1. | You have developed an XML Web service that requires a shared assembly to be installed into the global assembly cache (GAC). You need to create a technique for the Web service to be installed on your customers’ web servers. Which one of the following methods is most suited for this type of deployment?
2. | You are the developer of a simple XML Web service that returns weather information to its consumers. You have created the XML Web service by using Visual Studio .NET. The Visual Studio .NET solution is named myWeather, and the Web service project is named weatherService. What should you do to create a setup program for the weatherService Web service?
3. | You are the developer of several XML Web services that your company exposes for its customers. You would like your customers to be able to see all of the public XML Web services that you offer. Some of your customers will be using Visual Studio .NET, and others might be using Java and other tools to consume your services. Which of the following files should you create?
4. | You are the lead developer of your company’s XML Web services. You would like to publish the services into a UDDI registry, but first you must create the appropriate XML document to send to the registry. In which element will you specify information about your company?
5. | You are developing an XML Web service that will require its consumers to authenticate over the Internet. You want to use your existing Windows infrastructure, so you have chosen to use Windows authentication. Many of your clients use their Internet browser to invoke the service. What type of authentication would you configure to allow for the highest amount of compatibility across browsers and through corporate firewalls, yet still verify who is and isn’t allowed to access the service?
6. | You have developed an internal XML Web service, named enterTime, that is used by employees of your company to enter their billable time. Your company uses Windows 2000 Active Directory to authenticate its users throughout the LAN. The enterTime Web service will be used only by employees who are locally attached to the corporate LAN. Which of the following elements would you put into the web.config file of your web application to achieve the highest level of security?
7. | You are the lead developer of an XML Web service that calculates estimated shipping time between two locations. This service is designed to be used only by active customers. You want to implement your own custom authentication by using Microsoft SQL Server. You have decided to pass the credentials in custom SOAP headers and have set the authentication mode to None in the web.config file. What additional task must you perform to validate the credentials that are passed with the WebMethod call?
8. | You are the developer of an XML Web service that is restricted and allows only employees of your company to access it. The service is configured for Windows authentication. What is the fastest way to prevent a specific group from accessing the service1.asmx file?
9. | The following XML content is located in the web.config file:
    <location path="weatherService.asmx">
      <system.web>
        <authorization>
          <deny users="?" roles="Guests, Consultants" />
          <allow users="Thatcher, Tami, Rena" roles="Employees" />
        </authorization>
      </system.web>
    </location>

Joe, Steve, and Jane are members of the Employees role. Thomas and Rena are members of the Consultants role. Which of the following users are allowed to invoke the Web service? (Choose all that apply.)
10. | You create an XML Web service named getRecipe. You need to make sure that the service meets the following URL authorization requirements:
You have configured IIS to meet these requirements. Which of the following code segments should you put in the application’s web.config file?
11. | You are creating an XML Web service that returns highly secure data to the Web service consumer. You create a class that derives from the SoapExtension class. Which method should you override in order to intercept the serialization process?
12. | You are the developer of an XML Web service that processes credit card transactions for various e-commerce websites. You need to make sure that the credit card number that is transferred to your service is secure. The websites that use your service also want to make sure that they are transmitting the information only to your site. Which of the following technologies should you use to prevent the data from being intercepted on the Internet while requiring the least amount of developer effort?
13. | You have created a new XML Web service named Prices that exposes a Web method named getBestPrice that you would like to publish to a UDDI registry. You have already created <businessEntity> and <tModel> information, but you still need to provide an entry point for your service. Which of the following URLs would you use?
14. | In order to allow an XML Web service consumer to specify the network credentials to pass into a Web service call, what property of the proxy object would you set to a NetworkCredential instance?
15. | You are the developer of an XML Web service that accepts credit card information over the Internet. In certain circumstances a browser is used as the client, and you want to prevent a consumer from sending the credit information by appending it to the URL of the Web service. Which of the following XML segments should be assigned for this service?
Answers
1. | B Because of the requirement to install an assembly in the global assembly cache, you cannot use XCOPY, or zero-impact, deployment. A discovery document and UDDI are used for locating and consuming XML Web services, not for installing/hosting them. You must create a setup program that installs the service and the assembly. |
2. | C The Package And Deployment Wizard was used to create installer packages for previous versions of Visual Studio. The Web Setup project cannot be added to another project; it can be added only to a solution that contains the project for which you are creating the setup program. Therefore, the third answer is the only possible correct answer. |
3. | B The standard should be a .disco file conforming to the xmlsoap.org standard. A .vsdisco file is a proprietary Visual Studio .NET discovery file and doesn’t follow the standards that non–Visual Studio .NET consumers would be looking for. An HTML file might be useful to provide more information about your services, but it isn’t a standard or a part of discovery. The .asmx file is the actual service, not the discovery information regarding it. |
4. | A The <businessEntity> element is used to describe the responsible party for the service in the UDDI registry. The <businessService> element describes the service, the <bindingTemplate> element describes the technical details of the service, and the <tModel> element specifies which standards the service meets. |
5. | A Basic authentication is compatible with most Web browsers, even though it transmits the passwords in clear text. Digest authentication is supported only by Internet Explorer 5 and above, and Integrated Windows authentication cannot pass natively through corporate firewalls. Configuring anonymous authentication prevents the service from verifying who is who. |
6. | D Windows authentication will provide the highest level of security for this scenario. Forms and Passport authentication are not currently designed for XML Web services, nor are they as secure as Windows authentication. Configuring the authentication mode to None would require that you implement a custom authentication mechanism, which is needed given this scenario. |
7. | B If you are implementing custom authentication, you must write the code that verifies the credentials that the consumer supplies. There is no need, in this scenario, to create users in Active Directory. NTFS permissions aren’t required because you are implementing custom authentication. |
8. | A Given the scenario and the list of options, the best answer is using file-based authentication (NTFS file security). The second answer would work but it would require more time to configure than the first answer. In addition, the second answer would require the service to be recompiled each time that the roles that are allowed to access the service are changed. There is no <allowed> element that is recognized in the web.config file. Finally, anonymous access does nothing to restrict access to individual services. |
9. | A, B, E Thomas and Rena are denied access through their membership in the Consultants role. Because Rena’s <deny> element is encountered before her <allow> element, she will be denied. |
10. | B The elements are validated one by one. First, you must deny anonymous users: <deny users="?" />. Next, deny tAnderson: <deny users="tAnderson" />. Finally, allow the Cooks role: <allow roles="Cooks" />. The first answer is incorrect because it allows all users in first. The third answer is formatted incorrectly. The last answer allows all users before denying anonymous users and would allow tAnderson to invoke the service. |
11. | A You should override the extension’s ProcessMessage method. The SoapExtension class does not have a ProcessSerialization method. BeforeSerialize and AfterSerialize are SoapMessageStage values, not methods. |
12. | C Using Secure Sockets Layer (SSL) over HTTPS provides encryption of all the data, as well as a certificate authority (CA) verifying that the service is who it claims to be. A custom SOAP extension will not verify that the data is being sent to where it is intended; a third party must guarantee that. Custom SOAP headers don’t provide any type of encryption alone. |
13. | B The extension .asmx must be specified in the entry point. The third answer is incorrect, because it is referencing the Web method and should specify the value that it is passing: Prices.asmx?getBestPrice=1234. The last answer is incorrect because the WSDL document is not necessary for an entry point. |
14. | A The Credentials property of the proxy object is the one you should set; its value is passed to the service. There isn’t an AuthInfo, Identity, or Principal property for all proxy instances. |
15. | B To prevent anyone from being able to send data to the service by appending it to the URL, you must prevent them from using an HTTP GET when requesting your service. The * is used to represent all users, and the ? represents only anonymous users. To prevent all users, you must deny everyone the ability to use the GET verb. |
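
The first-match rule evaluation that answers 9 and 10 rely on, as an added example that is not part of the original page: a simplified Python model of ASP.NET URL authorization run against the question 9 rules. The `is_authorized` helper, the `inherited_allow` parameter (standing in for the allow-all rule inherited from the machine-level configuration) and the reordered rule set are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Rules from question 9, copied from the page.
Q9_RULES = """
<authorization>
  <deny users="?" roles="Guests, Consultants" />
  <allow users="Thatcher, Tami, Rena" roles="Employees" />
</authorization>
"""

# Constructed variant: same two rules with <allow> listed first.
REORDERED_RULES = """
<authorization>
  <allow users="Thatcher, Tami, Rena" roles="Employees" />
  <deny users="?" roles="Guests, Consultants" />
</authorization>
"""

def _names(value):
    """Split a comma-separated users/roles attribute into a set."""
    return {v.strip() for v in (value or "").split(",") if v.strip()}

def is_authorized(rules_xml, user, roles=(), inherited_allow=True):
    """Return the verdict of the first rule that matches the caller.

    user=None models an anonymous request. A rule matches when the caller
    is named in users ("*" = everyone, "?" = anonymous) OR holds a listed
    role. If no rule matches, the inherited default applies (assumption:
    modeled here as a single boolean).
    """
    role_set = set(roles)
    for rule in ET.fromstring(rules_xml):
        users = _names(rule.get("users"))
        matched = (
            "*" in users
            or ("?" in users and user is None)
            or (user is not None and user in users)
            or bool(role_set & _names(rule.get("roles")))
        )
        if matched:
            return rule.tag == "allow"
    return inherited_allow

def evaluate(rules_xml):
    """Evaluate the role memberships stated in question 9."""
    people = {"Joe": ["Employees"], "Steve": ["Employees"],
              "Jane": ["Employees"], "Thomas": ["Consultants"],
              "Rena": ["Consultants"]}
    return {name: is_authorized(rules_xml, name, r) for name, r in people.items()}
```

With the rules in the page's order Rena is denied by her Consultants role before her user entry is reached; with the constructed reordering the same two rules let her in, which is why deny rules are reviewed for position as well as content.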