Implementing Web Service Security

Cross-Platform Web Server Security

Authentication-based security does not work the same way under the Apache Web server as it does under IIS. This creates a problem for the developer who supports Web Service security across multiple platforms. What if you need to support authentication-based security for both Java and C#? The trick is to have one service proxy the request to another behind the firewall, or to have the two servers communicate directly with each other over HTTPS.

In this scenario, you may have a large implementation of Java Web Services up and running, but you need to support authentication under .NET. Although the security schemes for IIS and Apache are largely incompatible, you can still support this by setting up a server running .NET and IIS and then using its authentication system to protect requests to your Java Web Services: .NET calls these services once IIS authenticates the request. This may also be useful if the enterprise has Java-based Web Services running somewhere behind the firewall but the Web team only supports Microsoft products. Figure 10.15 shows the .NET Web Service proxying requests behind a firewall to Java Web Services running in an enterprise setting. Notice that by having a server in the DMZ, the firewall determines where requests go and which servers machines have access to. Figure 10.16 shows two Web servers operating within the Demilitarized Zone (DMZ) and proxying requests to each other based on the system (.NET or Java) calling the objects.

Figure 10.15: A .NET Web Services implementation proxying requests to a Java Web Services implementation behind the firewall.

Figure 10.16: IIS and Apache Web servers sitting in the DMZ proxying requests to one another depending on the consumer who makes the request.

The following code snippet is from a .NET Web Service that calls a Java Web Service that comes with the Apache Axis distribution. With Axis’ ability to create WSDL that is compatible with .NET, creating a C# Web Service that calls an Axis Web Service is very easy. Once the Web Service is written, configure IIS as shown earlier in the chapter by choosing either Windows Integrated Login or Basic Authentication. When you try to preview the Web Service through the browser, a dialogue box pops up and asks you for a username and password.

    [WebMethod(Description="This method gets a stock symbol, passes it to a java ws and returns the value")]
    public float getDelayedQuote(String symbol)
    {
        float myValue;
        // homer.ApacheDemoStockQuote is the proxy class generated from the Axis WSDL
        homer.ApacheDemoStockQuote myDemoStockQuote = new homer.ApacheDemoStockQuote();
        // Forward the symbol to the Java Web Service and return its answer
        myValue = myDemoStockQuote.getQuote(symbol);
        return myValue;
    }

The previous snippet is typical of the other C# Web Services shown in the book except, instead of performing a function, it sends a request to a Java Web Service and returns the response. Note that the Web Service could call another .NET Web Service as well.
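A hardened variant of the proxy method above, as an added example that is not code from the book: it fails closed if IIS let an anonymous request through, validates the symbol before forwarding it, and refuses to call a backend whose URL is not HTTPS. The class name, the symbol format and the timeout value are assumptions; `homer.ApacheDemoStockQuote` is the generated proxy class from the snippet above.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web.Services;
using System.Web.Services.Protocols;

// Added example, not from the book. homer.ApacheDemoStockQuote is the
// web-reference proxy used in the page's snippet; the class name, the
// symbol format and the 10-second timeout are assumptions.
public class HardenedStockProxy : WebService
{
    // Assumed symbol format: 1 to 6 upper-case letters, digits or dots.
    private static readonly Regex SymbolPattern =
        new Regex(@"\A[A-Z0-9.]{1,6}\z", RegexOptions.CultureInvariant);

    [WebMethod(Description = "Checks the caller and the symbol, then forwards to the Java service")]
    public float getDelayedQuote(string symbol)
    {
        // IIS should already have rejected anonymous callers; fail closed if
        // the virtual directory was left open to anonymous access.
        if (User == null || !User.Identity.IsAuthenticated)
            throw new SoapException("Authentication required.", SoapException.ClientFaultCode);

        // Only forward input that matches the expected shape.
        if (symbol == null || !SymbolPattern.IsMatch(symbol))
            throw new SoapException("Invalid stock symbol.", SoapException.ClientFaultCode);

        using (homer.ApacheDemoStockQuote backend = new homer.ApacheDemoStockQuote())
        {
            // Refuse to forward the request over plain HTTP.
            Uri target = new Uri(backend.Url);
            if (target.Scheme != Uri.UriSchemeHttps)
                throw new SoapException("Backend endpoint is not HTTPS.", SoapException.ServerFaultCode);

            backend.Timeout = 10000; // milliseconds
            try
            {
                return backend.getQuote(symbol);
            }
            catch (Exception)
            {
                // Do not relay backend stack traces or host names to the caller.
                throw new SoapException("Quote service unavailable.", SoapException.ServerFaultCode);
            }
        }
    }
}
```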


For proxying to work effectively, the two systems need to be somewhat close to each other or at least connected by a 100-megabit network. If any Internet tunneling occurs or a system connects through a T-1 connection, the proxying of Web Service requests will be very slow.

The following snippet is from a consumer written in C#. Notice that the code sits in the method button1_Click, which indicates that it comes from a GUI-based application.

Right before the code makes the first method call, it creates the authentication credentials. So the consumer calls one Web Service with the appropriate credentials and the responding service then sends the request to the Java Web Service.

    private void button1_Click(object sender, System.EventArgs e)
    {
        float returnValue;
        NetId.StockProxyService callProxy = new NetId.StockProxyService();
        // Credentials that IIS checks before the proxy service runs
        callProxy.Credentials = new System.Net.NetworkCredential("Some User", "password");
        // "IBM" is an example symbol (assumed; the original call passed no argument)
        returnValue = callProxy.getDelayedQuote("IBM");
        // Text is a string, so convert the float explicitly
        textBox1.Text = returnValue.ToString();
    }

This solves the security incompatibility because you use Windows Web Services to communicate with Windows consumers such as ASP.NET. Then through the back door you communicate with Apache Web Services via HTTPS. (Remember it is possible for Tomcat and .NET to run on the same Windows server.)

Cross-Platform Web Services Using C# & JAVA (Charles River Media Internet & Web Design)
ISBN: 1584502622
Year: 2005
Pages: 128