.Net and Web Services Security CS795

References
• Video: http://www.asp.net/webforms/videos/authentication/simple-webservice-authentication
Web Services
• A web application that has no user interface of its own (unlike a
traditional web application); instead it exposes a callable API, a set
of web methods, over the Internet
• Intended to serve other applications rather than people
• Runs on a web server and listens for HTTP requests for its methods
• Requests travel from client to server as SOAP (Simple Object Access
Protocol) messages, and the results come back the same way
XML Web Service - Foundations
• WSDL (Web Services Description Language): describes everything a
client needs to know to interact with an XML web service
• HTTP (Hypertext Transfer Protocol): the transport used to carry XML
web service requests and responses over the Internet
• SOAP (Simple Object Access Protocol): the XML encoding of the request
and response messages
• UDDI (Universal Description, Discovery, and Integration): a repository
of XML web service links
Steps at server and client
At server:
1. Create a dedicated virtual directory on the web server (using IIS) to
host the XML web service.
2. Code the XML web service class, marking each remotely callable method
with the [WebMethod] attribute.
3. Deploy the web service files to the virtual directory.
At client:
1. Find the web service.
2. Request the WSDL document that describes the XML web service.
3. Generate a proxy class from the WSDL document (Visual Studio .NET does
this for you when you add a Web Reference).
4. Make calls against the proxy; the proxy handles all communication with
the server. Note that the proxy is generated once, at development time:
if the service's interface changes, the proxy class must be regenerated
by hand.
Role of IIS
• IIS (Internet Information Services) is the software that turns a
computer into a web server
• localhost refers to the current computer
• IIS exposes content through virtual directories: a virtual directory
maps a URL path to a folder on disk
• A virtual directory carries its own IIS access settings (read, script,
execute) on top of the NTFS permissions of the underlying folder, so
the two must be reviewed separately
• IIS is the component that exposes the local computer to the Internet,
so its configuration determines what is reachable from outside
More ….
• Every .asmx file refers to one XML web service (with zero or more web
methods)
• A virtual directory may contain any number of .asmx files
• A web server may contain any number of virtual directories
• Visual Studio .NET compiles all the web services in an application
into a single DLL assembly
Data Types Supported in Web Services
• Basic data types: int, float, bool, date/time, strings, etc.
• Enumerations: enum
• Arrays and collections: arrays and simple collections of any supported
type
• DataSet objects: returned as simple (XML) structures, which .NET
clients automatically convert back into full DataSet objects. DataTable
and DataRow objects are not supported.
• Custom objects: any object based on a custom class or structure may be
passed (its public fields and properties are what gets serialized)
Web Service Authentication
• Basic authentication
• Basic authentication over SSL
• Digest authentication
• Integrated Windows authentication
• Forms authentication
• Forms authentication over SSL
• Passport authentication
• Custom authentication
Basic and Forms authentication both send the credentials in the clear,
which is why the "over SSL" variants are the ones to use in practice.
Forms Authentication in WS
• Some refer to this as custom authentication, since the consumer of the
web service is a program rather than a person; the usual HTML login
page cannot simply be put up in front of it
• Several pieces need to be set up for this: the database, web.config,
and a sign-in web method
Database setup
• Let us say the database is dotnetsecurity
• Create a new table "users" in the SQL database
• Attributes: MemberName (varchar(50)), MemberPassword (varchar(50)),
plus any other attributes
• Caveat: this schema stores the password in clear text, which is what
the SignIn method below expects; a production table should hold a
salted password hash and compare hashes instead
FormsAuthentication Setup: web.config
<authentication mode="Forms">
  <forms loginUrl="xyz.asmx"
         name="xyzcookie"
         protection="All"
         path="/"
         timeout="5" />
</authentication>
<machineKey validationKey="…………." decryptionKey="…………." />
  loginUrl: where unauthenticated requests are redirected
  name: name of the authentication cookie
  protection: All = encryption + validation (the cookie is encrypted and
  carries a MAC, so it can be neither read nor altered by the client)
  path: path for which the cookie is sent
  timeout: how long the cookie lasts, in minutes
Since web services requiring high availability generally run on several
servers, the keys that encrypt and validate the authentication cookie must
not be machine-specific (the default AutoGenerate keys are): put the same
explicit validationKey and decryptionKey in the machineKey element on every
server in the farm, otherwise a cookie issued by one server is rejected by
the others. Generate the keys with a cryptographically secure random
generator on a machine you control rather than copying them from a website,
and treat them as secrets.
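The farm caveat above, worked as an added Python example (it is not lecture code, and it is not how ASP.NET itself lays out its ticket): a forms-authentication-style ticket protected with an HMAC keyed by the validationKey. It demonstrates the Validation half of protection="All" (the encryption half is omitted, since the point here is why the key must be shared): a server holding the same key accepts the ticket, a server with a different key or a tampered ticket rejects it, and the timeout is enforced. KEY_A and KEY_B are constructed values, not keys from the slides.

```python
import base64
import hashlib
import hmac
import json

# Constructed keys standing in for validationKey values. KEY_A is the value
# placed in web.config on every server of the farm; KEY_B is what a server
# left on AutoGenerate, or given a different key, would hold.
KEY_A = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
KEY_B = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
TAG_LEN = hashlib.sha256().digest_size


def issue_ticket(user: str, validation_key: bytes, issued_at: int, timeout_minutes: int = 5) -> str:
    """Issue a ticket: JSON payload + HMAC-SHA256 tag over it, base64 encoded."""
    payload = json.dumps(
        {"user": user, "issued": issued_at, "expires": issued_at + timeout_minutes * 60},
        separators=(",", ":"),
    ).encode()
    tag = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def validate_ticket(ticket: str, validation_key: bytes, now: int):
    """Return the user name if the ticket is authentic and unexpired, else None."""
    try:
        raw = base64.urlsafe_b64decode(ticket)
    except ValueError:
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    # Constant-time compare: rejects tampering and tickets minted under another key.
    if not hmac.compare_digest(tag, expected):
        return None
    data = json.loads(payload)
    if now >= data["expires"]:
        return None
    return data["user"]


def tamper(ticket: str, old_user: str, new_user: str) -> str:
    """Rewrite the user name inside a ticket without re-signing it (what an
    attacker can do when the cookie is not validated)."""
    raw = base64.urlsafe_b64decode(ticket)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    payload = payload.replace(old_user.encode(), new_user.encode())
    return base64.urlsafe_b64encode(payload + tag).decode()


if __name__ == "__main__":
    t0 = 1_000_000
    t = issue_ticket("alice", KEY_A, t0)
    print("same key, in time   :", validate_ticket(t, KEY_A, t0 + 60))
    print("other server's key  :", validate_ticket(t, KEY_B, t0 + 60))
    print("tampered user name  :", validate_ticket(tamper(t, "alice", "admin"), KEY_A, t0 + 60))
    print("after 5 min timeout :", validate_ticket(t, KEY_A, t0 + 5 * 60))
```

Only the first call returns a user name; the other three return None, which is exactly what a second farm server with its own machineKey would do to every cookie the first server issued.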
Authorization
• Deny all anonymous users (the "?" wildcard means unauthenticated
identities; "*" would mean everyone)
<authorization>
  <deny users="?" />
</authorization>
xyz.asmx file
• Add a new web service to the project and name it xyz.asmx
• At the top of xyz.asmx.cs add
  using System.Data;            // for CommandBehavior
  using System.Data.SqlClient;
  using System.Web.Security;
• Write a new SignIn web method for forms authentication
SignIn method in xyz.asmx
[WebMethod(Description = "Verifies the user credentials")]
public bool SignIn(string sMemberName, string sMemberPassword)
{
    // Connection string left elided as on the original slide; keep it in
    // web.config <connectionStrings>, not in source.
    using (SqlConnection conn = new SqlConnection("server=localhost;…"))
    {
        conn.Open();
        // Parameterised query. The slide's original string was headed for
        // splicing the name and password into the SQL text, which lets a
        // caller rewrite the WHERE clause (SQL injection); parameters keep
        // the query shape fixed and send the values separately.
        string sSQL = "SELECT MemberName, MemberPassword FROM users " +
                      "WHERE MemberName = @name AND MemberPassword = @password";
        using (SqlCommand cmd = new SqlCommand(sSQL, conn))
        {
            cmd.Parameters.AddWithValue("@name", sMemberName);
            cmd.Parameters.AddWithValue("@password", sMemberPassword);
            using (SqlDataReader rdr = cmd.ExecuteReader(CommandBehavior.CloseConnection))
            {
                // Re-compare in code so the match is exact (ordinal,
                // case-sensitive) even under a case-insensitive collation.
                if (rdr.Read()
                    && string.Equals(rdr["MemberName"].ToString(), sMemberName, StringComparison.Ordinal)
                    && string.Equals(rdr["MemberPassword"].ToString(), sMemberPassword, StringComparison.Ordinal))
                {
                    // Issue the forms-authentication cookie for this user name;
                    // "true" makes it persistent across client sessions.
                    FormsAuthentication.SetAuthCookie(sMemberName, true);
                    return true;
                }
            }
        }
    }
    return false;
}
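The injection risk behind the SignIn query, worked as an added Python example (it is not lecture code): the constructed users table lives in SQLite so the example runs offline, and SQL Server's SqlClient is replaced by Python's sqlite3, but the SQL is the same. sign_in_concatenated builds the query the way the slide's original string was headed, sign_in_parameterized is the hardened shape, and sign_in_hashed goes one step beyond the slides by storing a salted PBKDF2 hash instead of the clear-text MemberPassword column. The sample users and the PAYLOAD string are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data mirroring the lecture's "users" table.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]
PAYLOAD = "' OR '1'='1"          # classic tautology injection string


def make_db() -> sqlite3.Connection:
    """users(MemberName, MemberPassword) with clear-text passwords, as on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (MemberName TEXT, MemberPassword TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def sign_in_concatenated(conn, name: str, password: str) -> bool:
    """The slide's SignIn once the inputs are actually spliced into the SQL text.
    Whatever the caller sends becomes part of the query, so PAYLOAD turns the
    WHERE clause into '' OR '1'='1' AND ... OR '1'='1', which is always true."""
    sql = ("SELECT MemberName, MemberPassword FROM users "
           "WHERE MemberName = '" + name + "' AND MemberPassword = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def sign_in_parameterized(conn, name: str, password: str) -> bool:
    """Hardened: the query shape is fixed and the inputs travel as values."""
    sql = "SELECT MemberName, MemberPassword FROM users WHERE MemberName = ? AND MemberPassword = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; the only thing worth storing for a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_hashed_db() -> sqlite3.Connection:
    """Same users, but the table holds a per-user salt and a PBKDF2 hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (MemberName TEXT PRIMARY KEY, Salt BLOB, PasswordHash BLOB)")
    for name, pw in SAMPLE_USERS:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, hash_password(pw, salt)))
    return conn


def sign_in_hashed(conn, name: str, password: str) -> bool:
    """Parameterised lookup by name, then a constant-time hash comparison."""
    row = conn.execute("SELECT Salt, PasswordHash FROM users WHERE MemberName = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


if __name__ == "__main__":
    db = make_db()
    print("concatenated, real creds :", sign_in_concatenated(db, "alice", "s3cret"))
    print("concatenated, injection  :", sign_in_concatenated(db, PAYLOAD, PAYLOAD))
    print("parameterized, injection :", sign_in_parameterized(db, PAYLOAD, PAYLOAD))
    hdb = make_hashed_db()
    print("hashed, real creds       :", sign_in_hashed(hdb, "alice", "s3cret"))
    print("hashed, wrong password   :", sign_in_hashed(hdb, "alice", "nope"))
```

The concatenated version lets PAYLOAD sign in without any valid credentials; the parameterized version treats the same string as a literal member name and rejects it. The hashed variant also removes the second risk on the slides, a table full of recoverable passwords.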
Alternate: Custom SOAP Authentication
• SOAP headers are a convenient way to pass user credentials from a
consumer application into a web service: the consumer adds the
credentials to the SOAP header of each message and the web service
reads them from there
• Thus we do not have to pass the credentials as parameters of every one
of our web methods
• The header is still just XML in the request, so the credentials travel
in the clear unless the call is made over SSL
SOAP Headers in a Web Service
• In web.config, set authentication mode="None"
• Open xyz.asmx.cs, which contains the web methods for our service, and
add
  using System.Web.Services.Protocols;
• Define a new class called SOAPAuthHeader, derived from SoapHeader:
  public class SOAPAuthHeader : SoapHeader
  {
      public string MemberName;
      public string MemberPassword;
  }
• References:
  http://www.codeguru.com/csharp/csharp/cs_webservices/security/article.php/c5479/Build-Secure-Web-Services-With-SOAP-Headers-andExtensions.htm
  http://www.codeproject.com/Articles/27365/Authenticate-NET-WebService-with-Custom-SOAP-Head
• Add a field of type SOAPAuthHeader to the web service class and apply
the SoapHeader attribute, naming that field, to each web method that
must receive the header. Then add a getCredentials method that reads it:
public class xyz : System.Web.Services.WebService
{
    public xyz()
    {
        // CODEGEN: Component Designer generated code
    }

    // The SOAP header is deserialized into this field before the method runs
    public SOAPAuthHeader sHeader;

    [WebMethod(Description = "Verifies the user credentials.")]
    // Required = true: a call without the header is rejected with a SOAP
    // fault before getCredentials runs. Direction In: the header is only
    // read; with InOut the credentials would be echoed back in the response.
    [SoapHeader("sHeader", Direction = SoapHeaderDirection.In, Required = true)]
    public string getCredentials()
    {
        if (sHeader != null
            && !string.IsNullOrEmpty(sHeader.MemberName)
            && !string.IsNullOrEmpty(sHeader.MemberPassword))
        {
            if (SignIn(sHeader.MemberName, sHeader.MemberPassword))
                return "Hello " + sHeader.MemberName;
            return "SOAPAuthentication Failed";
        }
        return "zero length";
    }

    // Same credential check as the SignIn web method earlier, but private:
    // callers never reach it directly, only through the header.
    private bool SignIn(string sMemberName, string sMemberPassword)
    {…}
}
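The wire-level picture of the two mechanisms described on these slides (the SOAP request/response format from the introduction and the SOAPAuthHeader scheme here), as an added Python example; it is not lecture code and does not use .NET. The client side builds the envelope a generated proxy would send when its SOAPAuthHeader field is populated; the server side does what ASMX does for a method marked Required=true: it looks for the header, returns a SOAP Fault if absent, and otherwise produces the same three outcomes as getCredentials. The service namespace http://tempuri.org/ is the ASMX default and is assumed here, and the USERS dictionary is a constructed stand-in for the database.

```python
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://tempuri.org/"     # ASMX default namespace; assumed for these messages
ET.register_namespace("soap", SOAP_NS)

# Constructed credential store standing in for the lecture's users table.
USERS = {"alice": "s3cret"}


def build_request(member_name=None, member_password=None) -> bytes:
    """Client side: the envelope a proxy sends for getCredentials(). The
    soap:Header block is omitted entirely when no credentials are given."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    if member_name is not None:
        hdr = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
        auth = ET.SubElement(hdr, f"{{{SVC_NS}}}SOAPAuthHeader")
        ET.SubElement(auth, f"{{{SVC_NS}}}MemberName").text = member_name
        ET.SubElement(auth, f"{{{SVC_NS}}}MemberPassword").text = member_password
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    ET.SubElement(body, f"{{{SVC_NS}}}getCredentials")
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def _envelope_with_body(child: ET.Element) -> bytes:
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(child)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def soap_fault(message: str) -> bytes:
    """What the runtime returns when a Required header is missing."""
    fault = ET.Element(f"{{{SOAP_NS}}}Fault")
    ET.SubElement(fault, "faultcode").text = "soap:Client"
    ET.SubElement(fault, "faultstring").text = message
    return _envelope_with_body(fault)


def handle_request(envelope: bytes) -> bytes:
    """Server side for [SoapHeader("sHeader", Required=true)] getCredentials()."""
    root = ET.fromstring(envelope)
    header = root.find(f"{{{SOAP_NS}}}Header/{{{SVC_NS}}}SOAPAuthHeader")
    if header is None:
        return soap_fault("SOAPAuthHeader is required")
    name = header.findtext(f"{{{SVC_NS}}}MemberName") or ""
    password = header.findtext(f"{{{SVC_NS}}}MemberPassword") or ""
    if not name or not password:
        result = "zero length"
    elif hmac.compare_digest(USERS.get(name, "").encode(), password.encode()):
        result = "Hello " + name          # constant-time compare of the secret
    else:
        result = "SOAPAuthentication Failed"
    resp = ET.Element(f"{{{SVC_NS}}}getCredentialsResponse")
    ET.SubElement(resp, f"{{{SVC_NS}}}getCredentialsResult").text = result
    return _envelope_with_body(resp)


def read_response(envelope: bytes) -> str:
    """Client side: the string the proxy hands back, or 'Fault: ...'."""
    root = ET.fromstring(envelope)
    fault = root.find(f"{{{SOAP_NS}}}Body/{{{SOAP_NS}}}Fault")
    if fault is not None:
        return "Fault: " + (fault.findtext("faultstring") or "")
    path = f"{{{SOAP_NS}}}Body/{{{SVC_NS}}}getCredentialsResponse/{{{SVC_NS}}}getCredentialsResult"
    return root.findtext(path) or ""


def call(member_name=None, member_password=None) -> str:
    """One round trip: build the request, dispatch it, decode the response."""
    return read_response(handle_request(build_request(member_name, member_password)))


if __name__ == "__main__":
    print(build_request("alice", "s3cret").decode())
    for args in (("alice", "s3cret"), ("alice", "wrong"), ("", ""), ()):
        print(args, "->", call(*args))
```

Printing the request makes the caveat on the previous slide concrete: MemberPassword sits in plain XML inside soap:Header, so this scheme is only acceptable when the transport is SSL.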
Reference Links
• http://www.xml.com/pub/a/ws/2003/03/04/security.html?page=1
• http://www.rassoc.com/gregr/weblog/stories/2002/06/09/webServicesSecurity.html
• http://xml.coverpages.org/ws-security.html
• http://www.codemagazine.com/Article.aspx?quickid=0307071
• http://www.cgisecurity.com/ws/