.Net and Web Services Security
CS795

References
• Video: http://www.asp.net/webforms/videos/authentication/simple-webservice-authentication

Web Services
• A web application
• Does not have a user interface (as a traditional web application does); instead, it exposes a callable API, the web methods, over the Internet
• Intended to serve other applications rather than people
• It runs on a web server and listens for HTTP requests for the methods
• The requests are transmitted from client to server in SOAP (Simple Object Access Protocol) format. The results are sent back the same way.

XML Web Service - Foundations
• WSDL---Web Services Description Language---describes everything a client needs to know to interact with an XML web service
• HTTP---Hypertext Transfer Protocol---communication protocol used to send XML web service requests and responses over the Internet
• SOAP---Simple Object Access Protocol---encodes the information in XML web service messages
• UDDI---Universal Description, Discovery, and Integration---repository of XML web service links

Steps at server and client
At server:
1. Create a dedicated virtual directory to host the XML web services on the web server, using IIS.
2. Code the XML web service class, marking each remotely callable method with the [WebMethod] attribute.
3. Deploy the web service files to the virtual directory.
At client:
1. Find the web service.
2. Request the WSDL document that describes the XML web service.
3. Generate a proxy class based on the WSDL document (done automatically in .Net).
4. The client makes calls to the proxy; the proxy handles all the communication with the server. (The proxy is generated at development time. If the service changes, the proxy class must be regenerated manually.)
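As an added example (not code from the lecture slides), here is a minimal .asmx service with one [WebMethod] and a client that builds and posts the SOAP envelope by hand, which is exactly what the generated proxy class does behind the scenes. The names HelloService, Greet, the http://tempuri.org/ namespace and the localhost/ws virtual directory are assumptions for illustration.

```csharp
// Added example, not from the slides. Server half goes in HelloService.asmx.cs;
// the client half shows the raw SOAP 1.1 exchange the proxy normally hides.
using System;
using System.IO;
using System.Net;
using System.Text;
using System.Web.Services;

// ---- Server side: HelloService.asmx.cs (names assumed) ----
// Every [WebMethod] becomes an operation in the WSDL that IIS serves at
// HelloService.asmx?WSDL. Public methods without the attribute are not exposed.
[WebService(Namespace = "http://tempuri.org/")]
public class HelloService : WebService
{
    [WebMethod(Description = "Returns a greeting for the given name.")]
    public string Greet(string name)
    {
        return "Hello, " + name;
    }

    // Public, but not callable remotely: no [WebMethod] attribute.
    public string NotExposed() { return "internal"; }
}

// ---- Client side: what goes over the wire for Greet(name) ----
public static class RawSoapClient
{
    // Builds the SOAP 1.1 envelope an ASMX service expects: the method name is the
    // body element, each parameter a child element, both in the service namespace.
    public static string BuildEnvelope(string name)
    {
        return
          "<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
          "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">" +
            "<soap:Body>" +
              "<Greet xmlns=\"http://tempuri.org/\">" +
                // Escape so a caller-supplied value cannot inject extra XML elements.
                "<name>" + System.Security.SecurityElement.Escape(name) + "</name>" +
              "</Greet>" +
            "</soap:Body>" +
          "</soap:Envelope>";
    }

    // Posts the envelope to the .asmx endpoint and returns the raw response XML.
    public static string CallGreet(string serviceUrl, string name)
    {
        byte[] body = Encoding.UTF8.GetBytes(BuildEnvelope(name));
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(serviceUrl);
        req.Method = "POST";
        req.ContentType = "text/xml; charset=utf-8";
        // SOAPAction = service namespace + method name; ASMX uses it to route the call.
        req.Headers.Add("SOAPAction", "http://tempuri.org/Greet");
        req.ContentLength = body.Length;
        using (Stream s = req.GetRequestStream()) { s.Write(body, 0, body.Length); }
        using (WebResponse resp = req.GetResponse())
        using (StreamReader rdr = new StreamReader(resp.GetResponseStream()))
        {
            return rdr.ReadToEnd();
        }
    }

    public static void Main()
    {
        // Assumes the service is deployed in a virtual directory named "ws" on localhost.
        Console.WriteLine(CallGreet("http://localhost/ws/HelloService.asmx", "Alice"));
    }
}
```

The response comes back in the same shape, with a GreetResponse element wrapping a GreetResult child. Seeing the exchange this way makes the later authentication discussion concrete: anything the proxy sends, including credentials in parameters or headers, is plain XML in an HTTP POST unless the connection is SSL.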
Role of IIS
• IIS (Internet Information Services) is the software that allows a computer to become a web server
• localhost refers to the current computer
• It provides access to the web server through virtual directories
• Virtual directories don't have the same permissions as normal directories
• It controls what the local computer exposes to the Internet

More ....
• Every .asmx file contains a reference to one XML web service (with zero or more methods)
• A given virtual directory may contain any number of .asmx files
• A web server can contain any number of virtual directories
• Visual Studio .Net compiles all web services in an application into a single dll assembly

Data Types Supported in Web Services
• Basic data types: int, float, bool, dates/times, strings, etc.
• Enumeration: enum
• Arrays and collections: arrays and simple collections of any supported type
• DataSet objects: they are returned as simple structures, which .Net clients can automatically convert to full DataSet objects. DataTable objects and DataRow objects are not supported.
• Custom objects: any object created based on a custom class or structure may be passed
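An added example (not from the slides) of the last two bullets: a web method that returns a custom object and an array of it. ASMX serializes return values with XmlSerializer, so the class needs a public parameterless constructor and only its public fields and properties go on the wire; anything sensitive that happens to be public must be marked off explicitly. The names Member and MemberService are assumptions.

```csharp
// Added example, not from the slides: what a custom return type must look like
// and which of its members actually reach the client.
using System;
using System.Web.Services;
using System.Xml.Serialization;

public class Member
{
    public string Name;                        // public field: serialized
    public DateTime Joined;                    // serialized as xsd:dateTime
    [XmlIgnore] public string PasswordHash;    // public, but explicitly kept off the wire
    private int internalId;                    // private: never serialized

    public Member() { }                        // required by XmlSerializer
    public Member(string name, DateTime joined, int id, string hash)
    {
        Name = name; Joined = joined; internalId = id; PasswordHash = hash;
    }
}

[WebService(Namespace = "http://tempuri.org/")]
public class MemberService : WebService
{
    // Returns one custom object; the WSDL gets a complexType with Name and Joined only.
    [WebMethod(Description = "Returns one member record.")]
    public Member GetMember(string name)
    {
        return new Member(name, new DateTime(2003, 3, 4), 7, "not-sent");
    }

    // Returns an array of the same type (ArrayOfMember in the WSDL).
    [WebMethod(Description = "Returns all member records.")]
    public Member[] ListMembers()
    {
        return new Member[]
        {
            new Member("alice", new DateTime(2003, 3, 4), 1, "not-sent"),
            new Member("bob",   new DateTime(2003, 6, 9), 2, "not-sent")
        };
    }
}
```

Without the [XmlIgnore] attribute the PasswordHash field would be advertised in the WSDL and returned to every caller, which is the usual way a "convenient" data class leaks more than intended.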
Web Service Authentication
• Basic authentication
• Basic authentication over SSL
• Digest authentication
• Integrated Windows authentication
• Forms authentication
• Forms authentication over SSL
• Passport authentication
• Custom authentication

Forms Authentication in WS
• Some refer to this as custom authentication, since the consumer of the WS is not a physical user but a program; the usual HTML login page cannot simply be put up, so the service itself has to accept and verify the credentials
• Several pieces need to be set up for this task

Database setup
• Let us say the database is dotnetsecurity
• Create a new table "users" in the SQL database
• Attributes: MemberName (varchar(50)), MemberPassword (varchar(50)), any other attributes

FormsAuthentication setup: web.config
    <authentication mode="Forms">
      <forms loginUrl="xyz.asmx"
             name="xyzcookie"
             protection="All"
             path="/"
             timeout="5" />
    </authentication>
    <machineKey validationKey="…" decryptionKey="…" />
• loginUrl---where unauthenticated requests are redirected
• name---name of the authentication cookie
• protection="All"---encryption + validation of the cookie
• path---path for the cookie
• timeout---length of time the cookie lasts, in minutes
Since web services requiring high availability generally run on several servers, the keys used to encrypt and validate the authentication cookie must not be machine specific (the default is auto-generated per machine, so a cookie issued by one server is rejected by the next): set the same validationKey and decryptionKey on every server in the farm. Generate the values with a cryptographic random number generator rather than copying a key from a web page, and place them above.

Authorization
• Deny all anonymous users
    <authorization>
      <deny users="?" />
    </authorization>

xyz.asmx file
• Add a new web service to the project and name it xyz.asmx.
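As an added example (not from the slides), this small program generates the machineKey values locally with the framework's cryptographic RNG, so the same element can be pasted into web.config on every server of the farm without trusting a third-party key generator. The key sizes (64 bytes for validationKey, 32 bytes for decryptionKey) and the SHA1/AES algorithm choice are assumptions; adjust them to what your framework version accepts.

```csharp
// Added example, not from the slides: generate a farm-wide <machineKey> element
// from the OS cryptographic RNG instead of a key copied from a web page.
using System;
using System.Security.Cryptography;

public static class MachineKeyGen
{
    // Returns byteCount random bytes as upper-case hex, the format machineKey expects.
    public static string RandomHex(int byteCount)
    {
        byte[] buf = new byte[byteCount];
        new RNGCryptoServiceProvider().GetBytes(buf);   // CSPRNG, not System.Random
        return BitConverter.ToString(buf).Replace("-", "");
    }

    // Builds the element; validation/decryption algorithm names are assumed defaults.
    public static string MachineKeyElement()
    {
        return string.Format(
            "<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" validation=\"SHA1\" decryption=\"AES\" />",
            RandomHex(64), RandomHex(32));
    }

    public static void Main()
    {
        // Run once, copy the output into web.config on every server in the farm.
        Console.WriteLine(MachineKeyElement());
    }
}
```

Keep the generated element out of source control and treat it like any other secret: whoever holds the decryptionKey and validationKey can forge the forms authentication cookie for any user name.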
• Go to the top of xyz.asmx.cs and add
  using System.Web.Security;
  using System.Data.SqlClient;
  using System.Data;   (for CommandBehavior)
• Write a new SignIn web method for forms authentication

SignIn method in xyz.asmx
    [WebMethod(Description = "Verifies the user credentials")]
    public bool SignIn(string sMemberName, string sMemberPassword)
    {
        // Parameterized query: the submitted name is sent as a value, never spliced into the SQL text
        string sSQL = "SELECT MemberName, MemberPassword FROM users WHERE MemberName = @name";
        using (SqlConnection conn = new SqlConnection("server=localhost;…"))
        using (SqlCommand cmd = new SqlCommand(sSQL, conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.VarChar, 50).Value = sMemberName;
            conn.Open();
            using (SqlDataReader rdr = cmd.ExecuteReader(CommandBehavior.CloseConnection))
            {
                // The users table as defined stores MemberPassword in the clear, so compare the stored value
                if (rdr.Read() && rdr["MemberPassword"].ToString() == sMemberPassword)
                {
                    FormsAuthentication.SetAuthCookie(sMemberName, true); // username, persistent cookie
                    return true;
                }
            }
        }
        return false;
    }
• The query is parameterized so a crafted MemberName cannot alter the SQL; the row is fetched by name and the password compared in code. Because the table stores the password itself, a database read discloses every credential; a production service should store a salted hash and compare against that.

Alternate: Custom SOAP Authentication
• SOAP headers are a convenient way to pass user credentials into a web service from a consumer application---the consumer application adds the info to the SOAP header and the web service retrieves it
• Thus we don't have to pass credentials as parameters of every one of our WebMethods

SOAP Headers in a Web Service
• In web.config, set authentication mode="None"
• Open the xyz.asmx file that contains the web methods for our service and add
  – using System.Web.Services.Protocols;
  – Define a new class called SOAPAuthHeader, derived from SoapHeader:
    public class SOAPAuthHeader : SoapHeader
    {
        public string MemberName;
        public string MemberPassword;
    }
• References:
  http://www.codeguru.com/csharp/csharp/cs_webservices/security/article.php/c5479/Build-Secure-Web-Services-With-SOAP-Headers-andExtensions.htm
  http://www.codeproject.com/Articles/27365/Authenticate-NET-WebService-with-Custom-SOAP-Head
• Add a field of the SOAPAuthHeader type to the web service class and apply the SoapHeader attribute to each web method that needs the header.
    public class xyz : System.Web.Services.WebService
    {
        public xyz()
        {
            // CODEGEN: Component Designer generated code
        }

        public SOAPAuthHeader sHeader;   // filled in by ASMX from the incoming SOAP header

Now add a method called getCredentials that reads the header:
        [WebMethod(Description = "Verifies the user credentials.")]
        [SoapHeader("sHeader", Direction = SoapHeaderDirection.InOut, Required = true)]
        public string getCredentials()
        {
            // sHeader is null if the consumer omitted the header and Required were false
            if (sHeader != null && sHeader.MemberName.Length > 0 && sHeader.MemberPassword.Length > 0)
            {
                if (SignIn(sHeader.MemberName, sHeader.MemberPassword))
                    return "Hello " + sHeader.MemberName;
                else
                    return "SOAP Authentication Failed";
            }
            else
                return "zero length";
        }

        private bool SignIn(string sMemberName, string sMemberPassword) { … }   // same lookup as the SignIn web method, no [WebMethod]
    }

Reference Links
• http://www.xml.com/pub/a/ws/2003/03/04/security.html?page=1
• http://www.rassoc.com/gregr/weblog/stories/2002/06/09/webServicesSecurity.html
• http://xml.coverpages.org/ws-security.html
• http://www.codemagazine.com/Article.aspx?quickid=0307071
• http://www.cgisecurity.com/ws/
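As an added example (not the slides' code nor the linked articles'), here is the SOAP header scheme carried through the way a practitioner would deploy it: one central check that every protected web method calls, which fails closed with a SOAP fault instead of a status string, refuses to read header credentials over a non-SSL connection, and verifies a salted password hash with a parameterized query and a constant-time comparison. The service and header names (SecureService, AuthHeader, WhoAmI), the connection string, the Salt/PasswordHash columns and the PBKDF2 parameters are all assumptions.

```csharp
// Added example, not from the slides: SOAP-header authentication done fail-closed.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Services;
using System.Web.Services.Protocols;

// The header the consumer must attach to every request (same shape as SOAPAuthHeader).
public class AuthHeader : SoapHeader
{
    public string MemberName;
    public string MemberPassword;
}

[WebService(Namespace = "http://tempuri.org/")]
public class SecureService : WebService
{
    public AuthHeader Auth;   // populated by ASMX from the incoming SOAP header

    [WebMethod(Description = "Returns the authenticated member name; requires AuthHeader.")]
    [SoapHeader("Auth", Direction = SoapHeaderDirection.In, Required = true)]
    public string WhoAmI()
    {
        RequireAuthenticated();          // every protected method starts with this line
        return "Hello " + Auth.MemberName;
    }

    // Central check: a SOAP client fault, never a "failed" string the caller might ignore.
    private void RequireAuthenticated()
    {
        // Header credentials travel in the clear inside the envelope; insist on SSL.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("SSL required", SoapException.ClientFaultCode);
        if (Auth == null || string.IsNullOrEmpty(Auth.MemberName) || string.IsNullOrEmpty(Auth.MemberPassword)
            || !VerifyCredentials(Auth.MemberName, Auth.MemberPassword))
            throw new SoapException("Authentication failed", SoapException.ClientFaultCode);
    }

    // Assumes users(MemberName varchar(50), Salt varbinary, PasswordHash varbinary)
    // instead of the clear-text MemberPassword column from the slides.
    private static bool VerifyCredentials(string name, string password)
    {
        const string sql = "SELECT Salt, PasswordHash FROM users WHERE MemberName = @name";
        using (SqlConnection conn = new SqlConnection("server=localhost;database=dotnetsecurity;Integrated Security=true"))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.VarChar, 50).Value = name;   // no string concatenation
            conn.Open();
            using (SqlDataReader rdr = cmd.ExecuteReader())
            {
                if (!rdr.Read()) return false;                      // unknown user: same fault as bad password
                byte[] salt = (byte[])rdr["Salt"];
                byte[] stored = (byte[])rdr["PasswordHash"];
                return FixedTimeEquals(stored, Hash(salt, password));
            }
        }
    }

    // PBKDF2 (Rfc2898DeriveBytes); iteration count and output size are assumptions.
    public static byte[] Hash(byte[] salt, string password)
    {
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, 100000);
        return kdf.GetBytes(32);
    }

    // Compare every byte regardless of where the first mismatch is.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

On the consumer side the proxy generated from SecureService.asmx?WSDL (by "Add Web Reference" or wsdl.exe) exposes the header as a property named after the header class with a "Value" suffix, here AuthHeaderValue; the consumer sets proxy.Url to the https endpoint, assigns a new AuthHeader with MemberName and MemberPassword to that property once, and every subsequent call such as proxy.WhoAmI() carries the header automatically. Storing Salt and PasswordHash as binary columns means the Hash helper above is also what the enrolment code runs when a member is created.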