WCF/WF - Webservice security - Asked By shekhar kumar on 11-Sep-08 03:20 AM

Hi, I am new to web services. I have created a web service on one of my network computers and consumed it on my computer by adding a web reference. Now I want to secure that web service. How can I do it? I mean there should be something like a password when I add the service reference. Thanks, Shekhar

will this help: Password-protecting a Web service operation - Binny ch replied to shekhar kumar on 11-Sep-08 03:24 AM

Procedure

  1. For the first Web service that you protect, make your own copy of the app_server_root/installableApps/SIBWSauthbean.ear file in a convenient location outside of the application server file system.
  2. To create the your_webservice.ear file, complete the following steps:
    1. Open a command prompt.
    2. Go to the app_server_root/util directory.
    3. Enter the following command:
      sibwsAuthGen location your_webservice_name
      where
      • location is the service WSDL location. For an outbound service, you need the target WSDL file that is located at an external Web address. For an inbound service, you need the template WSDL file that is located at the endpoint listener endpoint for the service.
      • your_webservice_name is the name of the service that you are securing, as defined in the location field of the WSDL file. This is case-sensitive.
      Note: To get the location details for a given inbound service WSDL file, publish the WSDL file to a zip file as described in Modifying an existing inbound service configuration, then look up the location within the exported WSDL file. Alternatively, you can retrieve the inbound service WSDL file by using the following standard Web services query:
      http://host_name:port_number/epl_context_root/soaphttpengine/bus_name/inbound_service_name/inbound_port_name?wsdl
      where host_name and port_number are the host name and port number for this application server, and epl_context_root is the context root of the endpoint listener application as described in Modifying an existing endpoint listener configuration.

      Examples of using the sibwsAuthGen command:

      (outbound service):
      sibwsAuthGen http://www.somecompany.com/targetservice/wsdl/targetservice.wsdl targetServiceName
      (inbound service):
      sibwsAuthGen http://your.server.name:9080/wsgwsoaphttp1/soaphttpengine/yourbus/yourservice/inboundport1?wsdl yourservicename
    The your_webservice.ear file is created in the current directory. There is also a temporary directory current_directory/ejb that you can delete.
  3. To finish assigning roles and protecting methods, complete the steps given in the topic Using assembly tools to Password-protect a Web service operation.
  4. To install the modified copy of the sibwsauthbean.ear file, complete the following steps:
    1. Check that the modified sibwsauthbean.ear file is stored in the convenient location outside of the application server file system that you chose in step 1. Keep the sibwsauthbean.ear file in this location for subsequent reuse and further modification.
    2. Start the WebSphere Application Server administrative console.
    3. In the navigation pane, select Applications > Install an Application.
    4. Use Install New Application to install the modified copy of the sibwsauthbean.ear file. Select the users or groups to assign to the roles when prompted.

Go through these links: - Binny ch replied to shekhar kumar on 11-Sep-08 03:25 AM

end of post

kerberos - Perry replied to shekhar kumar on 11-Sep-08 03:25 AM

Hi,

It will require a lot of work, but Kerberos authentication is the best way to do web services security. You will need to use SSPI, get the user name and password, and based on that generate the kinit and pass it to the server. With this kind of security, nothing like snooping, spoofing or interception can happen. It is secure all the way.

-Paresh

links - Perry replied to shekhar kumar on 11-Sep-08 03:27 AM

Hi,

If you don't know the procedure I have given, then please go through the following links; they will help you a lot.

http://en.wikipedia.org/wiki/WS-Security

www.gosecure.ca/SecInfo/library/WebApplication/webservicesec.ppt

www.codeproject.com/KB/webservices/WS-Security.aspx

www.microsoft.com/downloads/details.aspx?familyid=3E02A6C8-128A-47C2-9F39-4082582F3FE1

www.ibm.com/developerworks/webservices/library/ws-security.html

-Paresh

Securing Web Services With Username and Password - Binny ch replied to shekhar kumar on 11-Sep-08 03:28 AM
1.  Create an object that extends SoapHeader
2.  Add a property to your service class
3.  Add the SoapHeader attribute to each or certain methods you wish to secure, passing in the name of the property that is defined as the SoapHeader object in step 2.
4.  Create a method to process your SoapHeader for authentication
5.  Add validation to service method

Go through this link:
http://keithelder.net/blog/archive/2007/01/06/Securing-Web-Services-With-Username-and-Password.aspx
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.pmc.express.doc/tasks/tjw_security_wslevel.html
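
The five SoapHeader steps listed above, written out as an ASMX service. This is an added example, not code from the original post or the linked article: `AuthHeader`, `SecureService`, `GetData` and the `WsUser`/`WsSalt`/`WsHash` appSettings keys are assumed names, and the HTTPS check and PBKDF2 comparison are one way to fill in steps 4 and 5.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Web.Services;
using System.Web.Services.Protocols;
// Step 1: header type carrying the credentials (hypothetical name).
public class AuthHeader : SoapHeader
{
    public string Username;
    public string Password;
}
[WebService(Namespace = "http://example.invalid/secure")]
public class SecureService : WebService
{
    // Step 2: public member that ASP.NET fills from the incoming SOAP header.
    public AuthHeader Credentials;
    // Step 3: bind the header to the method by the member's name.
    [WebMethod]
    [SoapHeader("Credentials")]
    public string GetData()
    {
        Authenticate();              // Step 5: validate before doing any work
        return "protected data";
    }

    // Step 4: process the header; fail closed with a SOAP fault.
    private void Authenticate()
    {
        // The header travels as plain XML, so accept it only over TLS.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("HTTPS required", SoapException.ClientFaultCode);
        if (Credentials == null || !IsValid(Credentials.Username, Credentials.Password))
            throw new SoapException("Authentication failed", SoapException.ClientFaultCode);
    }

    // Assumed storage: appSettings keys WsUser, WsSalt, WsHash (Base64 PBKDF2 output).
    private static bool IsValid(string user, string password)
    {
        var cfg = ConfigurationManager.AppSettings;
        if (user == null || password == null || cfg["WsSalt"] == null || cfg["WsHash"] == null)
            return false;
        byte[] expected = Convert.FromBase64String(cfg["WsHash"]);
        byte[] salt = Convert.FromBase64String(cfg["WsSalt"]);
        byte[] actual = new Rfc2898DeriveBytes(password, salt, 100000).GetBytes(expected.Length);
        int diff = string.Equals(user, cfg["WsUser"], StringComparison.Ordinal) ? 0 : 1;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];  // no early exit
        return diff == 0;
    }
}
```

On the client, the generated proxy exposes the header as a property (here `AuthHeaderValue`) that is set before calling `GetData`.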

chandra kumar replied to shekhar kumar on 11-Sep-08 05:19 AM

Hi,

One simple solution to secure a web service is to use Basic authentication for the web service.

You can set Basic authentication (for the specific virtual directory which hosts the web service) using IIS.

You need to create a local user on the Web server (for example WSUser / WSPassword) with local logon rights so that Basic authentication works properly.

In the consuming application, use the following code when your proxy calls the Web Service.

// Requires: using System; using System.Net;

// 1. Create an instance of the CredentialCache class.
CredentialCache cache = new CredentialCache();

// 2. Add a NetworkCredential instance to CredentialCache - use the URL of the Web Service.
//    The authentication type must match the scheme IIS challenges with ("Basic" here),
//    otherwise the cached credential is never selected.
cache.Add(new Uri(myProxy.Url), "Basic", new NetworkCredential("WSUser", "WSPassword", "Domain"));

// 3. Assign CredentialCache to the Web service proxy.
myProxy.Credentials = cache;

You can also use HTTPS with Basic Authentication for better security of the web service.