provide a company with a web server certificate, the Certificate Authority will investigate and authenticate the company.

To help developers test their applications, VeriSign lets programmers download and install a temporary server certificate (one that is valid for only a few weeks). If your PC does not have a server certificate, you can download a temporary certificate from the VeriSign website that you can use to test the secure web services this chapter presents.

Depending on the operating system you are using, the steps you must perform to use a server certificate will differ. The VeriSign website provides detailed instructions for the steps you must perform to request the digital certificate and describes how to later install the certificate for use on your system.

Keep in Mind that SSL Protects the Exchange of Data Across the Network Only

When you use the secure sockets layer to create a secure connection between a client and server, SSL will encrypt the data that travels from the transport layer on the client side to the transport layer on the server and vice versa, as shown in Figure 9.19.

Figure 9.19: SSL encryption stops before data reaches the application.

Keep in mind that above the transport layer, the applications may need to take steps to protect the data. For example, assume you create a web service that performs credit-card-based e-commerce operations. To send the user’s credit-card information to the web service, your program would likely use an SSL connection. After the service receives the data, it would likely need to store information about the transaction within a database. The steps the web service (or remote server) performs to secure the data are critical. If the server simply places the data within a database, a hacker who gains access to the site might gain access to the credit-card data. Further, programmers and network administrators who have access to the site might also have access to the sensitive data.

In the preceding sections, you learned how public-key encryption works and about the processing the secure sockets layer performs. In the sections that follow, you will learn how to create secure connections between a client program and a web service. In addition, you will learn how to restrict access to a web service to only secure connections. That is, if a program tries to connect to the service across a connection that does not use SSL, methods within the service can detect the unsecure connection and not perform their processing.

Connecting to a Web Service Using a Secure Connection

To create a web service for use across an SSL connection, you do not need to do anything different from the steps you have used to create web services throughout this book. That’s because the web service sits above the SSL software. In other words, the code for a web service that uses an SSL-based connection is no different from the code for a web service that does not.

To better understand how a web service interacts with an SSL link, create the LinkType web service that provides the TestSSL method that returns the value true if the service is connected to an SSL link and false otherwise:

Boolean TestSSL()

To create the LinkType service, perform these steps:

  1. Within Visual Studio .NET, select the File menu New Project option. Visual Studio .NET will display the New Project dialog box.

  2. Within the New Project dialog box Project Types list, click Visual Basic Projects. Then, within the Templates field, click ASP.NET Web Service. Finally, within the Location field, specify the folder within which you want to store the program and the program name LinkType. Select OK. Visual Studio .NET will display a page onto which you can drag and drop the service’s components.

  3. Select the View menu Code option. Visual Studio .NET will display the program’s source code. Within the source code add the LinkType.asmx program statements as shown below.

    <WebMethod()> Public Function TestSSL() As Boolean
        ' Report whether the current request arrived over SSL (https://)
        If Context.Request.IsSecureConnection() Then
            TestSSL = True
        Else
            TestSSL = False
        End If
    End Function

  4. Select the Build menu Build Solution option to build the web service.

The TestSSL method uses the Context object to determine if the underlying communications link is secure. If so, the method returns true. Otherwise, the method returns false.

Using your browser, connect to the web service by specifying the URL http://localhost/LinkType/Service1.asmx. Click on the TestSSL link and then use the Invoke button shown in Figure 9.20 to call the method.

Figure 9.20: Calling the LinkType web service TestSSL method within a browser

Because you invoked the service using the http:// prefix, which is not secure, the TestSSL method will return the value false, as shown in Figure 9.21.

Figure 9.21: The http:// prefix creates an unsecure connection.

Then, invoke the service again, this time using the https:// prefix to create a secure link. In this case, the TestSSL method will return the value true, as shown in Figure 9.22. Note that when the server returns the method’s result, which the browser displays in a new window, the server also uses a secure (https://) connection.

Figure 9.22: The https:// prefix creates a secure connection.

Making an SSL Connection Mandatory for a Program to Use a Web Service

Normally, when you have a web service that works with sensitive data, you will want to restrict the service to run only when the client program (or user) has specified a secure connection. One way to enforce the requirement for an SSL connection is to direct IIS to require such a connection before it will grant access to the folder that contains the service, by performing these steps:

  1. Select the Start menu Settings option and choose Control Panel. Windows will open the Control Panel window.

  2. Within the Control Panel window, double-click the Administrative Tools icon. Windows will open the Administrative Tools window.

  3. Within the Administrative Tools window, double-click the Internet Services Manager icon. Windows will display the Internet Services Manager window.

  4. Within the Internet Services Manager window, select the website that contains the web service for which you want to require SSL operations. Click on the plus sign that precedes the website. The Internet Services Manager will display a list of folders on the corresponding website.

  5. Within the folder list, locate the folder that corresponds to the web service you desire. Right-click the folder and select Properties from the popup menu that appears. Windows will display the folder’s Properties dialog box.

  6. Within the folder’s Properties dialog box, select the Directory Security tab and then choose the Edit button, which appears near the bottom of the dialog box within the Secure Communications field. Windows will display the Secure Communications dialog box as shown in Figure 9.23.

    Figure 9.23: Using the Secure Communications dialog box to require an SSL connection for a web service

    Note 

    As discussed, you must have a server security certificate on your system before you can perform SSL operations.

  7. Within the Secure Communications dialog box, place a checkmark within the Require secure channel (SSL) check box and then choose OK. Continue to click OK to close the remaining dialog boxes.

If you use your browser to connect to a web service that requires an SSL connection, and you do not specify https://, you will encounter an error, as shown in Figure 9.24.

Figure 9.24: Trying to connect to a site that requires a secure connection without https will result in an error.

Second, you can use the Context object within a web service as follows to prevent a method from executing if the connection is not secure:

    If Context.Request.IsSecureConnection() Then
        ' Perform processing here
    Else
        Dim Ex As New Exception("Service requires SSL/https://")
        Throw Ex
    End If

As you can see, if the connection is not secure, the code will generate an exception. The SSLOnly web service in the SSLOnly.asmx.vb listing below uses the code within the SecureHello method. To create the SSLOnly web service, perform these steps:

  1. Within Visual Studio .NET, select the File menu New Project option. Visual Studio .NET will display the New Project dialog box.

  2. Within the New Project dialog box Project Types list, click Visual Basic Projects. Then, within the Templates field, click ASP.NET Web Service. Finally, within the Location field, specify the folder within which you want to store the program and the program name SSLOnly. Select OK. Visual Studio .NET will display a page onto which you can drag and drop the service’s components.

  3. Select the View menu Code option. Visual Studio .NET will display the program’s source code. Within the source code add the SSLOnly.asmx.vb program statements shown below.

    <WebMethod()> Public Function SecureHello() As String
        ' Answer only when the request arrived over SSL; otherwise raise an exception
        If Context.Request.IsSecureConnection() Then
            SecureHello = "Hello SSL World"
        Else
            Dim Ex As New Exception("Service requires SSL/https://")
            Throw Ex
        End If
    End Function

  4. Select the Build menu Build Solution option to build the web service.

Again, using your browser, you can test the service using both an http:// and https:// connection. If you connect to the service using an unsecure connection, the service will generate the exception, which will appear as an internal server error within your browser, as shown in Figure 9.25.

Figure 9.25: Connecting to the SSLOnly web service using an unsecure connection generates an exception.

Calling a Web Service Across an SSL Connection

Depending on how you integrate a web service, the steps you must perform will differ. To begin, if you have not yet added a web reference for the service, simply precede the web service’s WSDL reference with an https:// prefix within the Add Web Reference dialog box, as shown in Figure 9.26. Then build and run the application. The program will automatically use SSL to call the web service.

Figure 9.26: To create an SSL-based link to a web service, specify https:// when you reference the service’s WSDL.

For example, the C# program UseLinkType.cs in the listing below calls the LinkType web service TestSSL method that returns the value true or false based on whether or not the connection is secure. To create the program, perform these steps:

  1. Within Visual Studio .NET, select the File menu New Project option. Visual Studio .NET will display the New Project dialog box.

  2. Within the New Project dialog box Project Types list, click Visual C# Projects. Then, within the Templates field, click Windows Application. Within the Name and Location fields, type SendUsernameInfo. Select OK. Visual Studio .NET will display a form onto which you can drag and drop the program’s controls.

  3. Using the Toolbox, drag and drop the text box previously shown in Figure 9.4 onto the form.

  4. Select the Project menu Add Web Reference option. Visual Studio .NET will display the Add Web Reference dialog box.

  5. Within the Address field, type https://Localhost/LinkType/Service1.asmx?WSDL (note the https:// prefix) and press Enter. The dialog box will load the file’s contents. Click on the Add Reference button.

  6. Select the View menu Code option. Visual Studio .NET will display the program’s source code. Within the source code add the UseLinkType.cs program statements shown below.

    private void Form1_Load(object sender, System.EventArgs e)
    {
        // Proxy class generated from the https:// web reference
        localhost.Service1 WebObj = new localhost.Service1();
        try
        {
            if (WebObj.TestSSL())
                textBox1.Text = "Using an SSL-based secure connection";
            else
                textBox1.Text = "Using an unsecure connection";
        }
        catch (Exception Ex)
        {
            // Show connection or service errors in the text box
            textBox1.Text = Ex.Message;
        }
    }

When you run the program, your screen will display the output shown in Figure 9.27, which indicates that the program called the service using SSL.


Figure 9.27: Using a .NET program to connect to a web service over an SSL link

If you are rebuilding a program that already contains a web reference for a web service that you now want to call using SSL, you must edit the reference’s WSDL file, changing http:// prefixes in the reference to https://. For example, assume that you previously placed a web reference to the LinkType object using http:// to reference the web service’s WSDL statements. Within Visual Studio .NET, you can edit the WSDL file Visual Studio .NET added to the project when you previously added the web reference by performing these steps:

  1. Open the Solution Explorer window.

  2. Within the Solution window, locate the entry for the web service and expand the entry by clicking the plus sign.

  3. Double-click the service’s WSDL file. Visual Studio .NET will open the file for editing.

Scroll to the bottom of the WSDL file and locate the URLs that correspond to the service methods. Then, change each of the method URLs to use the https:// prefix, as shown in Figure 9.28. Next, you must perform similar steps to use Visual Studio .NET to edit an entry within the web service’s Reference.map file.

Figure 9.28: Editing URL entries within a WSDL file to specify an https:// prefix

Note 

Rather than editing the service’s WSDL and map files, many programmers find it easier to delete the current reference to the web service from the program and then add a new web reference that uses the https:// prefix to specify the service’s WSDL.
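
A check for the hand edit described above, as an added example that is not from the book: this Python script lists every absolute URL in a WSDL or Reference.map file that does not use https://, so a missed entry is caught before the program is rebuilt. Both sample documents are constructed, and the Reference.map element and attribute names are assumed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: tail of a web reference's WSDL file in which one port
# was edited to https:// and another was missed.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:http="http://schemas.xmlsoap.org/wsdl/http/">
  <binding name="Service1HttpGet" type="Service1HttpGet">
    <operation name="TestSSL"><http:operation location="/TestSSL" /></operation>
  </binding>
  <service name="Service1">
    <port name="Service1Soap" binding="Service1Soap">
      <soap:address location="https://localhost/LinkType/Service1.asmx" />
    </port>
    <port name="Service1HttpGet" binding="Service1HttpGet">
      <http:address location="http://localhost/LinkType/Service1.asmx" />
    </port>
  </service>
</definitions>"""

# Constructed sample: a Reference.map entry still pointing at http://
# (element and attribute names are assumed, not taken from the page).
SAMPLE_MAP = """<DiscoveryClientResultsFile><Results>
  <DiscoveryClientResult url="http://localhost/LinkType/Service1.asmx?WSDL"
                         filename="Service1.wsdl" />
</Results></DiscoveryClientResultsFile>"""

URL_ATTRS = ("location", "url")  # attributes that carry endpoint URLs


def insecure_endpoints(xml_text):
    """Return (element, attribute, url) for each absolute non-https URL."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip the {namespace} prefix
        for attr in URL_ATTRS:
            scheme = urlsplit(elem.get(attr, "")).scheme.lower()
            # Relative locations such as "/TestSSL" have no scheme; skip them.
            if scheme and scheme != "https":
                findings.append((tag, attr, elem.get(attr)))
    return findings


if __name__ == "__main__":
    for name, text in (("Service1.wsdl", SAMPLE_WSDL), ("Reference.map", SAMPLE_MAP)):
        for tag, attr, url in insecure_endpoints(text):
            print(f"{name}: <{tag} {attr}> still uses {url}")
```

Namespace declarations such as xmlns:soap are not reported, because the XML parser does not expose them as ordinary attributes.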




.NET Web Services Solutions
ISBN: 0782141722
EAN: 2147483647
Year: 2005
Pages: 161
Authors: Kris Jamsa
