Web Service Security - Options

Coordinator
Aug 14, 2007 at 8:22 PM
Okay, there are a few different options we can go with on the web service security. I've recently been researching a little bit about WSE 3.0 and WCF and found that, in an internal or fully trusted hosting situation, that is by far the best way to go. It's a standardized option that uses simple policy files to enable authentication and encryption for your web services. To learn more about this, check out the MSDN articles on WSE 3.0 or WCF and policy files. You'll need to download the WSE 3.0 extensions for Visual Studio (to make it easy) and the runtime components for your server.

Now for the rest of you guys using Medium Trust, shared hosting solutions (like me)... We kind of have to invent our own, because in our deployment scenario we can't use WSE or WCF. From here we have a few more options. We can create a secret key for the consumers so we can authenticate clients talking to web services in each function call, or we can use SOAP extensions and compress/encrypt the SOAP messages between the consumers and the server.

The best way to secure your web services is to make them authenticate consumers and encrypt the SOAP messages during transport using HTTPS. You can force HTTPS by checking this server-side with the Request.ServerVariables object. You'll need to have HTTPS set up for your hosting solution also. Usually hosts like GoDaddy charge a few bucks for that.

To authenticate clients, I found the simplest way to do this is to use a secret key string for each client. In all your web services, you can pass the key around as a parameter and validate it before performing any operations. This is the method I've used here in SingleSignOn, except the key is dynamically generated and a session is created for each web service client. The current problem, however, is that the sessions generated never expire and never get removed.

For some other projects I built a version of this SingleSignOn project where a shared key is set up for clients from the server and then downloaded to a key file on the client. Then all web service consumers use the same key file to authenticate with the web services. This is the solution I want to implement here for SingleSignOn, so keep an eye out for updates with this change. They will be reflected in WorkItem 1129.

What are your thoughts about this solution? Any other suggestions?

Thanks,
Nathan
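Editor's note: the post above proposes passing a per-client secret key as a web method parameter, validating it before doing any work, and forcing HTTPS via `Request.ServerVariables`. The C# below is an added example of how that shared-key design can be implemented for an ASMX service under Medium Trust; it is not code from the SingleSignOn project. Two things differ from sending the raw key in each call: the client sends an HMAC over the call (client id, operation, timestamp, nonce and arguments) computed with the shared key, so the key itself never travels in a request, and each nonce is accepted once within a short time window and then purged, so the server-side state does expire (the problem the post describes with its sessions). The service class, the `portal` client, its key and the `GetDisplayName` operation are hypothetical.

```csharp
// Added example (not from the SingleSignOn project). Targets ASP.NET 2.0 ASMX
// web services; only BCL types that Medium Trust permits are used.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
using System.Web.Services;
using System.Web.Services.Protocols;

public class SharedKeyAuthenticator
{
    private readonly Dictionary<string, byte[]> clientKeys = new Dictionary<string, byte[]>();
    // nonce -> UTC expiry; entries are purged on every call, so nothing lives forever.
    private readonly Dictionary<string, DateTime> seenNonces = new Dictionary<string, DateTime>();
    private readonly TimeSpan maxSkew = TimeSpan.FromMinutes(5);
    private readonly object sync = new object();

    public void RegisterClient(string clientId, byte[] key) { clientKeys[clientId] = key; }

    // Shared by client and server. Each field is length-prefixed so that
    // ("ab","c") and ("a","bc") cannot produce the same string-to-sign.
    public static string ComputeSignature(byte[] key, params string[] fields)
    {
        StringBuilder sb = new StringBuilder();
        foreach (string f in fields)
        {
            if (f == null) throw new ArgumentNullException("fields");
            sb.Append(Encoding.UTF8.GetByteCount(f)).Append(':').Append(f);
        }
        using (HMACSHA256 hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(sb.ToString())));
    }

    // True only if the client is known, the timestamp is within the skew window,
    // the signature matches and the nonce has not been seen before.
    public bool Validate(string clientId, string operation, string timestampUtc, string nonce,
                         string signature, DateTime nowUtc, params string[] args)
    {
        byte[] key;
        if (clientId == null || nonce == null || signature == null || timestampUtc == null) return false;
        if (!clientKeys.TryGetValue(clientId, out key)) return false;

        DateTime ts;
        if (!DateTime.TryParseExact(timestampUtc, "yyyy-MM-dd'T'HH:mm:ss'Z'", CultureInfo.InvariantCulture,
                DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal, out ts)) return false;
        if (ts < nowUtc - maxSkew || ts > nowUtc + maxSkew) return false; // stale, or clock far ahead

        string[] fields = new string[args.Length + 4];
        fields[0] = clientId; fields[1] = operation; fields[2] = timestampUtc; fields[3] = nonce;
        Array.Copy(args, 0, fields, 4, args.Length);
        byte[] expected = Encoding.UTF8.GetBytes(ComputeSignature(key, fields));
        byte[] actual = Encoding.UTF8.GetBytes(signature);
        if (!FixedTimeEquals(expected, actual)) return false;

        lock (sync)
        {
            PurgeExpired(nowUtc);
            string nonceKey = clientId + "\n" + nonce;
            if (seenNonces.ContainsKey(nonceKey)) return false; // replayed request
            seenNonces[nonceKey] = nowUtc + maxSkew;            // forget it once it could no longer validate anyway
        }
        return true;
    }

    private void PurgeExpired(DateTime nowUtc)
    {
        List<string> expired = new List<string>();
        foreach (KeyValuePair<string, DateTime> kv in seenNonces)
            if (kv.Value <= nowUtc) expired.Add(kv.Key);
        foreach (string k in expired) seenNonces.Remove(k);
    }

    // Compare every byte so the time taken does not reveal where the first mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

[WebService(Namespace = "http://example.invalid/sso")] // hypothetical namespace
public class ProfileService : WebService
{
    private static readonly SharedKeyAuthenticator Auth = CreateAuthenticator();

    private static SharedKeyAuthenticator CreateAuthenticator()
    {
        SharedKeyAuthenticator a = new SharedKeyAuthenticator();
        // Constructed sample key; in the key-file design this would be read from the
        // key the server issued, never hard-coded.
        a.RegisterClient("portal", Encoding.UTF8.GetBytes("constructed-sample-key-not-for-production"));
        return a;
    }

    [WebMethod]
    public string GetDisplayName(string clientId, string timestampUtc, string nonce, string signature, string userName)
    {
        // Same check as Request.ServerVariables["HTTPS"] == "on", via the typed property.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("HTTPS is required.", SoapException.ClientFaultCode);
        if (!Auth.Validate(clientId, "GetDisplayName", timestampUtc, nonce, signature, DateTime.UtcNow, userName))
            throw new SoapException("Authentication failed.", SoapException.ClientFaultCode);
        return userName; // placeholder for the real profile lookup
    }
}
```

The client builds each call with the same `ComputeSignature` routine, passing its key from the downloaded key file, the operation name, the current UTC time formatted as `yyyy-MM-ddTHH:mm:ssZ`, a fresh random nonce, and the business arguments in the same order the server signs them; the server recomputes and compares. Two caveats a practitioner will want: the HTTPS check still matters even with signed requests, because the signature protects integrity and authentication but not the confidentiality of the arguments, and the nonce table lives in the worker process, so on a web farm the replay window must be enforced in shared storage instead.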