Developer .NET UPDATE—brought to you by Windows & .NET Magazine Network.
October 15, 2002—In this issue:
1. DEVELOPER .NET PERSPECTIVES
- Making Secure Calls to Web Services
- Hey Denver and San Francisco! Got Security Concerns?
- Planning on Getting Certified? Make Sure to Pick Up Our New eBook!
3. NEW AND IMPROVED
- Combine Design and Development with Flowcharts
4. CONTACT US
- See this section for a list of ways to contact us.
1. DEVELOPER .NET PERSPECTIVES
(contributed by Bill Sheldon, [email protected])
Making secure calls to XML Web services might seem like a fairly straightforward task, but in reality, you have several options for managing security. Some options are limited by your application's architecture. Specifically, if you're using a browser-based interface to a Web service, you're limited in what you can manage.
Application architecture is probably one of the most misunderstood aspects of Web services. Most people associate Web services with Web sites and browser-based applications. However, as I discussed in last week's commentary, the real power of Web services is the role they can play in traditional client applications. The concept of Web services in browser-based applications is somewhat redundant. The advantages of using a Web service rather than a binary protocol include the ability to easily pass through firewalls and adjust for interoperability. Because browser-based applications tend to already offer these capabilities, the advantages of using Web services in browser-based applications are limited to the server side or exposing data interfaces for other applications. As a result, you have two primary security models from which to choose:
Generic Security Model
In an environment in which interoperability is key, the types of available security reflect those options that are available to any other Web application. Basic authentication is still the most portable form of authentication. Using Basic authentication with Secure Sockets Layer (SSL) as the transport layer provides security for both the data and credential information. Such a security model is likely familiar to you, but for additional information about this topic, see the excellent article "HTTP Security and ASP.NET Web Services".
Basic authentication over SSL is completely compatible with a Windows Forms client. Using SSL as the transport layer is reasonably self-explanatory. By setting up your Web service to be available on SSL, the Microsoft .NET Framework automatically manages the encryption of the messages. However, adding credentials to your Web request requires a minor customization to your code. The .NET Framework provides the NetworkCredential class, which lets you pass specific credentials.
Using this class simply requires that your application either query the user or provide a valid username and password for the targeted server. After you have this data, you can use the following Visual Basic .NET code to set up a Web service request that's authenticated on the server:
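    ' Create the Web service proxy and the credential to send with each request.
    Dim IISSvc As New WebServiceServer.MyService()
    Dim cred As New Net.NetworkCredential()
    cred.UserName = "User"
    cred.Password = "Password"
    ' Attach the credential to the proxy so the server can authenticate the call.
    IISSvc.Credentials = cred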
This form of authentication is my favorite for all Web services. Not only is this form of authentication compatible with the majority of other clients, but it's also simple. Setting up a secure Web site is a task with which most development organizations are familiar, and this type of authentication matches a model you're probably already using. However, at times, you might need to enhance this basic security.
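An added example, not code from the original article: a bare NetworkCredential answers a challenge for any URL and any authentication scheme, so this sketch uses CredentialCache to bind the credential to one https:// prefix and to Basic only, and refuses a plaintext URL. The host services.example.com, the account values, the module name, and the helper names BuildBasicOverSslCache and WouldSend are assumptions for illustration.

```vb
Imports System
Imports System.Net

Module ScopedCredentialExample
    ' Returns a cache that releases the credential only for Basic authentication
    ' against the given https:// prefix. A non-SSL URL is rejected up front,
    ' because Basic credentials are merely Base64-encoded on the wire.
    Function BuildBasicOverSslCache(serviceUrl As Uri, user As String, password As String) As CredentialCache
        If serviceUrl.Scheme <> Uri.UriSchemeHttps Then
            Throw New ArgumentException("Basic authentication requires an https:// service URL.")
        End If
        Dim cache As New CredentialCache()
        cache.Add(serviceUrl, "Basic", New NetworkCredential(user, password))
        Return cache
    End Function

    ' Reports whether the cache would hand out a credential for this URL and scheme.
    ' CredentialCache matches on scheme, host, port, path prefix and authentication type.
    Function WouldSend(cache As CredentialCache, url As String, authType As String) As Boolean
        Return cache.GetCredential(New Uri(url), authType) IsNot Nothing
    End Function

    Sub Main()
        ' Constructed sample URL and account (hypothetical values).
        Dim service As String = "https://services.example.com/MyService.asmx"
        Dim cache As CredentialCache = BuildBasicOverSslCache(New Uri(service), "User", "Password")
        ' Probe the registered endpoint, then the same host without SSL,
        ' a different host, and a different authentication scheme.
        Console.WriteLine(WouldSend(cache, service, "Basic"))
        Console.WriteLine(WouldSend(cache, "http://services.example.com/MyService.asmx", "Basic"))
        Console.WriteLine(WouldSend(cache, "https://other.example.com/MyService.asmx", "Basic"))
        Console.WriteLine(WouldSend(cache, service, "Digest"))
        ' With the proxy from the article's snippet: IISSvc.Credentials = cache
    End Sub
End Module
```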
Advanced Security Model
If you need to move beyond the generic security model, you can explore two simple options: using the .NET Framework's encryption classes and using the proposed Web Services Security (WS-Security) standard. Each option has advantages and disadvantages.
Encryption classes are surprisingly easy to use. More important, they let you encrypt all or part of the data associated with a Web request. Thus, you don't need to encrypt the entire request as part of the transport protocol. Instead, you can encrypt only the portions of the message you need to secure. For example, you can encrypt just the strings that contain the username, password, and any other sensitive data.
You must define the encryption classes on both the client and the server. Such custom logic almost always requires you to implement a client-based application. Although I'm not going to go into the details of how to use the .NET encryption classes, I can offer two pieces of advice. First, when you work with XML, you're working with a text-based standard. Because the output of an encryption function is essentially binary output, you need to encode this information by using a base-64 encoder (System.Convert.ToBase64CharArray) or similar tool before you attempt to transmit the information. The second piece of advice is to review the Microsoft Developer Network (MSDN) Webcast "Best Practices for Building Web Services with VS.NET." This Webcast discusses how to create custom encryption logic for use in a Web service. You can find the Webcast at http://www.microsoft.com/usa/webcasts/upcoming/1284.asp
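An added example, not code from the original article or from the Webcast it cites: one way to encrypt a single sensitive field and make it text-safe for an XML element, using AES-CBC with an HMAC-SHA256 tag (encrypt-then-MAC) and Base64. The module and function names, the wire layout, and the locally generated demo keys are assumptions; sharing the two keys between client and server is outside the scope of the example.

```vb
Imports System
Imports System.Security.Cryptography
Imports System.Text
Module FieldEncryptionExample
    ' Layout before Base64: 16-byte IV | AES-CBC ciphertext | 32-byte HMAC-SHA256 tag.
    Function ProtectField(plain As String, encKey As Byte(), macKey As Byte()) As String
        Using cipher As Aes = Aes.Create(), mac As New HMACSHA256(macKey)
            cipher.Key = encKey
            cipher.GenerateIV()                        ' fresh random IV for every field
            Dim data As Byte() = Encoding.UTF8.GetBytes(plain)
            Dim ct As Byte() = cipher.CreateEncryptor().TransformFinalBlock(data, 0, data.Length)
            Dim wire(16 + ct.Length + 32 - 1) As Byte
            Buffer.BlockCopy(cipher.IV, 0, wire, 0, 16)
            Buffer.BlockCopy(ct, 0, wire, 16, ct.Length)
            Dim tag As Byte() = mac.ComputeHash(wire, 0, 16 + ct.Length) ' MAC covers IV + ciphertext
            Buffer.BlockCopy(tag, 0, wire, 16 + ct.Length, 32)
            Return Convert.ToBase64String(wire)        ' binary output made safe for XML text
        End Using
    End Function

    Function UnprotectField(b64 As String, encKey As Byte(), macKey As Byte()) As String
        Dim wire As Byte() = Convert.FromBase64String(b64)
        If wire.Length < 16 + 16 + 32 Then Throw New CryptographicException("Field too short.")
        Dim bodyLen As Integer = wire.Length - 32
        Using cipher As Aes = Aes.Create(), mac As New HMACSHA256(macKey)
            Dim expected As Byte() = mac.ComputeHash(wire, 0, bodyLen)
            Dim diff As Integer = 0                    ' compare tags without an early exit
            For i As Integer = 0 To 31
                diff = diff Or (expected(i) Xor wire(bodyLen + i))
            Next
            If diff <> 0 Then Throw New CryptographicException("Field was modified in transit.")
            cipher.Key = encKey                        ' decrypt only after the tag verifies
            Dim iv(15) As Byte
            Buffer.BlockCopy(wire, 0, iv, 0, 16)
            cipher.IV = iv
            Dim pt As Byte() = cipher.CreateDecryptor().TransformFinalBlock(wire, 16, bodyLen - 16)
            Return Encoding.UTF8.GetString(pt)
        End Using
    End Function

    Sub Main()
        Dim encKey(31) As Byte, macKey(31) As Byte     ' constructed demo keys, generated locally
        RandomNumberGenerator.Create().GetBytes(encKey)
        RandomNumberGenerator.Create().GetBytes(macKey)
        Dim field As String = ProtectField("Password", encKey, macKey)
        Console.WriteLine("<Password>" & field & "</Password>")
        Console.WriteLine(UnprotectField(field, encKey, macKey))
    End Sub
End Module
```

Encrypting only selected fields leaves the rest of the SOAP message readable and unauthenticated, so this complements SSL rather than replacing it.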
Years ago, custom solutions were common for every problem, but as the industry has matured, so has the need for common solutions. One such set of solutions is the Global XML Web Services Architecture (GXA) proposals. One of the proposed standards in the GXA proposals is WS-Security. WS-Security offers standard extensions to the Simple Object Access Protocol (SOAP) headers that XML requests use. The standard extensions provide encryption for the credentials associated with a Web request. This evolving standard provides a more robust security framework that isn't based on the SSL transport protocol. However, an often-overlooked problem is that to use this standard, you still need to modify the browser-based clients.
Such a modification will undoubtedly be available for Microsoft Internet Explorer (IE) shortly after confirmation of the standard, but other browsers that aren't backed by a major corporation might not be updated for years. As a result, adoption of such standards will tend to rely on a client-based solution that isn't browser-based. Microsoft provides the source code that you'll need to implement WS-Security and an example of how to use the WS-Security standard at these respective URLs:
Next week, I'll show you a new feature that comes with Windows .NET Server (Win.NET Server) 2003. This new feature lets you better integrate Web services with applications and provides greater scalability and reliability. In the meantime, I've created sample projects that show many of the basic .NET object capabilities and how to take advantage of Web services as part of your class library. If you would like a copy of these sample projects, email me at [email protected] and I'll send you a .zip file that contains the projects.
(brought to you by Windows & .NET Magazine and its partners)
Time is running out to register for the Windows & .NET Magazine Security Road Show 2002, coming next week to Denver and San Francisco. Register now and hear Mark Minasi and Paul Thurrott address the topic on everyone’s mind: security. Sign up today before it’s too late!
"The Insider's Guide to IT Certification" eBook is hot off the presses and contains everything you need to know to help you save time and money while preparing for certification exams from Microsoft, Cisco Systems, and CompTIA and have a successful career in IT. Get your copy of the Insider's Guide today!
3. NEW AND IMPROVED
(contributed by Sue Cooper, [email protected])
AppsChannel released Visual Workbench, a Visual Studio .NET add-on that extends the IDE. Visual Workbench uses flowcharts to conceptualize and render a programming solution in one step. You can use the resultant XML-logic flowcharts repeatedly to generate in-context source code directly to the code editor window in projects that use the Visual Basic .NET and Visual C# .NET languages. AppsChannel plans to support Visual J# .NET and Visual C++ .NET in the future. Visual Workbench costs $499 per licensed copy. Contact AppsChannel at 918-245-2968 or [email protected]
4. CONTACT US
Here's how to reach us with your comments and questions:
- ABOUT DEVELOPER .NET PERSPECTIVES — [email protected]
- ABOUT THE NEWSLETTER IN GENERAL — [email protected]
(please mention the newsletter name in the subject line)
- TECHNICAL QUESTIONS — http://www.winnetmag.net/forums
- PRODUCT NEWS — [email protected]
- QUESTIONS ABOUT YOUR DEVELOPER .NET UPDATE SUBSCRIPTION?
Customer Support — [email protected]