Summary


In this chapter, we looked at general security concerns with .NET Web services. We started with a general discussion of Windows security and how to use IIS to authenticate users prior to Web service execution. We also discussed how to use each of the IIS authentication methods and examined the differences between them.

We also looked at other types of authentication that don’t involve IIS, including a wrapper class for a Win32 function to log on Windows users.

Next we turned our attention to authorization, looking at the permissions that users can possess to access resources. You can test this by looking at role membership, or you can simply impersonate the user to gain access to whatever resources the associated Windows account has access to. Alternatively, you can use the account that ASP.NET runs under to access resources; you can configure this for a higher level of access to ASP.NET applications.

The last part of the chapter was concerned with secure communication. First we looked at SSL and how to use the HTTPS protocol to set up secure communication between Web services and clients. We also considered that SSL isn’t always the best option, and to address these concerns we put together a custom cryptography extension for Web services using the SOAP protocol.

You might be pleased to know that the latest SOAP and Web service developments have made many of the challenges discussed in this chapter a little easier. In the next few chapters, we’ll look at these additions, most importantly the Global XML Web Services Architecture (GXA). It is worth noting, though, that the principles we covered in this chapter apply to all the techniques you will see in those later chapters.




Programming Microsoft® .NET XML Web Services (Pro-Developer)
ISBN: 0735619123
EAN: 2147483647
Year: 2005
Pages: 172
