8 Security and Unmanaged Code CERTIFICATION OBJECTIVES 8.01 Implement Security 8.02 Access Unmanaged code ✓ Two-Minute Drill Q&A Self Test CertPrs8 / MCAD/MCSD XML Web Services and Server Components Development with Visual Basic .NET / Lind / 222653-6 / Chapter 8 P:\010Comp\CertPrs8\653-6\ch08.vp Wednesday, October 30, 2002 9:50:09 AM Color profile: Generic CMYK printer profile Composite Default screen I n this chapter, you will learn about two topics: security for the Windows services, .NET Remoting objects, and XML Web Services and how to access legacy COM+ components. The security implementation will cover how to configure and use the different security mechanisms available through the .NET Framework, and how to integrate the Windows authentication systems as well as the authorization needed to access resources. A large number of existing COM and COM+ applications are in use today— it will take a long time to move beyond the use of them in all but total rewrite situations. You will look at how to make use of these components from a Visual Basic .NET application. CERTIFICATION OBJECTIVE 8.01 Implement Security You need to consider security for XML web services just as you do for any other software product on a network. As with other software products, there are three aspects of security that you must consider: authentication, authorization, and secure communication. Authentication Authentication is the process of verifying that the client is truly who he or she claims to be—this is done by collecting credentials (name and password) from the user. The credentials are validated against an authority like a database—if the credentials are valid, the client is an authenticated identity. The authorization configuration is performed on IIS because IIS is the service that the consumer will interact with to get access to an XML web service. Internet Information Services (IIS) offers three security mechanisms: ■ Basic authentication The basic authentication method is a widely used standard method for collecting name and password information from the consumer. This method is part of the HTTP specification and is a standard 2 Chapter 8: Security and Unmanaged Code CertPrs8 / MCAD/MCSD XML Web Services and Server Components Development with Visual Basic .NET / Lind / 222653-6 / Chapter 8 P:\010Comp\CertPrs8\653-6\ch08.vp Wednesday, October 30, 2002 9:50:09 AM Color profile: Generic CMYK printer profile Composite Default screen that is widely supported by browsers. It transmits the security credentials in clear text, resulting in a possible security breach unless the transmission channel is encrypted using Secure Sockets Layer (SSL). ■ Digest authentication The W3C has introduced digest authentication as a replacement for the basic authentication method. In digest authentication, a binary hash is built from the name, password, requested resource, HTTP method, and some random values generated from the server. To generate a hash, the browser applies an algorithm that is considered one-way, meaning that there is no known way of getting back to the clear text from the binary hash. This hash is then sent to the IIS server, which verifies that the hash is the same as it received when performing the same hash calculation on the user information as stored in the active directory. Digest authentication is supported starting in HTTP 1.1. ■ Integrated Windows authentication This authentication is based on the consumer having a Windows account that can be used for authentication. The strength of integrated Windows authentication is that the username and password are not sent across the network. Rather, a hash of the credentials is used. In addition, the method can make use of the Kerberos V5 protocol to take advantage of the secret-key cryptography provided in Active Directory and Kerberos V5. The biggest problem with integrated Windows authentication is that the server and the client must have network communication over TCP/IP ports for the authentication—these ports are normally never left open on any devices that are used on the Internet because of the risk of intrusion into the system from Internet hackers. You can also use custom SOAP headers, to add your own authentication mechanism instead of using the built-in solutions. An XML web service consumer can add credentials to the SOAP header that are then retrieved by the XML web service, which can use the credentials to authenticate the consumer. For a refresher on SOAP, see Appendix D. IIS Authentication In order to configure authentication for an XML web service, you need to configure IIS through the Internet Services Manager. To start the Internet Services Manager, Implement Security 3 CertPrs8 / MCAD/MCSD XML Web Services and Server Components Development with Visual Basic .NET / Lind / 222653-6 / Chapter 8 P:\010Comp\CertPrs8\653-6\ch08.vp Wednesday, October 30, 2002 9:50:09 AM Color profile: Generic CMYK printer profile Composite Default screen select Start | Settings | Control Panel | Administrative Tools | Internet Services Manager. The program is shown in the following illustration. Remember that the authentication method for Windows authentication is set in IIS. In the Tree view, expand first the server and then the Default Web Site; you will see several entries, as shown in Figure 8-1. Select the web site you want to configure, right-click it, and select Properties. This will open the Default Web Site properties dialog box. Click the Directory Security tab as shown in Figure 8-2. Security settings are configured under the Anonymous Access And Authorization Control section. Click Edit to open the Authentication Methods dialog box shown in the following illustration. 4 Chapter 8: Security and Unmanaged Code CertPrs8 / MCAD/MCSD XML Web Services and Server Components Development with Visual Basic .NET / Lind / 222653-6 / Chapter 8 P:\010Comp\CertPrs8\653-6\ch08.vp Wednesday, October 30, 2002 9:50:09 AM Color profile: Generic CMYK printer profile Composite Default screen You can configure authentication in this dialog box. The default setting is that anonymous access is permitted. You can change the anonymous authentication configuration with the proxy account in the Anonymous User Account dialog box, Implement Security 5 CertPrs8 / MCAD/MCSD XML Web Services and Server Components Development with Visual Basic .NET / Lind / 222653-6 / Chapter 8 FIGURE 8-1 The expanded content of the default web site P:\010Comp\CertPrs8\653-6\ch08.vp Wednesday, October 30, 2002 9:50:09 AM Color profile: Generic CMYK printer profile Composite Default screen 6 Chapter 8: Security and Unmanaged Code CertPrs8 / MCAD/MCSD XML Web Services and Server Components Development with Visual Basic .NET / Lind / 222653-6 / Chapter 8 brought up when you click Edit in the Anonymous Access section. The proxy account must be given the most restrictive access to the site possible. If you configure Basic Authentication in the Authentication Methods dialog box, you must make sure that the accounts that will access the XML web service are given permission to log on to the web server that is hosting the XML web service. FIGURE 8-2 The Properties dialog box P:\010Comp\CertPrs8\653-6\ch08.vp Wednesday, October 30, 2002 9:50:10 AM Color profile: Generic CMYK printer profile Composite Default screen If you configure Digest Authentication For Windows Domain Servers, the domain controls must have a reversible encrypted (clear-text) copy of the account’s password to be used when comparing against the hash the consumer sends in. You will be requested to agree to the clear-text passwords when you select digest authentication. If you configure integrated Windows authentication, the user will not be prompted for credentials unless the integrated Windows authentication fails. Integrated Windows authentication cannot pass a firewall unless the administrator opens additional ports. It is highly unlikely that the administrator will do so because of the security risk involved. Once the IIS configuration is complete, the XML web service must be configured to use the required authentication. This is done by editing the Web.config file that is located in the root directory for the XML web service. This file is also called the application configuration file. To enable the Windows-based authentication method (basic, digest, or integrated Windows) that was configured with IIS, add the following to the Web.config file: <configure> <system.web> <authentication mode = "Windows" /> </system.web> </configure> To access the user credentials programmatically, you can use the Context object as in this demo web method from Visual Studio .NET: <WebMethod()> _ Public Function HelloWorld() As String return "Hello World " + Context.User.Identity.Name End Function Implement Security 7 CertPrs8 / MCAD/MCSD XML Web Services and Server Components Development with Visual Basic .NET / Lind / 222653-6 / Chapter 8 P:\010Comp\CertPrs8\653-6\ch08.vp Wednesday, October 30, 2002 9:50:10 AM Color profile: Generic CMYK printer profile Composite Default screen The result of this web method is shown here: When you consume an XML web service by using the wsdl tool or by adding a web reference in Visual Studio .NET, the proxy class will inherit from the SoapHttpClientProtocol class. Through this class, you have access to the Credentials property that is used to read or set security credentials. In order to control the authentication process, you can use the NetworkCredential class as shown in the following code segment: ' instantiate the XML Web Service proxy Dim ws As WService = New WService() ' get a NetworkCredential object Dim cred As ICredentials cred = New NetworkCredential("Ken", "password", "nop.com") ' configure the client credentials ws.Credentials = cred Dim s As String Try s = ws.HelloWorld() Catch Console.WriteLine("Authentication Failed!") End Try Use the NetworkCredential class to pass the authentication when calling an XML web service. 8 Chapter 8: Security and Unmanaged Code CertPrs8 / MCAD/MCSD XML Web Services and Server Components Development with Visual Basic .NET / Lind / 222653-6 / Chapter 8 P:\010Comp\CertPrs8\653-6\ch08.vp Wednesday, October 30, 2002 9:50:10 AM Color profile: Generic CMYK printer profile Composite Default screen Implement Security 9 CertPrs8 / MCAD/MCSD XML Web Services and Server Components Development with Visual Basic .NET / Lind / 222653-6 / Chapter 8 EXERCISE 8-1 Using Network Credentials In this exercise, you will build an XML web service and configure the authentication for it. You will also learn about how to create authentication accounts for the local server. The second part of this exercise deals with the consumer of the web service, and how to use the NetworkCredential class to send authentication information to an XML Web Service. 1. Create a new Visual Basic .NET project based on the ASP.NET Web Service template. Name the project HelloSecure. 2. Open the code module and change the namespace of the Web service from http://temuri.org to http://secure.ws. P:\010Comp\CertPrs8\653-6\ch08.vp Wednesday, October 30, 2002 9:50:10 AM Color profile: Generic CMYK printer profile Composite Default screen 10 Chapter 8: Security and Unmanaged Code CertPrs8 / MCAD/MCSD XML Web Services and Server Components Development with Visual Basic .NET / Lind / 222653-6 / Chapter 8 3. Change the name of the class to SHello. <WebService(Namespace:="http://secure.ws/")> _ Public Class SHello Inherits System.Web.Services.WebService . End Class 4. Implement a web method named HelloWorld() that returns a string. <WebMethod()> Public Function HelloWorld() As String . End Function 5. In the return statement for the HelloWorld() web method, you need to append the name of the user that was authenticated to use the web method. The Context.User.Identity.Name property will give you that information. <WebMethod()> Public Function HelloWorld() As String Return "Hello World " + Context.User.Identity.Name End Function 6. Save and build the Web Service. 7. To test the web service, run the XML Web Service help application by pressing F 5. The result of running the HelloWorld() web method should look like this: Notice that the user identity is blank. That is because the web service at this moment is configured to use anonymous authentication. The next step is to P:\010Comp\CertPrs8\653-6\ch08.vp Wednesday, October 30, 2002 9:50:10 AM Color profile: Generic CMYK printer profile Composite Default screen [...]... Services and Server Components Development with Visual Basic NET / Lind / 222653-6 / Chapter 8 Security and Unmanaged Code 19 In the click event handler, you will need to declare a variable (ws) that will be a reference to the web service and instantiate that service ' instantiate the XML Web Service proxy Dim ws As localhost.SHello ws = New localhost.SHello() 20 Declare a variable to represent the security. .. Generic CMYK printer profile CertPrs8 Composite Default screen / MCAD/MCSD XML 28 Chapter 8: Web Services and Server Components Development with Visual Basic NET / Lind / 222653-6 / Chapter 8 Security and Unmanaged Code that the code is running under, and the identity encapsulates information about the user and the entity that has been authenticated The NET Framework has four classes that are used to encapsulate... are some issues with the COM components, though The first is that they are native code for the platform, and they execute in their own unmanaged process spaces In order to effect communication between the managed code in your XML web service and the unmanaged code in the COM component, you need to marshal the method call and the data between the two environments This accomplished using InterOp, or more... site, and select Properties from the context menu This will open the HelloSecurity properties dialog P:\010Comp\CertPrs8\653-6\ch08.vp Wednesday, October 30, 2002 9:50:11 AM Color profile: Generic CMYK printer profile CertPrs8 Composite Default screen / MCAD/MCSD XML 12 Chapter 8: Web Services and Server Components Development with Visual Basic NET / Lind / 222653-6 / Chapter 8 Security and Unmanaged Code. .. MCAD/MCSD XML 30 Chapter 8: Web Services and Server Components Development with Visual Basic NET / Lind / 222653-6 / Chapter 8 Security and Unmanaged Code XML web services—one for secure communication and one for open communication This is a very functional solution There are a number of options that can be used to encrypt the traffic between the XML web service and the consumer Look at two of those options... profile: Generic CMYK printer profile CertPrs8 Composite Default screen / MCAD/MCSD XML 32 Chapter 8: Web Services and Server Components Development with Visual Basic NET / Lind / 222653-6 / Chapter 8 Security and Unmanaged Code provides Data Encryption Standard (DES) support The following code segment shows how to use the class: Dim cryptographer As ICryptoTransform Dim decryptographer As ICryptoTransform... Basic, and SSL P:\010Comp\CertPrs8\653-6\ch08.vp Wednesday, October 30, 2002 9:50:14 AM Color profile: Generic CMYK printer profile CertPrs8 / screen Composite DefaultMCAD/MCSD XML Web Services and Server Components Development with Visual Basic NET / Lind / 222653-6 / Chapter 8 Access Unmanaged Code 33 CERTIFICATION OBJECTIVE 8.02 Access Unmanaged Code The distributed environment that has been, and still... MCAD/MCSD XML 20 Chapter 8: Web Services and Server Components Development with Visual Basic NET / Lind / 222653-6 / Chapter 8 Security and Unmanaged Code EXERCISE 8-3 Adding Accounts to the Server In this exercise, you will create a number of security accounts for your server so that you can test the client for the HelloSecure web service Note that computer and account names will vary because the servers... messages are encrypted and what messages are encrypted Now that you have identified the options, you will look at how to implement SSL and custom SOAP extensions Implementing SSL SSL is based on security certificates A security certificate is a binary structure that has been issued by a trusted certificate authority (CA) The standard certificates are called X.509 certificates, after the standard number You... Default screen / MCAD/MCSD XML 24 Chapter 8: Web Services and Server Components Development with Visual Basic NET / Lind / 222653-6 / Chapter 8 Security and Unmanaged Code FROM THE CLASSROOM One of the vexing issues with Windows native authentication is that it is based on protocols that require the use of additional TCP/IP ports Depending on the client and if Active Directory is installed, these ports might . 8 Security and Unmanaged Code CERTIFICATION OBJECTIVES 8.01 Implement Security 8.02 Access Unmanaged code ✓ Two-Minute Drill Q&A. part of the HTTP specification and is a standard 2 Chapter 8: Security and Unmanaged Code CertPrs8 / MCAD/MCSD XML Web Services and Server Components Development