Chapter 11: Securing XML and Web Services


Overview

  • Developing Secure Web Services

  • Understanding the System.Security.Cryptography.Xml Namespace

  • Working with the Global XML Architecture (GXA)

  • Developing Applications with WS-Security

  • Using the eXtensible Access Control Markup Language (XACML)

  • Developing Applications with the Visual Studio .NET Passport Features

  • Adding XML Digital Signatures to an Application

  • Developing a Web Service Application Using COM+ 1.5

Web services hold a lot of promise for businesses. Because Web services use standardized ports (typically the same HTTP ports a firewall already leaves open), standards-based communication protocols, and plain text for content, they can cross boundaries thought unassailable by developers using older technologies such as DCOM and CORBA. However, the very strengths that make Web services technologies such as SOAP so interoperable also cause significant security problems. Do you really want to transmit secret information in a text-based SOAP message that anyone on the network path can read? This chapter demonstrates that Web services are inherently less secure than other technologies you use. However, the chapter also discusses strategies you can use to reduce the security problems and address the necessary monitoring requirements.

Part of the strategy for protecting your Web services investment is to use standardized security approaches. The .NET-specific approach is the System.Security.Cryptography.Xml namespace, which implements the W3C XML Signature standard for signing and verifying XML. In a larger sense, you also need to consider generalized Microsoft technologies such as those found in GXA (Global XML Architecture). It’s also important to consider using industry standards such as WS-Security and XACML.

Web services don’t focus on just corporate data. As users begin interacting with your applications, you also need to consider the issue of privacy and personal data management. When you lose a piece of corporate data, the consequences can be dire, but they’re normally limited to your company and perhaps corporate partners. Personal data management incurs an additional level of burden that could cause problems well beyond simple data loss. Passport and the Liberty Alliance Project are two of several promising technologies for personal information management. Although the chapter discusses the Microsoft-supported Passport extensively because support for this technology appears in the .NET Framework, both technologies are valuable to a company that needs to manage personal information.

The next section of the chapter discusses XML digital signatures. Web services suffer from a lack of sender authentication as well as a lack of confidentiality. You don’t really know that a SOAP message comes from a specific source unless the message itself is signed with a digital signature. This section of the chapter shows how to add a digital signature so that consumers of your Web service can verify that a message actually comes from your company and not from a cracker.
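The following is an added example, not code from the book, that shows the core of what the two preceding paragraphs describe: signing an XML message with an enveloped XML Signature through the System.Security.Cryptography.Xml namespace, then verifying it on the receiving side. The message content, the urn:example:orders namespace and the class and method names are assumptions made for the example. It also shows the two checks a receiver should make that the paragraph does not spell out: verify against a key you already trust rather than the key carried inside the message, and confirm that the signature covers the whole document.

```csharp
// Added example (not from the book): sign an XML message with an enveloped
// XML Signature and verify it against a key the receiver already trusts,
// using System.Security.Cryptography.Xml.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class XmlSigningDemo
{
    // Constructed sample message; the namespace and element names are illustrative only.
    const string OrderNs = "urn:example:orders";
    const string SampleXml =
        "<Order xmlns=\"" + OrderNs + "\"><Item>Widget</Item><Quantity>5</Quantity></Order>";

    // Sign the whole document (Reference URI "") with an enveloped signature,
    // so the <Signature> element can live inside the document it signs.
    public static XmlDocument Sign(string xml, RSA signingKey)
    {
        XmlDocument doc = new XmlDocument();
        doc.PreserveWhitespace = true;   // whitespace is part of what gets canonicalized
        doc.LoadXml(xml);

        SignedXml signedXml = new SignedXml(doc);
        signedXml.SigningKey = signingKey;

        Reference reference = new Reference();
        reference.Uri = "";              // empty URI means the entire document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);

        // Embedding the public key tells the receiver who claims to have signed.
        // It must NOT be the key the receiver uses to verify.
        KeyInfo keyInfo = new KeyInfo();
        keyInfo.AddClause(new RSAKeyValue(signingKey));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();
        XmlElement sig = signedXml.GetXml();
        doc.DocumentElement.AppendChild(doc.ImportNode(sig, true));
        return doc;
    }

    // Verify with a key obtained out of band (configuration, a trusted
    // certificate store), never with the key carried in the message's KeyInfo.
    public static bool Verify(XmlDocument doc, RSA trustedKey)
    {
        XmlNodeList sigs = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigs.Count != 1)
            return false;                // zero or several signatures: reject

        SignedXml signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)sigs[0]);

        // Make sure the signature covers the whole document, not just some
        // harmless fragment the sender chose to sign.
        foreach (Reference r in signedXml.SignedInfo.References)
            if (r.Uri != "")
                return false;

        return signedXml.CheckSignature(trustedKey);
    }

    public static void Main()
    {
        using (RSA senderKey = new RSACryptoServiceProvider(2048))
        using (RSA attackerKey = new RSACryptoServiceProvider(2048))
        {
            XmlDocument signed = Sign(SampleXml, senderKey);
            Console.WriteLine("genuine message verifies: " + Verify(signed, senderKey));

            // Tamper with signed content after signing: verification must fail.
            signed.GetElementsByTagName("Quantity", OrderNs)[0].InnerText = "500";
            Console.WriteLine("tampered message verifies: " + Verify(signed, senderKey));

            // A message signed with someone else's key fails against the trusted
            // key, even though its own embedded KeyInfo would validate it.
            XmlDocument forged = Sign(SampleXml, attackerKey);
            Console.WriteLine("forged message verifies against trusted key: " + Verify(forged, senderKey));
        }
    }
}
```

The design choice worth noting is in Verify: calling CheckSignature() with no argument makes SignedXml pick up whatever key the message carries in KeyInfo, so a forged message that embeds the forger's own public key would validate. Passing the trusted key, and insisting that the single Reference has an empty URI, closes that gap and the related trick of signing only an unimportant element while the real payload sits unsigned beside it.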

The final section discusses a special feature of COM+ 1.5. You can actually create a Web service application by checking a few simple options. Of course, developing a Web service application using this technique leaves all kinds of questions unanswered, such as whether the process is even safe.

Note

This chapter assumes that you already know how to work with Web services and want to learn techniques for creating a secure environment. You can learn more about using Web services with the .NET Framework from .NET Web Services Solutions (Sybex, 2003) by Kris Jamsa, which provides code examples in both VB.NET and C#, and my book Visual C# .NET Developer’s Handbook (Sybex, 2002), which discusses both desktop and mobile device development strategies for .NET. If you want a complete overview of SOAP, including SOAP products from various vendors and SOAP testing strategies, my book Special Edition Using SOAP (Que, 2001) can help you. This book doesn’t offer .NET-specific information, but is still very useful for the other insights it provides. For example, it tells you how to overcome compatibility problems between the Microsoft implementation of SOAP and the implementation provided by Apache.




.NET Development Security Solutions
ISBN: 0782142664
Year: 2003
Pages: 168
