Thursday, July 17, 2008

08 - Securing Web Services

Securing a Web Service :-

Whether your Web service is made available on a subscription basis or is completely free to the public, it is important to consider security.

There are many options for securing Web applications and services. The following are the most common techniques :-

· Username-password: Used to provide custom, database-backed access control. This is an authentication mechanism.

· Secure Sockets Layer (SSL): Used to ensure that the data transfer across the Web is encrypted. However, it does not protect access to the Web service itself.

· IP address restriction: Used to specify the valid IP addresses that may access the service. However, you still need to authenticate the user even when the IP address matches.

· Web Services Enhancements (WSE): A toolkit from Microsoft that adds a whole new set of specifications for making your Web services secure.

These methods are not mutually exclusive, and can be combined to provide a higher level of security.

1). Username-Password Combination or Registration Keys :-

By requiring either a username-password pair or a registration key code as an input parameter, you can provide a way to track which consumers are using your Web service. A simple database table or XML file containing each username-password pair or registration key code is all that's required to provide this kind of security.
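The table lookup described above, as an added example that is not code from the original post. It keeps the registration-key and username-password checks the author describes, but stores only salted hashes of passwords and hashes of keys, so a leaked table does not expose the credentials themselves. The in-memory dict stands in for the database table or XML file; CredentialStore, authorize_request and the "username", "password" and "key" parameter names are hypothetical.

```python
"""Username-password or registration-key authentication for a Web service.

Added example, not code from the original post. The in-memory dict stands in
for the database table / XML file the text describes. All names here
(CredentialStore, authorize_request, the "username"/"password"/"key"
parameters) are hypothetical.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# PBKDF2 parameters for this example (assumption; tune iterations to your hardware).
PBKDF2_HASH = "sha256"
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). Only the salted hash is stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac(PBKDF2_HASH, password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


class CredentialStore:
    """In-memory stand-in for the username/password table and the registration-key table."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}   # username -> (salt, hash)
        self._keys: Dict[str, str] = {}                    # sha256(key) hex -> consumer name
        # Dummy record so unknown usernames cost the same as known ones (no user enumeration by timing).
        self._dummy = hash_password("dummy", b"\x00" * 16)

    def add_user(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def issue_key(self, consumer: str) -> str:
        """Generate a registration key for a consumer; only its hash is kept server-side."""
        key = secrets.token_urlsafe(24)
        self._keys[hashlib.sha256(key.encode("utf-8")).hexdigest()] = consumer
        return key

    def authenticate(self, username: str, password: str) -> bool:
        salt, stored = self._users.get(username, self._dummy)
        _, candidate = hash_password(password, salt)
        # Constant-time comparison; the membership test keeps the dummy record from ever matching.
        return hmac.compare_digest(candidate, stored) and username in self._users

    def consumer_for_key(self, key: str) -> Optional[str]:
        """Look up which consumer a presented registration key belongs to."""
        return self._keys.get(hashlib.sha256(key.encode("utf-8")).hexdigest())


def authorize_request(store: CredentialStore, params: Dict[str, str]) -> Optional[str]:
    """Identify the consumer from the call's input parameters, or return None to reject.

    This check is independent of the transport: SSL encrypts the call but does
    not establish who is making it, so the credential check is still needed.
    """
    key = params.get("key")
    if key:
        return store.consumer_for_key(key)
    username, password = params.get("username"), params.get("password")
    if username and password and store.authenticate(username, password):
        return username
    return None
```

The returned consumer name is what you would log against each call to track usage, which is the purpose the author gives for this scheme.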

2). Secure Sockets Layer (SSL)

The most common method of securing information on the Web is the Secure Sockets Layer (SSL). When you make an online purchase, you'll typically see a lock or key icon displayed in the browser's status bar to let you know your communication is secure. Information passed between the browser and the Web site travels in an encrypted form.

In the case of Web services, applying SSL ensures that the data travelling between the consumer and the endpoint is encrypted, and hence unreadable to anyone who intercepts it.

SSL does not alter the data provided by your Web service. When a value is returned to the consumer, it arrives exactly as it was sent, regardless of the encryption used in its transportation. The only downside is that it affects the overall performance of your site, as more processing is required. You can get more information about verifying your identity for use with SSL from a Certificate Authority such as Verisign. We discuss SSL in more detail in the next chapter.

3). IP Address Restriction

Maintaining an IP address list of all registered users can help control the use of a Web service. This approach presents a number of potential issues, the greatest being the never-ending maintenance of IP address ranges for each client. IP address restriction can take place at both hardware and software levels.

Hardware Level :-

A hardware application of this security typically involves firewall restrictions to specific IP addresses.

Software Level :-

A). Restricting IP access using software security often involves keeping a database table of clients and another with associated IP addresses.

Each time a Web service is accessed, you can get the client's IP address (using the HTTP headers) and confirm that it exists in the security tables. If a match is located, the Web service executes normally.
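The software-level check described above, as an added example that is not code from the original post. It generalises the per-client address table to CIDR ranges, and it covers the point a practitioner has to get right here: the socket peer address is the only address the client cannot choose, while a forwarded-address header is ordinary request text, so the header is trusted only when the request arrives from one of your own proxies. The client table, the trusted-proxy range and the request values are constructed; ALLOWED_CLIENTS, TRUSTED_PROXIES and client_for_request are hypothetical names.

```python
"""Software-level IP address restriction for a Web service.

Added example, not code from the original post. The client table, the
trusted-proxy range and the request values are constructed for this example;
ALLOWED_CLIENTS, TRUSTED_PROXIES and client_for_request are hypothetical names.
"""
import ipaddress
from typing import Dict, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed client table: consumer name -> permitted addresses or CIDR ranges.
# Ranges rather than single hosts keep the maintenance burden the text warns about manageable.
ALLOWED_CLIENTS: Dict[str, List[str]] = {
    "acme-corp": ["198.51.100.0/24"],
    "partner-b": ["203.0.113.7", "2001:db8::/48"],
}

# Only our own reverse proxies / load balancers may set X-Forwarded-For (constructed range).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

_COMPILED = {
    name: [ipaddress.ip_network(entry, strict=False) for entry in entries]
    for name, entries in ALLOWED_CLIENTS.items()
}


def _is_trusted_proxy(ip: IPAddress) -> bool:
    return any(ip in net for net in TRUSTED_PROXIES)


def effective_client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> IPAddress:
    """Pick the address to check against the table.

    REMOTE_ADDR is the TCP peer and cannot be forged by the client; X-Forwarded-For
    is an ordinary header any client can set, so it is honoured only when the peer is
    one of our trusted proxies, and then only the right-most hop that is not itself a proxy.
    Raises ValueError on a malformed address.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not x_forwarded_for or not _is_trusted_proxy(peer):
        return peer
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        candidate = ipaddress.ip_address(hop)
        if not _is_trusted_proxy(candidate):
            return candidate
    return peer  # every listed hop was one of ours


def client_for_request(remote_addr: str, x_forwarded_for: Optional[str] = None) -> Optional[str]:
    """Return the consumer whose permitted addresses match the request, or None to deny."""
    try:
        ip = effective_client_ip(remote_addr, x_forwarded_for)
    except ValueError:
        return None  # malformed input: fail closed
    for name, nets in _COMPILED.items():
        if any(ip in net for net in nets):
            return name
    return None
```

A match identifies the consumer's network, not the user; as the overview notes, the call should still carry the consumer's credentials.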

B). Another option for software-based IP-address security is at the Web server level. Most Web server software permits any number of IP addresses to be restricted or enabled. Within IIS, it's as simple as selecting the properties of a given site and changing the IP restrictions. Since maintaining IP addresses of clients can be terribly cumbersome, as well as overly restrictive (if a consumer's IP address changes frequently), this option is generally not recommended.

4). Web Services Enhancements (WSE)

The Web Services Enhancements (WSE) toolkit is a set of classes that allow developers to build Web services using specifications from the Global XML Architecture (GXA).

The GXA specs are a set of specifications covering security, Web service discovery, routing, and attachments. They were developed jointly by Microsoft and IBM with the aim of building a framework by which all Web services would be developed in the future.

The largest part of the WSE is the WS-Security specification, and this contains classes that enable you to use authorization and authentication with your Web services, as well as to sign and verify messages and to encrypt their contents.
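To make concrete what WS-Security authentication looks like on the wire, here is an added example that is not code from the original post and not WSE code. It builds and verifies a UsernameToken with a PasswordDigest, following the digest formula of the OASIS WS-Security UsernameToken Profile 1.0, Base64(SHA-1(nonce + created + password)), and adds the two checks the profile expects the receiver to perform: a freshness window on Created and a nonce cache so a captured header cannot be replayed. The SOAP envelope, the credential table and the names verify_username_token, NonceCache and build_envelope are constructed for this example; WSE performs the equivalent check for you.

```python
"""Building and verifying a WS-Security UsernameToken (PasswordDigest).

Added example, not from the original post and not WSE code. Namespace URIs and
the digest formula are those of the OASIS WS-Security 1.0 UsernameToken Profile.
The envelope, credential table, NonceCache and function names are constructed.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

# Constructed credential table. The digest scheme requires the server to hold the
# password (or an agreed derivative of it), which is a known trade-off of this profile.
PASSWORDS: Dict[str, str] = {"svc-consumer": "s3cret-pass"}

# Constructed sample values used by the client side below.
SAMPLE_NOW = datetime(2008, 7, 17, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_CREATED = "2008-07-17T09:59:30Z"
SAMPLE_NONCE = base64.b64encode(b"constructed-nonce-16").decode()


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)), nonce taken as raw bytes."""
    nonce = base64.b64decode(nonce_b64)
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def build_envelope(user: str, password: str, nonce_b64: str, created: str) -> str:
    """Client side: a SOAP 1.1 envelope carrying a digest UsernameToken (constructed sample)."""
    digest = password_digest(nonce_b64, created, password)
    return f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
      <wsse:UsernameToken>
        <wsse:Username>{user}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password>
        <wsse:Nonce EncodingType="{B64_ENCODING}">{nonce_b64}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><GetQuote xmlns="urn:example:quotes"/></soap:Body>
</soap:Envelope>"""


class NonceCache:
    """Remembers nonces seen inside the freshness window so a captured token cannot be replayed."""

    def __init__(self, window: timedelta = timedelta(minutes=5)) -> None:
        self.window = window
        self._seen: Set[str] = set()

    def accept(self, nonce_b64: str, created: datetime, now: datetime) -> bool:
        if abs(now - created) > self.window or nonce_b64 in self._seen:
            return False
        self._seen.add(nonce_b64)
        return True


def _parse_created(created: str) -> Optional[datetime]:
    try:
        ts = datetime.fromisoformat(created.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def verify_username_token(envelope_xml: str, cache: NonceCache, now: datetime) -> Optional[str]:
    """Server side: return the authenticated username, or None to reject the message."""
    root = ET.fromstring(envelope_xml)
    tok = root.find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        return None
    user = tok.findtext(f"{{{WSSE}}}Username")
    pw = tok.find(f"{{{WSSE}}}Password")
    nonce = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if None in (user, pw, nonce, created) or pw.get("Type") != DIGEST_TYPE:
        return None  # a PasswordText (clear-text) token is refused here
    secret = PASSWORDS.get(user)
    created_dt = _parse_created(created)
    if secret is None or created_dt is None:
        return None
    # Check the digest first so a wrong password does not consume the nonce.
    if not hmac.compare_digest(password_digest(nonce, created, secret), pw.text or ""):
        return None
    return user if cache.accept(nonce, created_dt, now) else None
```

The digest proves possession of the password without sending it, but it does not encrypt or sign the message body; that is what the signing and encryption classes the paragraph mentions add on top.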

The WSE toolkit can be downloaded for free from

Thanks & Regards,

Arun Manglick || Senior Tech Lead
